In February 2024, Change Healthcare, a vendor for Clear Spring Health, suffered a ransomware attack, resulting in the theft of numerous individuals' sensitive personal and health information. Clear Spring recently released a breach notification as a result.
On June 26, 2024, Clear Spring Health issued a notice informing its members about a security breach at Change Healthcare, one of its vendors. The attack, carried out by the ransomware group BlackCat, resulted in the theft of a vast amount of sensitive data, affecting numerous Clear Spring Health members. This data included personal details like names, addresses, and Social Security numbers, as well as health-related information such as medical records and insurance details.
Change Healthcare, a subsidiary of UnitedHealth Group, experienced a cyberattack conducted by the ransomware group known as BlackCat. This incident led to the shutdown of over 100 applications related to various healthcare services, including pharmacy management, medical records, and payment systems. The disruption impacted numerous aspects of healthcare operations, notably delaying claims processing and disrupting the normal flow of medical and pharmacy services.
UnitedHealth Group, the parent company, responded promptly by mobilizing resources to mitigate the impact. Efforts included restoring system functionalities such as electronic prescribing and claims processing. Despite these challenges, the attack exposed the need for stronger cybersecurity measures within the healthcare sector, highlighting the potential risks to patient care and data security.
The breach affected a wide range of stakeholders, from individual patients and pharmacies to larger healthcare providers, who rely on Change Healthcare’s platforms for efficient service delivery. The incident has drawn attention from government agencies and industry bodies.
See also: What are the HIPAA breach notification requirements
The breach notification released by Clear Spring Health provided, “This notice provides details to Clear Spring Health members who may have been impacted by a recent security incident that occurred with our vendor, Change Healthcare (“CHC”). CHC recently experienced a cyberattack that exposed personal information and protected health information (“Sensitive Data”) of many individuals who may have participated in a health plan or visited a provider.”
See also: HIPAA Compliant Email: The Definitive Guide
The purpose of a breach notification is to inform affected individuals about a security incident involving their personal information so they can take protective actions.
It involved an amount of sensitive data across a wide network of healthcare services and providers.
Protected health information is any information in a medical record that can be used to identify an individual.