News

All News  > Cybersecurity

What ERISA Health Plan Fiduciaries Need to Know in the Wake of the Change Healthcare Cyberattack
Jenny Kiesewetter, via LinkedIn
May 16, 2024

"Initially geared towards ERISA-governed retirement plans, the DOL has subsequently stated that its 2021 cybersecurity best practices also apply to ERISA-governed group health plans.... [T]he DOL lists 12 best practices to help ERISA plan fiduciaries to mitigate cybersecurity risks: ... [E]mployers are encouraged to consider adopting these best practices to help withstand any DOL scrutiny related to cybersecurity."

Tags: Cybersecurity   •   Fiduciary Duties   •   Health Plan Administration

Cybersecurity Will Be Part of All DOL Retirement Plan Audits: What Plan Sponsors Must Do to Pass
American Retirement Association [ARA]
May 13, 2024

"[T]he assumption some sponsors make that their plan uses Well-Known Vendor X, and so they can simply trust that this large vendor must maintain strong cybersecurity protections, is faulty ... A plan fiduciary still has to ... do their due diligence, document that they've done their due diligence, and make prudent decisions.' "

Tags: Cybersecurity   •   Retirement Plan Administration

Data Breach Victim Files Class-Action Suit Against J.P. Morgan Chase
Pensions & Investments
May 7, 2024

"[An] employee of a J.P. Morgan client whose retirement account J.P. Morgan administered, claims that his and other victims' sensitive information was targeted, compromised and unlawfully accessed due to the data breach that occurred in August of 2021.... [The plaintiff] also claims that cyber thieves have already engaged in identity theft and fraud and can in the future commit a variety of crimes, including opening new financial accounts and taking out loans in victims' names, filing fraudulent tax returns and giving false information to police during an arrest." [Valentine v. J.P. Morgan Chase & Co., No. 24-3438 (S.D.N.Y. complaint filed May 3, 2024)]

Tags: Cybersecurity

Cyber Resilience After the Change Healthcare Breach
Fenwick & West LLP
May 6, 2024

"In the aftermath of the Change Healthcare breach, healthcare entities should heed cybersecurity recommendations from regulatory bodies to prevent future attacks and mitigate post-attack enforcement actions.... Not only will alignment with agency recommendations prevent or deter future attacks, but it could likely mitigate the severity of enforcement actions imposed by such agencies in the aftermath of an attack."

Tags: Cybersecurity   •   Health Plan Administration

How Should a Plan Sponsor Respond to a Data Breach?
PLANSPONSOR; free registration may be required
May 3, 2024

"[B]efore an incident even occurs, plan sponsors should speak with their vendors about having an incident response plan, which is typically a written document, formally approved by an organization's senior leadership team, that helps the organization mitigate risk before, during and after a security incident.... Once the problem is contained and steps have been taken to mitigate the breach, a sponsor needs to have a plan for how the organization will communicate the issue with its participant base."

Tags: Cybersecurity   •   Retirement Plan Administration

AHIP Letter to OCR on Cyber Breach Notification Obligations Following Change Healthcare Incident (PDF)
America's Health Insurance Plans [AHIP]
[Opinion]
May 3, 2024

"At [the May 1 hearing] held by the House Energy & Commerce Committee, United CEO Andrew Witty said, 'we are offering to take full responsibility for all notification obligations for everyone involved in this.' [AHIP supports] this approach and agree that guidance from the Office of Civil Rights should clearly state that only Change has an obligation to perform breach notification in this context. That clarity would avoid tens of millions of Americans being left confused, frustrated and inundated by multiple notifications."

Tags: Cybersecurity   •   HIPAA

Preventing the Next Big Cyberattack on U.S. Health Care
Harvard Business Review; purchase required for full article
May 2, 2024

"The cyberattack on Change Healthcare that devastated the U.S. health care sector made painfully clear that much more needs to be done to address vulnerabilities that exist throughout the ecosystem. This article offers five actions that can go a long way to improving cybersecurity throughout the sector and make it much more resilient."

Tags: Cybersecurity   •   Health Plan Administration   •   Health Plan Design

UnitedHealth's CEO Slammed in Senate Hearing About Cyberattack
The New York Times; subscription may be required
May 2, 2024

"In a tense Senate hearing ... lawmakers sharply criticized UnitedHealth Group's handling of the cyberattack that paralyzed the U.S. health care system ... [S]enators questioned whether the cyberattack of Change Healthcare, which manages a third of all U.S. patient records and some 15 billion transactions a year, was so vast because UnitedHealth is too deeply embedded in nearly every aspect of the nation's medical care.... In the afternoon, House lawmakers outlined their concerns, especially given the corporation's enormous scale."

