
Feds to Investigate Hack of Healthcare Payment/Claims Processing Platform

In mid-March, the regulator responsible for privacy in healthcare announced that it will investigate a ransomware incident that took down a massive healthcare claims processing platform in February. The Change platform, owned by United, suffered a hack that halted payments, prescription refills, and other tasks, greatly straining many healthcare support resources. Now, the incident is being reviewed to determine whether it also compromised patient medical privacy.

Why It Matters

Two things make this story important.

First, it once again shows that vendor management is a critical part of cyber and privacy planning. Your company is only as secure (and compliant) as its weakest link – and that link may be a supplier. Particularly where the vendor has access to personal/regulated data, or where you depend on it for clearance of payments, try to secure coverage and assurances in case things go wrong.  

Second, it is one of many, many recent examples of regulators at the state and local level expressing heightened interest in and attention to consumers' health information and the effort to keep it secure. Here, there may be HIPAA violations, but the regulators are throwing increasingly wide nets that don't require a HIPAA claim to cause company headaches. If you have consumer health, medical, location, or well-being data: lock it down and take steps to document how you secure it.  


"Given the unprecedented magnitude of this cyberattack," she said, "and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA rules."


data security and privacy, hill_mitzi, insights, technology, health care