On March 13, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a “Dear Colleague” letter opening an investigation into recent cybersecurity incidents affecting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other healthcare entities. These entities hold patients’ personal health information and billing information. Commentators have stated that “The likelihood that substance use disorder (SUD) treatment information was included in the breach is very likely,”[1] and HHS states, “if you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.”
Specifically, the letter reminds entities partnered with Change Healthcare and UHG that they are subject to regulatory obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that timely breach notifications are sent to those affected. Even though SUD treatment information was likely also included in the data exposed in these incidents, the OCR letter says nothing about entities subject to the 42 CFR Part 2 (Part 2) regulations.
In the last five years, HHS has seen an increase in large data breaches involving hacking and ransomware. Last year, hacking accounted for 79% of the large breaches reported to the OCR and affected over 134 million individuals. That is a 256% increase in significant breaches reported to the OCR within the last five years and a 141% increase in the number of people affected since 2022.