Tags: Cybersecurity   •   HIPAA   •   Health Plan Administration

HHS FAQs Address Change Healthcare Cybersecurity Incident (PDF)
Thomson Reuters / EBIA
[Guidance Overview]
May 2, 2024

"The FAQs specifically point to OCR's ransomware guidance, which has information on actions for regulated entities to take to determine if a ransomware incident is a breach (which is a fact-specific determination). OCR highlights that if covered entities are aware of a potential breach by a business associate, there is an obligation to proactively investigate whether a breach occurred, and report the breach to HHS, impacted individuals, and in certain cases, the media."

Tags: Cybersecurity   •   HIPAA

Breach at J.P. Morgan Exposes Data of 451,000 Plan Participants
planadviser
May 1, 2024

"The participant information that was exposed included participants' names, addresses, Social Security numbers, payment and deduction amounts, as well as bank routing and account numbers if the participants had set up direct deposit.... [On] February 26, the firm learned of a software issue that caused certain reports run by three authorized system users to include plan participant information that they were not entitled to see."

Tags: Cybersecurity

Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach
Ropes & Gray LLP
May 1, 2024

"Covered entities and business associates should carefully review [OCR's] FAQ webpage, in conjunction with all UHG/Change statements, and consider taking the following steps: [1] Contact Change/UHG about notifications and compromised data.... [2] Prepare to evaluate whether patients are impacted.... [3] Review BAAs with Change.... [4] Conduct a dark web investigation.... [5] Continue to monitor relevant sites for updates."

Tags: Cybersecurity   •   HIPAA

Managing the Impacts of the Change Healthcare Cyberattack
Nelson Mullins
Apr. 26, 2024

"UnitedHealth Group (UHC) announced on April 22, 2024, that it had paid a ransom to protect patient data potentially acquired in a late February cyberattack on its subsidiary Change Healthcare.... UHC has not officially notified affected health plans and their participants that a breach had occurred.... UHC reported that it has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial portion of people in America.... To mitigate any harm resulting from the CHC breach, [the authors] recommend that ERISA-regulated plans which may be impacted by the breach inform their plan participants of the CHC event."

Tags: Cybersecurity   •   HIPAA

CMS FAQs about Change Healthcare Cybersecurity Incident
U.S. Department of Health and Human Services [HHS]
[Guidance Overview]
Apr. 22, 2024

"Why is OCR initiating an investigation now and what does it cover? ... Has OCR received breach reports from Change Healthcare, UHG, or any affected health care entities? A: No ... Is OCR's 2016 ransomware guidance applicable to the Change Healthcare cyberattack? A: Yes ... Are covered entities that are affected by the cyberattack involving Change Healthcare and UHG required to file breach notifications? A: Yes ... What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack? ... What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?"

Tags: Cybersecurity   •   HIPAA   •   Health Plan Administration

House Hearing on Change Healthcare Hack: Providers Testify, but UnitedHealth a No-Show
BenefitsPro; free registration required
Apr. 19, 2024

"Witnesses shared stories of interrupted cash flows, high-interest loans, substantial administrative burdens, fragmented care coordination and resulting confusion for patients in testimony before the House Energy and Commerce Committee's Subcommittee on Health.... UnitedHealth Group, the parent company of Change Healthcare, was invited to participate in the session but did not attend."

Tags: Cybersecurity   •   Health Plan Administration

Change Healthcare Stolen Patient Data Leaked by Ransomware Gang
TechCrunch
Apr. 16, 2024

"[A] new ransomware and extortion gang that calls itself RansomHub published several files on its dark web leak site containing personal information about patients across different documents, including billing files, insurance records and medical information. Some of the files ... also contain contracts and agreements between Change Healthcare and its partners."

Tags: Cybersecurity   •   Health Plan Administration

House Committee Leaders Request Information from UnitedHealth Group about Change Healthcare Cyberattack (PDF)
Energy & Commerce Committee, U.S. House of Representatives
Apr. 16, 2024

"The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised. It is important for policymakers to understand the events leading up to, during, and after the Change Healthcare cyberattack. In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems, and the outreach to the health care community in the aftermath."

Tags: Cybersecurity   •   Health Plan Administration

Retirement Plan Access and Fraud Prevention Considerations
Spectrum Consultants
Apr. 11, 2024

"Plan participants need to take common sense measures to safeguard their accounts. Plan sponsors now face the dual challenge of providing online access to participants' retirement plans while keeping their information secure. Implementing and maintaining a proactive cybersecurity strategy is key for both parties."

