Draft OCR Investigation on Recent Cyberattacks

By: Jeffrey Lynne March 27, 2024 3:27 am

By: Jeffrey Lynne, Esq. and Laura Stinson, University of Miami School of Law (2L)
March 27, 2024 3:27 am

Draft OCR Investigation on Recent Cyberattacks

On March 13, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a “Dear Colleague” letter opening an investigation into recent cybersecurity incidents that have impacted important aspects of Change Healthcare, a unit of UnitedHealthcare Group (UHG) and many other healthcare entities. These healthcare entities house the personal information of healthcare patients and billing information. Commentators have stated that “The likelihood that substance use disorder (SUD) treatment information was included in the breach is very likely,”[1] and HHS states, “if you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.”

Specifically, the letter reminds entities partnered with Change Healthcare and UHG that they are subject to regulatory obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure timely breach notifications are disseminated to those affected. Even though it is likely that SUD treatment information may have also been included in the data breach during these incidents, the OCR letter says nothing about entities subject to 42 CFR Part 2 (Part 2) regulations.

In the last five years, HHS has seen an increase in large breaches of data involving hacking and ransomware. Last year, hacking accounted for 79% of the large breaches reported to the OCR and affected over 134 million individuals. That is a 256% increase in significant breaches reported to the OCR within the last five years and a 141% increase in people affected since 2022.


The information provided on this website is for informational purposes only and is intended as a public service. Any questions of a legal nature should be directed to an attorney, and the information on this website is not intended to replace legal advice from a licensed attorney in your state. By using this website, you acknowledge that you may not rely upon or refer to the contents as being legal advice or guidance provided by BMU Law, without its prior written consent.

Copyright © 2024 Beighley, Myrick, Udell Lynne + Zeichman.https://mediatorlocal.com/