Today, the US Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other healthcare entities. The cyberattack is disrupting healthcare and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the healthcare industry. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most healthcare providers, health plans, and healthcare clearinghouses) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.
Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.