Breach Report Says Only 500 People Affected When Actual Number Could be 100 Million
In April, UnitedHealth Group CEO Andrew Witty testified before two congressional committees that the February ransomware attack on the company’s IT services unit Change Healthcare likely affected the sensitive information of one-third of the U.S. population. That’s about 100 million people, give or take a few million.
But when the U.S. Department of Health and Human Services on Tuesday posted on its public HIPAA Breach Reporting Tool website the report Change Healthcare filed to federal regulators on July 19, the company said the incident affected … drumroll, please: 500 people.
Yes, you read that correctly. Change Healthcare has spent the past five months investigating the breach, and so far it has only reported 500 victims. In an ironic statement, the company acknowledged that millions of people will be notified and promised to update the HHS filing “if needed.”
Of course, the 500 figure Change Healthcare reported to HHS’ Office for Civil Rights is a placeholder estimate while the firm and its parent company UnitedHealth Group continue to analyze the data affected in the massive Feb. 21 attack, which shut down more than 100 IT services for weeks and disrupted thousands of medical care entities.
Organizations sometimes report to HHS OCR an initial estimate of 500 or 501 individuals affected by incidents that surely affected far more, in order to comply with the HIPAA breach notification rule’s requirement to notify the agency, within 60 days of discovery or sooner, of protected health information compromises affecting 500 or more individuals.
Last week, hospital chain Ascension reported to HHS OCR that its ransomware attack in May, which disrupted IT services in 19 states, also affected 500 people. That is a placeholder estimate until Ascension’s final data analysis is completed (see: Ascension Files Placeholder Breach Report for May Hack).
Some legal experts were surprised by Change Healthcare’s super low estimate in the breach report submitted to HHS OCR, especially considering the circumstances of the high-profile ransomware attack.
“This is unusual,” said regulatory attorney Sara Goldstein of the law firm BakerHostetler. “Typically the ‘500 or 501 individual placeholder’ is used when covered entities or business associates are providing notification within 60 days of discovery but have not identified the total number of individuals requiring notification,” she said.
The Russian-speaking ransomware cybercriminal group BlackCat, aka Alphv, claimed responsibility for the attack. Witty admitted to Congress that the company paid the attackers – who claimed on the dark web to have stolen 4 terabytes of patient data – a $22 million ransom (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).
“UHG publicly stated that the incident involved information for ‘a substantial proportion of people in America.’ Based on these statements, one would have expected that the initial notice to HHS OCR would have included a much larger number,” Goldstein said.
Change Healthcare in a statement to Information Security Media Group on Monday – the same day the firm posted a notice on its website saying it had begun to mail breach notifications to affected individuals – said that the company would file an amended breach report to HHS OCR “if needed” at the completion of the review (see: Change Healthcare Begins to Notify Millions Affected by Hack).
“The data review is in its final stages, but we have analyzed enough data to start notifying,” the statement says. “It is in line with earlier information of a substantial proportion of Americans being impacted and as our CEO mentioned in May. We will amend the OCR report if needed at the completion of the review and mailings.”
HHS OCR on Tuesday, in updated guidance on the agency’s website, said the Change Healthcare report posted on the HHS breach reporting portal will be amended “if” the company amends the total number of individuals affected by this breach.
“HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report,” HHS OCR said.
Goldstein said HHS OCR likely does not want to “assume” that Change Healthcare will indeed amend its report with a more accurate number but if the company does, she expects HHS OCR will also update its public portal to reflect the new figures.
“The portal will likely be updated with the amended Change Healthcare number, but it might not appear at the top of the list, which maintains reports in chronological order,” Goldstein said.
That potentially makes it easier for the updated Change Healthcare breach figure – which will undoubtedly be eye-popping – to get buried on the HHS OCR public portal.
Change Healthcare said in a statement on Monday that about 90% of its data breach analysis is completed, so the company this week began to mail breach notifications to affected individuals on a “rolling basis.”
Hopefully, Change Healthcare and UnitedHealth Group also will continue to disclose many more important details about their breach and the findings from their investigation.
I urge them to be transparent in the continued public accounting of the data breach – and its wide-ranging effect on the American public – despite the initial lowball estimate already posted.
We know lawmakers are watching, as well (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).
The U.S. healthcare sector – and its patients – need to know what happened and learn from this historic mega breach.