Radiology groups want clarity from HHS on reporting requirements following Change cyberattack
Radiology groups are seeking clarity from Health and Human Services on who is responsible for reporting and notifying patients following the Change Healthcare cyberattack in February.
Three imaging groups were among 100-plus medical societies writing to HHS Secretary Xavier Becerra on May 20. The American College of Radiology and others want the Office for Civil Rights to publicly state that its ongoing breach investigation and efforts at remediation will be focused on Change and “not the providers affected.”
“Healthcare clinicians and providers take seriously their responsibility to safeguard and protect their patients’ data,” ACR, the American Society of Neuroradiology and the Society of Interventional Radiology wrote Monday. “Since the attack became known, concerns among our members have mounted related to what could—from all indications—amount to the largest breach of the healthcare sector. Change Healthcare processes claims on behalf of hundreds of thousands of clinicians and providers, and several terabytes of possibly protected health information are alleged to have been stolen and held for ransom.”
During a recent congressional hearing on the cyberattack, the CEO of Change parent company UnitedHealth Group said his company will handle sending notifications to consumers, once its investigation is completed. However, ACR and other physician groups want HHS to ensure that the healthcare giant follows through with its promise.
“Given UnitedHealth Group’s statement that it is prepared to fulfill these reporting and notification requirements, it appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UnitedHealth Group and not to the affected providers,” the groups wrote.
UHG provided further details on the response in an April 22 update. Based on initial data sampling, the company has found that hackers have obtained protected health information covering “a substantial proportion of people in America.” However, UHG has not seen evidence of “exfiltration of materials,” such as doctor’s charts or full medical histories among the data.
Given the complexity of the data review, UnitedHealth estimated it will likely take “several months” before “enough information will be available to identify and notify impacted customers and individuals.”
“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it,” CEO Andrew Witty said in a statement.
It’s still unclear how many providers were affected by the breach. Physician groups emphasized that a simple affirmation from the Office for Civil Rights is “badly needed” to help address confusion among providers.
“While we appreciate OCR’s FAQs, OCR should publicly state that their breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach,” the letter closed. “For medical providers affected by the UHG ransomware attack, their chief responsibility [is] patient care. These providers may lack clarity regarding what is required of them under HIPAA in this instance, and so we call upon HHS-OCR to take the simple step of confirming the above publicly, to ease concerns in the provider community. We appreciate the opportunity to bring this matter to your attention as we navigate the fallout from this assault on patient care and the privacy of their medical information.”
You can read the full letter here. Others signing the message included the American Medical Association, the American Society for Radiation Oncology, the American College of Radiation Oncology, and numerous state medical associations.