Change Healthcare Cybersecurity Incident Frequently Asked Questions

Updated as of March 14, 2025

1. Why did OCR issue the Dear Colleague letter about the Change Healthcare cybersecurity incident?

A: Given the unprecedented magnitude of this cyberattack, its widespread impact on patients and health care providers nationwide, and in the interest of patients and health care providers, OCR issued the Dear Colleague letter addressing the following:

  • OCR confirmed that it prioritized and opened investigations of Change Healthcare and UnitedHealth Group (UHG), focused on whether a breach of protected health information (PHI) occurred and on the entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules. OCR did this because of the cyberattack’s unprecedented impact on patient care and privacy.
  • OCR’s investigation interest in other entities that partnered with Change Healthcare and UHG is secondary. This includes those covered entities that have business associate relationships with Change Healthcare and UHG, and those organizations that are business associates to Change Healthcare and UHG.
  • However, OCR reminded all of these entities of their HIPAA obligations to have business associate agreements in place and to ensure that timely breach notification to the Department of Health and Human Services (HHS) and affected individuals occurs.
  • Safeguarding PHI is a top priority. OCR provided resources to help entities protect their record systems and patients from cyberattacks, including:
    • OCR HIPAA Security Rule Guidance Material – This webpage provides educational materials to learn more about the HIPAA Security Rule and other sources of standards for safeguarding electronic PHI. Materials include a Recognized Security Practices Video, Security Rule Educational Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
    • OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks – This video discusses how the HIPAA Security Rule can help covered entities and business associates defend against cyberattacks. Topics include breach trends, common attack vectors, and findings from OCR investigations.
    • OCR Webinar on HIPAA Security Rule Risk Analysis Requirement – This webinar discusses the HIPAA Security Rule requirements for conducting an accurate and thorough assessment of potential risks and vulnerabilities to electronic PHI and reviews common risk analysis deficiencies OCR has identified in its investigations.
    • HHS Security Risk Assessment Tool – This tool is designed to assist small- to medium-sized entities in conducting an internal security risk assessment to aid in meeting the security risk analysis requirements of the HIPAA Security Rule.
    • Factsheet: Ransomware and HIPAA – This resource provides information on what ransomware is, what covered entities and business associates should do if their information systems are infected, and HIPAA breach reporting requirements.
    • Healthcare and Public Health (HPH) Cybersecurity Performance Goals – These voluntary, health care specific cybersecurity performance goals can help health care organizations strengthen cyber preparedness, improve cyber resiliency, and protect patient health information and safety.

2. Why is OCR initiating an investigation now and what does it cover?

A: Ensuring continuity of care and patient privacy is the utmost priority. In the interest of patients and health care providers who are reeling from the impact of this cyberattack of unprecedented magnitude, OCR initiated investigations of Change Healthcare and UHG. The investigations are primarily focused on whether a breach of unsecured PHI occurred and on Change Healthcare’s and UHG’s compliance with the HIPAA Rules.

3. Have Change Healthcare or UHG filed a breach report with HHS?

A: Yes, on July 19, 2024, Change Healthcare filed a breach report with OCR concerning a ransomware attack that resulted in a breach of protected health information. Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal. Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach. HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report.

4. Are large breaches (those affecting 500 or more individuals) posted on the HHS Breach Portal on the same day that OCR receives a regulated entity’s breach report?

A: No. Before a breach is posted on the HHS Breach Portal, OCR verifies the report it receives. OCR discusses the breach reported with the regulated entity that reported the breach and verifies that the information in the breach report is accurate. Once breach verification is completed, the breach report will be posted on the HHS Breach Portal. The amount of time that the breach verification process takes can vary depending on the circumstances, but generally the verification process is completed within 14 days.

5. Is OCR’s 2016 ransomware guidance applicable to the Change Healthcare cyberattack?

A: Yes. OCR’s ransomware guidance provides specific information on the steps covered entities and business associates should take to determine if a ransomware incident is a HIPAA breach. A breach, under the HIPAA Rules, is defined as, “…the acquisition, access, use, or disclosure of [PHI] in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 CFR 164.402. Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.

6. Are covered entities whose patients’ or beneficiaries’ protected health information was impermissibly disclosed as a result of the cyberattack involving Change Healthcare and UHG required to perform HIPAA breach notifications?

