Cyberattack-affected Providers seek clarity on stolen data reporting responsibility

Editor's Note

A joint letter from the American Medical Association (AMA) and more than 100 medical organizations asks Health and Human Services (HHS) Secretary Xavier Becerra to confirm that providers do not bear responsibility for legal reporting requirements for information stolen in the Change Healthcare cyberattack, including personal patient data. Healthcare Finance reported the news May 21.

The letter seeks official affirmation that “no other entity other than Change or parent companies Optum and UnitedHealth Group” bear responsibility, noting that UnitedHealth Group has said it may delegate responsibility and offered to help ease reporting obligations.

"OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare's breach," the letter reads. "Numerous providers continue to grapple with the far-reaching consequences of this incident, and financial recovery remains elusive as the situation continues to get fully resolved. This has been exacerbated by a lack of clarity and definitive information offered by UHG and Change Healthcare. Since the attack became known, concerns among our members have mounted related to what could—from all indications—amount to the largest breach of the healthcare sector. Change Healthcare processes claims on behalf of hundreds of thousands of clinicians and providers, and several terabytes of possibly protected health information are alleged to have been stolen and held for ransom."