BakerHostetler is closely monitoring imminent cybersecurity threats to healthcare revenue cycle management personnel and vendors.
Most recently, Change Healthcare (CHC), a healthcare technology and business management vendor for many healthcare systems and providers, announced that it experienced a data security incident.
Hundreds of healthcare providers throughout the country utilize CHC for eligibility clearance and revenue cycle management, and this incident has disrupted the availability of some of its services.
In addition to service disruptions, which may have financial implications for organizations, this incident could have Health Insurance Portability and Accountability Act (HIPAA) breach notification implications for healthcare providers. Depending on the services healthcare providers receive from CHC, CHC may act as a clearinghouse (in and of itself a HIPAA-covered entity) or a business associate of the healthcare entities. In both capacities, CHC collects a large amount of protected health information as part of the services it provides. If that data was accessed or acquired as a result of this incident, there could be a very large patient notification, and that notice responsibility may fall on healthcare systems and providers if CHC is acting as a business associate.
In addition to the CHC incident, BakerHostetler is working with a number of healthcare organizations that have experienced email phishing and other incidents targeting their healthcare revenue cycle workforce and vendors.
[View source.]