Important Information on the Change Healthcare Cybersecurity Incident

As you are aware, Change Healthcare experienced a cyberattack in early 2024. Change Healthcare is owned by UnitedHealth Group and manages healthcare technology connected to processing insurance claims and billing. This includes Practice Works, SoftDent, Dentrix, EagleSoft, Open Dental, and many more companies. They serve essentially as the business associate to the covered entity. Please review your Business Associate Agreements in place with these companies.
HIPAA Breach Notification Requirements
The Office of Civil Rights enforces the HIPAA Privacy, Security, and Breach Notification Rules. Affected individuals must be notified of this breach. This includes notifying patients and individuals whose information was in your breached system. You must also notify the Department of Health and Human Services and comply with state breach notification requirements.
Challenges for Dental Practices
Most of the dental practices we serve do not have the time or resources to manage breach notifications. The Office of Civil Rights Director indicated that affected covered entities wanting Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare.
60-Day Breach Notification Timeline
HIPAA’s Breach Notification Rule requires notification within 60 days of discovering the breach. The 60-day clock for Change Healthcare to notify their covered entity customers begins when the breach was discovered. The Office of Civil Rights has yet to receive a breach report from Change Healthcare.
Delegating Breach Notification Responsibilities
We are sending you this letter to alert you to the required breach notification and to let you know that, according to the Department of Health and Human Services, you may delegate to Change Healthcare the task of providing the required HIPAA breach notifications on your behalf. If Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA’s Breach Notification Rule, you would not have any additional HIPAA breach notification obligations.
Correspondence with Optum Privacy
I personally corresponded with Optum Privacy, which is handling the breach incident for Change Healthcare.
Investigation and Notification Plan
According to the Associate Director, Shelley Violette, they are conducting an investigation, and no final incident report was available at that time. However, to help ease reporting obligations on stakeholders whose data may have been compromised, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any customer.
Notification Process
Shelley Violette indicated they would provide appropriate notifications in the most efficient way possible as required by law. This would involve some form of direct mail, website notice, and other notices required by HIPAA and applicable state laws. She hopes to provide additional information very soon on an opt-out process to ease the burden on dental practices.
Commitment to Updates
As we learn more information, we will continue to update you.
