Incident Details
The American Hospital Association has written a letter to the Department of Health and Human Services, requesting clarity on the requirement for hospitals and health systems to inform patients in case of a breach of protected health information resulting from the cyberattack on Change Healthcare on February 21. The letter, dated March 21 and addressed to Melanie Fontes Rainer, the acting director of the Office for Civil Rights at HHS, urges the agency to provide clear guidelines to healthcare providers on reporting breaches related to the Change Healthcare cyberattack. The AHA is advocating for a streamlined notification procedure to prevent patients from receiving redundant notifications about the same breach.
Incident
How Did the Breach Happen?
The security breach happened as a result of the cyberattack that took place on February 21st at Change Healthcare.
What Data Has Been Compromised?
There is a possibility that the confidentiality of patients' medical data has been breached.
Why Did the Company's Security Measures Fail?
The company's security protocols were ineffective in stopping the breach, causing worry about the obligation to report breaches to both HHS and those affected.
What Immediate Impact Did the Breach Have on the Company?
The company was affected by the breach, leading it to review its process for reporting breaches to hospitals and other healthcare providers. This also caused potential confusion for the patients who received multiple notifications.
How Could This Have Been Prevented?
Stronger cybersecurity measures and timely detection of the cyberattack could have possibly averted this breach.
What Have We Learned from This Data Breach?
The incident underscores the significance of having well-defined procedures for reporting breaches and the importance of having standardized protocols to prevent confusion and minimize unnecessary expenses.
Summary of Coverage
Change Healthcare's breach prompted the American Hospital Association to approach HHS for advice on informing patients about breaches and defining notification duties among the parties concerned.