Change Healthcare Cyberattack Raises Compliance Concerns for UnitedHealth Group

The recent malicious cyberattack on Change Healthcare, a major provider of revenue cycle management and data solutions for the healthcare industry, has brought significant compliance risks and challenges to UnitedHealth Group, the parent company of Change Healthcare.

Through its initial data review, UnitedHealth Group has uncovered that the attack may have compromised files containing protected health information (PHI) and personally identifiable information (PII) on a substantial portion of individuals across the United States. This potential large-scale data breach raises serious compliance concerns under regulations such as HIPAA and state data privacy laws.

Complicating matters, UnitedHealth Group expects the complex data review process to take several months before specific impacted individuals can be identified and notified. In the interim, the company has proactively established support resources including credit monitoring, identity theft protection, and clinical support services.

However, delays in breach notification can increase compliance risks and potential penalties from regulators like the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA rules. Timely breach notification is a core HIPAA requirement to allow individuals to take protective measures.

"There are strict timelines under HIPAA for notifying affected individuals, HHS, and in some cases, the media, after a breach is discovered," said privacy attorney Elizabeth Harding. "If UnitedHealth can't identify the full scope quickly, they may have to provide substitute notices to maintain compliance."

The cyberattack is also straining Change Healthcare's operations and ability to fulfill contractual obligations to healthcare providers and payers that are bound by HIPAA business associate agreements. Disruptions to services like medical claims processing, payment systems, and data analytics tools can lead to additional compliance exposure.

From a risk management standpoint, UnitedHealth Group faces considerable financial impact from this incident through costs associated with breach response, regulatory fines, litigation, credit monitoring, identity theft services, and potential loss of customers or partners due to reputational damage.

"Cyberattacks on major players like Change Healthcare demonstrate how healthcare data remains an attractive target for cybercriminals," said cyber risk expert John Silva. "This should be a wake-up call for risk officers to redouble efforts around data security and resilience."

As UnitedHealth continues its investigation alongside law enforcement, all parties are monitoring for any further publication of data that could widen the compliance scope. Robust risk management and adherence to data breach notification rules will be crucial to navigate this major incident.
