Important Information on the Change HealthCare Cybersecurity Incident

By Olivia Wann

As you are aware, Change Healthcare experienced a cyberattack in early 2024.  Change Healthcare is owned by UnitedHealth Group.  Change Healthcare manages health care technology connected to processing insurance claims and billing. This includes Practice Works, SoftDent, Dentrix, EagleSoft, Open Dental and many more companies.  They serve basically as the business associate to the covered entity.  Please review your Business Associate Agreements in place with these companies. 

The Office of Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Affected individuals must be notified of this breach. This includes patients and individuals whose information was in your system that was breached.  Notification must also be made to the Department of Health and Human Services and in accordance with state breach notification requirements.

Most of the dental practices we serve do not have the time or the resources to manage breach notification.  The Office of Civil Rights Director indicated that affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. 

HIPAA’s breach notification requires notification within 60 days of discovery of the breach.  The 60-day clock for Change Healthcare to notify their covered entity customers begins when the breach was discovered.  The Office of Civil Rights has yet to receive a breach report from Change Healthcare. 

We are sending you this letter to alert you of the required breach notification and that according to the Department of Health and Human Services, you may delegate to Change Healthcare the tasks of providing the required HIPAA Breach notifications on your behalf.  If Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA’s Breach Notification Rule, you would not have any additional HIPAA breach notification obligations.

I personally corresponded with Optum Privacy who is handling the breach incident for Change Healthcare.  According to the Associate Director, Shelley Violette indicated that they are conducting an investigation, and no final incident report was available at that time.  However, to help ease reporting obligations on stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any customer. She further indicated that they would do appropriate notifications in the most efficient way possible as required by law.  This would involve some form of direct mail and website notice as well as other notices required by HIPAA and applicable state laws. She hopes to provide additional information very soon on an opt out process to ease the burden on dental practices.

As we learn more information, we will continue to update you.