In today’s digital age, cybersecurity is of paramount importance, particularly in industries that handle sensitive information such as healthcare. Recently, our prior clearinghouse partner, Change Healthcare (CHC), faced a significant cyberattack. Although our systems at Henry Schein One remained secure, CHC has reported that some patient data was compromised.
While only a small fraction of our customers’ patient data was affected, we believe it is crucial to inform all our clients about the situation and the steps being taken to address it. In this blog entry, we will provide detailed information on the incident, the measures being taken by CHC, and how you can stay informed and protect your patients’ data.
Details of the Incident and Next Steps
As you are likely aware, Henry Schein One’s prior clearinghouse partner, Change Healthcare (CHC), experienced a criminal cyberattack in February of this year. While Henry Schein One systems were not compromised, CHC has indicated that patient data has been exfiltrated from its environment. Based on CHC’s analysis to date, a small percentage of Henry Schein One customer’s patient data was affected (at this time, less than 1%), but because CHC is not able to tie affected individuals to practices we are providing this notice to all Henry Schein One practice management customers that utilized claims or eligibility services through CHC.
CHC has provided a HIPAA substitute notice with additional information here: HIPAA Substitute Notice. The notice includes a description of information which may have been involved based on CHC’s review to date, a toll-free call center number, and information on complimentary credit monitoring and identity protection services available to all individuals. CHC recommends that covered entities post a link to the substitute notice on their home page for at least 90 consecutive days.
Beginning in late July, CHC has informed us that CHC will send direct notice (written letters) to affected individuals for whom CHC has a sufficient address. CHC will make HIPAA and state attorney general notifications as required by state law on behalf of covered entities as a delegate. You do not need to do anything for CHC to process required notifications. CHC will proceed as a delegate on your behalf to provide the following notifications:
- HIPAA substitute notice
- HIPAA media notice
- OCR report, when data review is completed
- Individual notifications under HIPAA and state law, for impacted individuals with sufficient information
- Impacted individuals with an unknown or insufficient address will be provided notice via substitute notice
- Notice to state attorneys general as appropriate
If your patients would like additional information regarding the cyberattack or the complimentary credit monitoring and identity protection services, you can refer them to the CHC substitute notice at the link above. If you have any questions, please contact CHC directly as set forth in the notice.
Leave a Reply
You must be logged in to post a comment.