The Department of Health and Human Services changed course on Friday and announced that it will allow Change Healthcare to file breach notifications on behalf of the thousands of organizations impacted by February's ransomware attack.
HHS updated a previously released FAQ page from April 19 that said every organization affected by the hack of Change Healthcare would have to file their own breach notices with federal and state regulators, enraging the thousands of hospitals, clinics and doctor's offices that are still recovering financially from the outages caused by the attack.
Change Healthcare handled about 1 in 3 medical records and processed about half of all medical claims in the U.S. at the time of the breach.
The CEO of UnitedHealth, Change Healthcare's parent company, told Congress this month that about one-third of all Americans had information accessed by the hackers.
HHS's focus, she said, is that everyone who had information exposed during the ransomware attack be notified that their data was breached.
The statement ends mounting confusion over a situation that had enraged healthcare entities across the U.S. Hundreds of organizations sent a letter to HHS last week demanding more information on who would be responsible for notifying victims about the leak of their health data.
When contacted for comment last week, HHS directed Recorded Future News to the April 19 version of the FAQ. HHS did not respond to followup questions confirming whether that was still accurate.
Friday's announcement by HHS was met with praise by several associations that represent the healthcare industry.
Chad Golder, American Hospital Association general counsel and secretary, said in a statement that the decision is what they asked of HHS in March.
This Cyber News was published on therecord.media. Publication date: Fri, 31 May 2024 21:40:16 +0000