.jpg)
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was the target of cyberattacks that forced Change Healthcare to take immediate action to prevent the threat to spreading to other systems. Change Healthcare provides payment and revenue tools utilized by patients, medical providers and payers (i.e. insurance companies and other health plans) nationwide. The Department of Health and Human Services notes that Change Healthcare processes 15 billion healthcare transactions annually and is involved in one in every three patient records. Accordingly, the impact of the cyberattack on Change Healthcare cannot be understated.
The Department of Health and Human Services (HHS), Office for Civil Rights, is investigating the incident involving Change Healthcare, and further developments can be expected. The healthcare industry is a compelling and lucrative target for individual and organized threat actors that understand the industry’s complex systems and its vulnerabilities. Therefore, covered entities should remain vigilant and continue to review their cybersecurity policies and practices to ensure that they are taking appropriate measures to safeguard protected health information and are able to quickly respond in the event of a cyberattack. HHS has highlighted a number of resources and links to information concerning cybersecurity, HIPAA obligations and HIPAA’s security rule, which can be accessed here.