Change Healthcare Ransomware Attack Highlights Importance of Cybersecurity

On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare technology companies in the United States, experienced a crippling ransomware cyberattack, considered to be the most serious incident of its kind against a U.S. healthcare organization. Thirteen days into the cyberattack, effects are reverberating throughout the entire healthcare system.

According to Change Healthcare, the company processes 15 billion healthcare transactions annually, touching approximately 1 in every 3 patient records. These transactions include a range of services that directly affect patient care, including eligibility verifications, pharmacy operations, and claims transmittals and payment.

On February 29, Change Healthcare confirmed that ransomware group ALPHV Blackcat made the breach. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Health and Human Services (HHS) issued a joint advisory regarding the ransomware crime syndicate that is said to have perpetrated the cyberattack on Change Healthcare, with the implication that ALPHV Blackcat is planning to continue targeting the healthcare sector.

Ransomware Incidents on the Rise

In recent years, ransomware attacks have increased substantially, especially in the healthcare sector. Ransomware is a type of malware that denies access to a computer system until a ransom is paid. In a typical attack, an employee unknowingly clicks on an email attachment or visits a website where malicious code is lurking in the background. With one keystroke, software is installed that locks you out of your own files. This most recent cyberattack differed in that instead of targeting a healthcare provider directly, it went after Change Healthcare.

For Dental Practices…

Effective cybersecurity is more important than ever for dental practices to prevent cyberattacks and thereby maintain compliance with HIPAA requirements. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities, including dental offices, to ensure the privacy and security of individuals’ protected health information (PHI).

In response to the Change Healthcare cyberattack, on February 27, the American Dental Association (ADA) published an article on ADA News, advising affected dental practices “to watch for communication from vendors and payers regarding restoration of services. Providers should seek alternate options including using payer portals or provider service lines for eligibility and benefits verification, asking vendors for alternative clearinghouse options, and carefully tracking claims, or consider using paper claim forms until services are restored.”

Additionally, some general tips for dental practices to help prevent cyberattacks include ensuring all dental healthcare personnel (DHCP) are trained on and do the following:

• Make sure DHCP know with whom they are communicating.
• Report suspicious texts and emails.
• Don’t download any unknown software or click on unknown links.
• Layer technology protection with, at a minimum, strong passwords and multifactor authentication.
• Watch out for phishing attempts.
• Monitor online accounts regularly.
• Train DHCP on cybersecurity and how to mitigate cyberthreats. – Under HIPAA, this training is required for DHCP with access to PHI.

As cyberattacks become more sophisticated, it is even more important for dental offices to ensure that DHCP are properly informed and trained on how to protect PHI, and how to detect and properly respond to cyberthreats. Additionally, all covered entities are expected to conduct a security risk analysis regularly to assess security vulnerabilities and the mechanisms currently in place to mitigate them, and then to determine what additional controls, if any, should be implemented.

For our OSHA Review Subscribers… A checklist to help dental offices conduct a HIPAA security risk analysis is available from OSHA Review’s website, in the clients-only section under OSHA Review/Professional Documents. For more information on HIPAA compliance, refer to Section X of your OSHA Review binder.

Since 1992, OSHA Review, Inc. has provided dental professionals with comprehensive programs to support regulatory compliance and infection control. We are a registered continuing education provider in the state of California, specializing in Dental Practice Act, infection control, and OSHA training.