Baker & Hostetler LLP

03/29/2024 | Press release | Distributed by Public on 03/29/2024 07:26

Change Healthcare Incident: Update on ‘Impacted Data’ Analysis and Notification Plan


Late on March 27, Change Healthcare (CHC)'s parent company, UnitedHealth Group (UHG), provided an update on its analysis of the extent of "impacted data" involved in the CHC incident.

Here are the main takeaways from the update:

  • CHC is still determining the contents of the "data that was taken by the threat actor." CHC is continuing to analyze "impacted data" and is prioritizing the review of data it believes contains health information, personally identifiable information, and claims and eligibility or financial information.
  • A third-party vendor has been engaged to assist with data analysis. To expedite its review of the data, CHC has engaged "a leading vendor" to assist with its analysis.
  • It could be some time before CHC announces the scope of data involved. CHC stated that because of the impact the incident had on its own systems, it was not able to pull the data involved in the incident until just recently. This indicates it will likely take the company weeks or longer to provide an update on the contents of the information involved in the incident.
  • CHC data has not been found on the dark web. While this may provide comfort to some, just because CHC has not found data on the dark web does not mean that sensitive data is not in the possession of bad actors. It also does not change any potential notice obligations if protected health or personal information was accessed or acquired as a result of the incident.
  • CHC will be offering to provide notifications for customers "where permitted." UHG stated that, "where permitted," it will handle the notification process for customers whose data was impacted. Depending on the services healthcare providers receive from CHC, CHC may act as a clearinghouse (in and of itself a HIPAA-covered entity) or a business associate of the healthcare entities. The terms of companies' master agreements and business associate agreements with CHC entities may determine whether UHG will handle the notification process on behalf of the entities.

What does this mean for covered entities?

The latest statement from CHC itself does not start any covered entity's "60-day timeline."

Until CHC provides a more specific statement about the services involved or provides notice to customers that their PHI was involved in this incident, a HIPAA-covered entity's date of discovery has not yet occurred, and the "60-day notification deadline" for CHC-covered entity customers has not yet started. The March 27 UHG update does not change this analysis.

Many healthcare systems and providers have already reached out to BakerHostetler about these types of incidents, and we have a team of highly experienced incident response attorneys ready to assist healthcare (and other) clients with responding to vendor and cybersecurity incidents.
