# AHA Wants Clarity on Responsibilities Amid UHG Cyberattack

Published by Axio

The recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group, has thrown thousands of healthcare organizations across the United States into disarray. With millions of patients potentially affected, the American Hospital Association (AHA) is advocating for a unified notification process, urging the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) to mandate that notifications come solely from the IT services firm and its parent company.

In a letter to HHS OCR, the AHA emphasized the necessity of a streamlined approach to notifying affected individuals in the wake of the February 21 cyberattack. While HHS OCR has launched an investigation into the incident to ascertain whether a breach of Protected Health Information (PHI) occurred, the agency has indicated that its primary focus is on Change Healthcare and UnitedHealth Group, rather than other entities involved.

Despite HHS OCR’s stance, the AHA is seeking clarification that hospitals and healthcare providers need not issue additional notifications if Change Healthcare and UnitedHealth Group fulfill their notification duties. The AHA argues that as a covered entity, Change Healthcare holds the responsibility for notifying both HHS OCR and affected individuals, even if acting as a business associate.

However, legal experts suggest that the likelihood of HHS OCR designating UnitedHealth Group as the sole entity responsible for notifications is low. Nonetheless, such a decision could alleviate financial and operational burdens on healthcare providers affected by the breach.

Meanwhile, efforts to restore affected IT systems are underway, with some services already back online. Change Healthcare has resumed operations for its medical claims preparation software and is gradually reinstating other services, although full recovery is expected to take time.

As the investigation continues and restoration efforts progress, the healthcare industry remains vigilant in navigating the aftermath of this significant cyber incident, underscoring the critical need for robust cybersecurity measures and coordinated response strategies to safeguard sensitive patient data and ensure continuity of care.
