The Change Health cyberattack
Implications for dermatology practices and the need for enhanced compliance
Answers in Practice
By Faiza Wasif, MPH, Associate Director, Practice Management, December 1, 2024
Each month, DermWorld tackles issues “in practice” for dermatologists. This month, Academy practice management staff discuss the importance of data privacy and protection amid increased cyberattacks on health care.
In recent years, the health care sector has become increasingly vulnerable to cyberattacks. The recent Change Health attack serves as a stark reminder of the potential consequences of inadequate cybersecurity measures. Change Health, a prominent health care technology company, was targeted by a sophisticated criminal group, resulting in unauthorized access to sensitive patient information. This incident not only raised alarms across the health care industry, but also highlighted the critical importance of bolstering compliance, particularly within dermatology practices that handle sensitive patient data.
Understanding the cyberattack
The Change Health cyberattack, which occurred in early 2024, involved the theft of personal health information, including patient names, Social Security numbers, and medical histories. This breach affected thousands of physicians and non-physician providers, prompting immediate investigations and a push for more stringent security measures across the board. Cybercriminals increasingly target health care organizations due to the sensitive nature of the data they possess and the potential for significant financial gain. The fallout from such attacks can include reputational damage, legal repercussions, and financial losses, further exacerbating the challenges that physicians face in an already strained environment.
The cyberattack prompted significant responses from health care organizations and government agencies to support affected physicians. The American Academy of Dermatology Association (AADA) and the American Medical Association (AMA) urged the U.S. Department of Health and Human Services (HHS) to provide immediate financial assistance, like the support offered during the COVID-19 Public Health Emergency (PHE). The Centers for Medicare & Medicaid Services (CMS) directed Medicare Administrative Contractors to accept paper claims and encouraged Medicare Advantage organizations to relax prior authorization and timely filing requirements during the disruption. UnitedHealthcare (UHC) expanded access to its temporary funding assistance program and provided advance payments to physicians based on historical levels, while suspending prior authorization for most outpatient services until March 31, 2024. Additionally, CMS reopened the Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances Exception Application, allowing affected clinicians to seek relief from reporting requirements until October 2024. This coordinated response highlighted the attack’s significant impact on the health care industry and the urgent need for compliance and support for affected practices.
Learn more about MIPS reporting and exemptions.
Impact on dermatology practices
Dermatology practices, like all health care entities, are not immune to such cyber threats and attacks. They manage a wealth of patient information, from medical histories to photographs of skin conditions. The nature of dermatology, which often involves sensitive visuals, makes compliance with data protection regulations even more crucial. A breach in this context would not only expose personal data but also carry serious ethical implications, undermining the trust between patients and physicians.
Furthermore, dermatology practices often operate in a competitive landscape where reputation and patient trust are paramount. A cyberattack can lead to a significant loss of patient confidence, potentially driving clients to seek services elsewhere. The financial ramifications can be devastating, especially for small- to mid-sized practices that may lack the resources to recover from such an incident.
HIPAA training for medical offices
Check out the Academy’s ecompliance series on HIPAA training.
The importance of compliance
Physicians and staff share ethical and legal responsibilities to protect patient privacy under state laws and the Health Insurance Portability and Accountability Act (HIPAA). Learn more about your responsibility to protect patient privacy under HIPAA. HIPAA establishes national standards for the protection of sensitive patient information, ensuring that health care entities implement the necessary safeguards to protect these data. Dermatology practices must prioritize compliance, not only to adhere to legal requirements, but also to foster a culture of security that reassures patients that their information is being handled responsibly.
Data protection: Compliance with HIPAA requires identifying protected health information (PHI), which includes any data that can uniquely identify a patient. Patient confidentiality must be upheld in all communications; while PHI can be shared among physicians for treatment and payment without explicit consent, marketing materials require patient permission. Patients should have access to their health records within 30 days and receive a Notice of Privacy Practices (NPP) during their first visit. Appointing a privacy officer is essential for overseeing compliance. Comprehensive training for all staff on recognizing phishing attempts, secure password management, and handling sensitive information fosters a culture of vigilance that helps prevent breaches and protects patient data. Learn more about data protection by visiting the Academy’s HIPAA Resource Center.
Risk management: Effective risk management in dermatology practices requires compliance frameworks to identify vulnerabilities and mitigate cyber threats. Conducting annual security risk analyses (SRAs) is essential for uncovering gaps and developing policies, along with regular HIPAA training for staff, as most breaches stem from human error. It’s crucial to identify business associates (BAs) with access to electronic protected health information (ePHI) and ensure contracts outline their data protection responsibilities. Regular backups, preferably via cloud services with business associate agreements (BAAs), help maintain data integrity. Finally, all security documentation, including SRAs and incident reports, must be kept for at least six years to comply with federal regulations, enhancing security and patient trust. Learn more about securing privacy and best practices for securing mobile devices.
Preventing and managing breaches: Most breaches arise from human error or malware, and losses of unsecured PHI require notification to patients and HHS. Encrypting data is vital, as it exempts practices from breach reporting. Breaches can lead to significant costs and fines of up to $1.5 million. Practices must notify affected patients within 60 days and report based on the number of records involved. Compliance requires ongoing vigilance through regular audits to identify gaps. To mitigate risks, practices should implement security policies, access controls, network protections, encryption, timeout settings, and staff training on phishing. Utilizing multi-factor authentication and strong password policies further enhances data security. Staying updated on technological threats allows practices to adapt effectively, and immediate action is crucial following a cyberattack.
Patient education: Dermatology practices also play a vital role in educating patients about their rights and the importance of safeguarding their information. By fostering open communication, practices empower patients to be more vigilant about their data privacy. This proactive approach not only enhances patient trust but also encourages collaboration in protecting sensitive information, ultimately benefiting both patients and practices alike.
In conclusion, the Change Health cyberattack serves as a critical reminder for dermatology practices on the urgent need for enhanced cybersecurity and compliance measures. To protect sensitive patient information, practices must prioritize robust data protection strategies, comprehensive staff training, and proactive risk management. By fostering a culture of compliance and vigilance, you not only safeguard your operations but also reinforce patient trust, ensuring responsible handling of sensitive data. In a landscape of increasingly sophisticated cyber threats, commitment to security and compliance is essential for ethical and optimal patient care and operational integrity.
Curious about your practice’s HIPAA compliance?
Take this brief educational quiz to discover any gaps and learn how to address them!
Be sure to visit the Academy’s Practice Management Center at staging.aad.org/practice to access a wealth of invaluable management resources and tools designed to support and elevate your professional journey and practice.