Change Healthcare Cyberattack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter about the Change Healthcare cyberattack. OCR also opened an official investigation. The attack affects Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other healthcare organizations.

The cyberattack has disrupted health care and billing operations nationwide. It poses a direct threat to patient care and critical health system functions.

OCR enforces HIPAA Privacy, Security, and Breach Notification Rules. These rules require covered entities and business associates to protect patient data and to notify HHS and affected individuals after a breach.

Cyberattacks remain the top threat in healthcare. In the past five years, large breaches involving hacking increased 256%. Ransomware attacks rose 264%. In 2023, hacking caused 79% of all large breaches, affecting 134 million people, a 141% increase from 2022.

Given the unprecedented size of this cyberattack, OCR has launched an investigation to protect patients and healthcare providers. The investigation will examine whether a breach of protected health information occurred and whether Change Healthcare and UHG complied with HIPAA Rules.

OCR considers its review of other entities connected to Change Healthcare and UHG as secondary. While OCR is not prioritizing investigations of providers, health plans, or business associates impacted by the attack, it is reminding all partners of their obligations. Entities must maintain business associate agreements and provide timely breach notifications to HHS and affected individuals as HIPAA requires.

Safeguarding protected health information remains OCR’s top priority. To support this effort, OCR is sharing resources to help organizations protect record systems and patients from cyberattacks.

OCR HIPAA Security Rule Guidance Material – This webpage offers educational resources on the HIPAA Security Rule and standards for protecting electronic protected health information (ePHI). Resources include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule guidance documents, OCR Cybersecurity Newsletters, and more.

OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video explains how the HIPAA Security Rule helps covered entities and business associates defend against cyberattacks. It covers breach trends, common attack methods, and key findings from OCR investigations.

OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar explains the HIPAA Security Rule requirements for performing a complete risk assessment of potential threats and vulnerabilities to electronic protected health information (ePHI). It also reviews common risk analysis deficiencies that OCR has found during its investigations.

HHS Security Risk Assessment Tool – This tool helps small- and medium-sized entities perform an internal security risk assessment to meet the HIPAA Security Rule’s risk analysis requirements. You must also create and implement the policies and forms required in this tool.

Factsheet: Ransomware and HIPAA – This resource explains what ransomware is, outlines steps covered entities and business associates must take if their systems are infected, and details HIPAA breach reporting requirements.

©2025 Aris Medical Solutions – HIPAA Keeper | HIPAA Compliance Consultants | All Rights Reserved