Latest Insights into HIPAA Violations Shaping the Future of U.S. Healthcare Compliance

October 17, 2024: Change Healthcare Ransomware Attack Cost to Rise to $2.87bn in 2024

UnitedHealth Group reported a significant financial impact from the Change Healthcare ransomware attack, estimating losses to rise to $2.87 billion by year-end. Despite this, the company achieved a 9% revenue increase in Q3 2024, reaching $100.8 billion. The attack’s costs escalated from $1.6 billion in Q1 to $2.457 billion by Q3, with $1.521 billion attributed to direct response efforts. Adjusted Q3 earnings per share were $7.15, including $0.12 from business disruptions but excluding $0.28 in direct response costs. CEO Andrew Witty noted the company’s resource allocation towards supporting affected healthcare providers over share buybacks, with $8.9 billion in loans disbursed to providers. While most systems are back online, transaction volumes remain below pre-attack levels, though full recovery is anticipated by 2025. For more details, visit www.hipaajournal.com.

Source: HIPAA Journal

HHS Office for Civil Rights Imposes a $240,000 Civil Monetary Penalty Against Providence Medical Institute in HIPAA Ransomware Cybersecurity Investigation

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $240,000 civil monetary penalty on Providence Medical Institute in Southern California for violating the HIPAA Security Rule following a ransomware attack that compromised the ePHI of 85,000 individuals in early 2018. This penalty highlights a troubling trend, with ransomware-related breaches in healthcare increasing by 264% since 2018. OCR's investigation revealed compliance failures, including the lack of a business associate agreement and inadequate access controls for ePHI. Providence did not contest the findings, and OCR Director Melanie Fontes Rainer emphasized the urgent need for the healthcare sector to improve cybersecurity measures to protect patient privacy. For more details, visit www.hhs.gov.

Source: Health and Human Services

HHS Office for Civil Rights Imposes a Civil Monetary Penalty of $115,200 Against American Medical Response for Failure to Provide Timely Access to Patient Records

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a civil monetary penalty of $115,200 on American Medical Response (AMR) for failing to provide timely access to a patient's medical records, as required by the HIPAA Privacy Rule. Following a complaint about AMR's repeated failures to fulfill the request, OCR's investigation confirmed the violations. Although AMR eventually provided the requested records and revised its internal procedures for handling access requests, it did not contest the findings. OCR Director Melanie Fontes Rainer emphasized the importance of enforcing patients' rights to access their medical information promptly. For more details, visit www.hhs.gov.

Source: Health and Human Services

October 21, 2024: Senate Finance Committee Chair Seeks Further Information on Change Healthcare Cyberattack

UnitedHealth Group CEO Andrew Witty testified on the February 2024 ransomware attack affecting Change Healthcare, with Senate Finance Chair Ron Wyden recently demanding further clarification on cybersecurity practices, audit processes, and preventive measures. Wyden's letter cited vague responses and questioned whether UnitedHealth's cybersecurity gaps worsened the breach, requesting detailed answers by November 22, 2024, including five years of Change Healthcare's security audits. For more details, visit www.hipaajournal.com.

Source: HIPAA Journal

September 19, 2024: Initial Conference Takes Place for Consolidated Change Healthcare Data Breach Lawsuit

UnitedHealth Group's Q3 2024 earnings report reveals that the financial impact of the ransomware attack on Change Healthcare has risen to $2.457 billion. Despite these challenges, the company achieved a 9% revenue growth year-over-year, reaching $100.8 billion for the quarter. Initial 2024 loss estimates of $1.6 billion were revised up by Q2 to between $2.3 billion and $2.45 billion. By September 30, UnitedHealth recorded $1.521 billion in direct response costs, with the year-end total projected to be $2.87 billion. For more details, visit www.hipaajournal.com.

Source: HIPAA Journal

HHS Office for Civil Rights Imposes a $70,000 Civil Monetary Penalty Against Gums Dental Care for Failure to Provide Timely Access to Patient Records

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a $70,000 penalty on Gums Dental Care, LLC, a Maryland dental practice, for failing to provide timely access to a patient’s medical records, violating the HIPAA Privacy Rule. After OCR received repeated complaints from a patient, it investigated and found that Gums Dental Care delayed record provision for nearly three years despite multiple requests. An Administrative Law Judge and the Departmental Appeals Board upheld the penalty, emphasizing the critical nature of patient access rights under HIPAA. OCR Director Melanie Fontes Rainer underscored that healthcare providers must comply with such requests to avoid enforcement actions. For more details, visit www.hhs.gov.

Source: Health and Human Services