OCR Issues Update on Change Healthcare Cybersecurity Breach
Per the notice below, the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS) has issued an update on the Change Healthcare cybersecurity breach.
Update to HHS OCR’s Change Healthcare Cybersecurity Incident FAQ Webpage
On July 19, 2024, Change Healthcare filed a breach report with the HHS Office for Civil Rights (OCR) concerning a ransomware attack that resulted in a breach of protected health information. Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal. Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach. HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report. OCR has updated the answer to question #3 on OCR’s “Change Healthcare Cybersecurity Incident Frequently Asked Questions” webpage to address this issue. OCR will continue to update the FAQs as needed.