Change Healthcare Incident: Update on ‘Impacted Data’ Analysis and Notification Plan

BakerHostetler

Late on March 27, UnitedHealth Group (UHG), the parent company of Change Healthcare (CHC), provided an update on its analysis of the extent of “impacted data” involved in the CHC incident.

Here are the main takeaways from the update:

  • CHC is still determining the contents of the “data that was taken by the threat actor.” CHC is continuing to analyze “impacted data” and is prioritizing the review of data it believes contains health information, personally identifiable information, and claims and eligibility or financial information.
  • A third-party vendor has been engaged to assist with data analysis. To expedite its review of the data, CHC has engaged “a leading vendor” to assist with its analysis.
  • It could be some time before CHC announces the scope of data involved. CHC stated that because of the impact the incident had on its own systems, it was not able to pull the data involved in the incident until just recently. This indicates it will likely take the company weeks or longer to provide an update on the contents of the information involved in the incident.
  • CHC data has not been found on the dark web. While this may provide comfort to some, just because CHC has not found data on the dark web does not mean that sensitive data is not in the possession of bad actors. It also does not change any potential notice obligations if protected health or personal information was accessed or acquired as a result of the incident.
  • CHC will be offering to provide notifications for customers “where permitted.” UHG stated that, “where permitted,” it will handle the notification process for customers whose data was impacted. Depending on the services healthcare providers receive from CHC, CHC may act as a clearinghouse (in and of itself a HIPAA-covered entity) or a business associate of the healthcare entities. The terms of companies’ master agreements and business associate agreements with CHC entities may determine whether UHG will handle the notification process on behalf of the entities.

What does this mean for covered entities?

The latest statement from CHC itself does not start any covered entity’s “60-day timeline.”

Until CHC provides a more specific statement about the services involved or provides notice to customers that their PHI was involved in this incident, a HIPAA-covered entity’s date of discovery has not yet occurred, and the “60-day notification deadline” for CHC-covered entity customers has not yet started. The March 27 UHG update does not change this analysis.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler