Late on March 27, UnitedHealth Group (UHG), the parent company of Change Healthcare (CHC), provided an update on its analysis of the scope of “impacted data” related to the CHC incident.
The main highlights of the update are as follows:
CHC is still determining what “data obtained by threat actors” is. CHC continues to analyze the “impacted data” and is prioritizing the review of data that appears to contain health information, personally identifiable information, claims and entitlement or financial information.
A third-party vendor has been engaged to assist with data analysis. To expedite the review of the data, CHC has engaged a “major vendor” to assist with the analysis.
It may be some time before CHC releases the scope of the data involved. CHC said that due to the impact the incident had on its systems, it was unable to obtain data related to the incident until recently. This indicates that it will likely be several weeks or longer before the company provides an update on the content of information related to the incident.
CHC’s data has not been found on the dark web. While this may be reassuring to some, just because CHC has not found data on the dark web does not mean that sensitive data is not in the possession of malicious actors. It also does not change the possibility of notification obligations if protected health information or personal information is accessed or obtained as a result of this incident.
CHC offers to notify customers “if permitted.” UHG said it will handle the notification process for customers whose data was affected “where permitted.” Depending on the services a healthcare provider receives from CHC, CHC may act as a clearinghouse (itself a HIPAA covered entity) or as a business associate of the healthcare entity. The terms of the corporate master agreement and business associate agreement with the CHC entity will determine whether UHG will handle the notification process on the entity’s behalf.
What does this mean for covered entities?
CHC’s latest statement does not, in itself, start the “60-day timeline” for covered entities.
Until CHC issues a more specific statement about the services involved or notifies its customers that their PHI is involved in the incident, the discovery date for HIPAA covered entities has not yet occurred and the “60-day notice deadline” for covered entities that are CHC customers has not yet begun. The March 27 UHG update does not change this analysis.