Tags: Cybersecurity   •   Retirement Plan Administration

Cybersecurity Best Practices for Employers in the Wake of the Change Healthcare Attack
Burnham Benefits
Apr. 11, 2024

"As a group health plan sponsor, an employer's responsive obligations arising in the context of certain cybercrime events depends largely upon the underlying funding status of the employer's core employee benefit plans ... Additional privacy and security related obligations for the employer may be detailed in various state-level statutory mandates or even within certain international laws or other global-scope regulations.... Several notifications may be required as a consequence of a data breach.... Communication with employees is important[.]"

Tags: Cybersecurity   •   HIPAA

Plaintiffs Request Court Approval of $8.7M Settlement in ERISA Cyberattack Class Action Lawsuit
Holland & Knight
Apr. 1, 2024

"The agreement, if approved by a Georgia federal judge, would resolve all claims brought against Horizon in response to a cyberattack that exposed the personally identifiable information (PII) of more than 100,000 Horizon customers and a potential settlement class of over four million individuals." [Sherwood v. Horizon Actuarial Services LLC, No. 22-1495 (N.D. Ga. settlement agreement filed Mar. 11, 2024)]

Tags: Cybersecurity   •   Retirement Plan Administration

Hospitals Blame Insurers for Not Helping Enough After Crippling Cyberattack
POLITICO Pro; subscription required
Apr. 1, 2024

"Hospitals are still struggling to get paid even as the damage from last month's Change Healthcare cyberattack is slowly remediated -- and they are pointing the finger at insurers. Thirty to 40 percent of claims continue to be denied, compared with 5 percent before the attack[.]"

Tags: Cybersecurity   •   Health Plan Administration

Things to Know About Health Care Cyberattacks
New York Times; subscription required
Apr. 1, 2024

"Ransomware attacks ... affected 46 hospital systems last year, up from 25 in 2022 ... Hackers have also taken down companies that provide services such as medical transcription and billing in recent years.... [H]ospital mortality rises in the aftermath of an attack. Scheduled surgeries are canceled, and ambulances are sometimes rerouted to other hospitals even in emergencies because the cyberattack has disrupted electronic communications or medical records and other systems."

Tags: Cybersecurity   •   Health Plan Administration

Change Healthcare Provides Update on 'Impacted Data' Analysis and Notification Plan
BakerHostetler
Mar. 29, 2024

"[As of March 27,] CHC is still determining the contents of the 'data that was taken by the threat actor.' ... A third-party vendor has been engaged to assist with data analysis.... It could be some time before CHC announces the scope of data involved.... CHC data has not been found on the dark web.... CHC will be offering to provide notifications for customers 'where permitted.' ... The latest statement from CHC itself does not start any covered entity's '60-day timeline.' "

Tags: Cybersecurity   •   HIPAA

How Insurers Are Communicating About Change Healthcare Security Breach
Corporate Insight [CI]
Mar. 28, 2024

"Having created significant challenges for both patients and providers, the cyberattack is spurring new questions and actions in the insurance space regarding digital healthcare security. While the industry response is continuing to evolve, we'll likely see increasingly robust notifications efforts from insurers and health systems as they attempt to keep users in the loop."

Tags: Cybersecurity   •   Health Plan Administration

Investment Firms Reportedly Overlooking AI as a Cybersecurity Risk
American Retirement Association [ARA]
Mar. 27, 2024

"44% of respondents surveyed said they are uncertain about how the SEC will enforce the [new cybersecurity] rules, while 36% of compliance professionals cited concerns with complying with cyber-incident reporting requirements and timeframes.... While 38% of respondents have yet to identify AI as a cybersecurity risk, and 27% do not consider AI relevant to cybersecurity, roughly half (49%) said they are in the early stages of exploring AI as a tool for cybersecurity risk management."

Tags: AI   •   Cybersecurity   •   Retirement Plan Investments

Is Your Data Secure? HHS Opens Investigation into Change Healthcare Cyberattack
Haynes and Boone, LLP
Mar. 27, 2024

"Although the OCR stated it is not prioritizing investigations of health care providers, health plans or business associates that were impacted by this cyberattack, the OCR did remind entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that up-to-date business associate agreements are in effect, and that timely breach notifications to HHS and the affected individuals are provided."

Tags: Cybersecurity   •   HIPAA

© 2024 BenefitsLink.com, Inc.