A: A covered entity that discovers a breach, including when notified of a breach by their business associate, must comply with the applicable breach notification requirements, including notification to affected individuals without unreasonable delay, to the HHS Secretary, and to the media (for breaches affecting over 500 individuals). See 45 CFR 164.400-414. A breach of PHI is presumed to have occurred unless the covered entity can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors in the Breach Notification Rule.

Under the HITECH Act and Breach Notification Rule, the covered entity is ultimately responsible for ensuring that such notifications occur. See 42 USC 17932 and 45 CFR 164.404. Affected covered entities should coordinate with Change Healthcare and UHG on who will be providing breach notifications.

The required breach notification to an individual must include, to the extent possible: a brief description of the breach; a description of the types of information that were involved in the breach; the steps affected individuals should take to protect themselves from potential harm; a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity (or business associate, as applicable).

When a breach of unsecured PHI occurs at a business associate, the business associate must provide notice to affected covered entities without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach by the business associate. To the extent possible, a business associate is required to provide the covered entity with the identification of each individual affected by the breach. Additionally, the business associate must provide the covered entity with any other available information required to be provided by the covered entity in its notification to affected individuals, at the time the business associate notifies the covered entity or promptly thereafter as information becomes available. Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual.

OCR understands that in this case, business associate notification to affected covered entities has not occurred yet. UHG’s website states that they “are not announcing an official breach notification at this time. To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”1 OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG.

7. May a covered entity delegate its breach notification obligations to Change Healthcare/UHG?

A: Yes, a covered entity may delegate to its business associate the tasks of providing the required HITECH Act and HIPAA Breach Notification Rule breach notifications on the covered entity’s behalf. Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media.

As such, if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations.

8. What HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyberattack?

A: Following a breach of unsecured PHI, covered entities must provide notification of the breach to affected individuals, the HHS Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate. A covered entity may delegate to its business associate the tasks of providing these required notifications on the covered entity’s behalf. Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media. See FAQ #7 on delegation of this duty.

Please visit the OCR Breach Notification webpage for detailed guidance. Please visit the Breach Reporting webpage for instructions on how to submit a breach notification to the HHS Secretary and to access the electronic breach notification form.

Below is a summary of breach notification requirements and reporting procedures for covered entities:

Breach Notification for Covered Entities (See 45 CFR 164.404 and 164.408)

A covered entity’s breach notification obligations differ, depending on whether the breach affects 500 or more individuals or fewer than 500 individuals.

Covered Entities: Submitting a Notice for a Breach Affecting 500 or More Individuals

If a breach of unsecured PHI affects 500 or more individuals, a covered entity must notify the HHS Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically through the HHS breach notification form, completing all of the required fields.

Covered Entities: Submit a Notice for a Breach Affecting Fewer than 500 Individuals

If a breach of unsecured PHI affects fewer than 500 individuals, a covered entity must notify the HHS Secretary of the breach within 60 calendar days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the reporting period to report breaches affecting fewer than 500 individuals; a covered entity may report these breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. The covered entity must submit the notice electronically through the HHS breach notification form, completing all of the required fields.

Number Uncertain: If the number of individuals affected by a breach is uncertain at the time of notification submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission.

Additional Information Discovered: If a covered entity discovers additional information that supplements, modifies, or clarifies a previously submitted notice to the HHS Secretary, it may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number it received after its submission of the initial breach report.

Covered Entities: Media Notice (See 45 CFR 164.406)

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities may provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

Covered Entities: Substitute Notice (See 45 CFR 164.404(d)(2))

The HIPAA Breach Notification Rule allows for the use of substitute notice to affected individuals where there is insufficient or out-of-date contact information that precludes written notification to the individual. In such instances, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice can be provided in the following ways:

(i) In the case in which there is insufficient or out-of-date contact information for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means.

(ii) In the case in which there is insufficient or out-of-date contact information for 10 or more individuals, then such substitute notice shall:

(A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and

(B) Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured PHI may be included in the breach.

9. What HIPAA breach notification duties do business associates have with respect to the Change Healthcare cyberattack?

A: Breach Notification for Business Associates (See 45 CFR 164.410)

If a breach of unsecured PHI occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. This notice must be provided without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. To the extent possible, the business associate must provide the covered entity with the identification of each individual affected by the breach, or each individual reasonably believed to have been affected, as well as any other available information required to be provided by the covered entity in its notification to affected individuals.

Additionally, with respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the task of providing individual notices to the business associate. Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may vary depending on the circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. Only one entity—which could be the covered entity itself or its business associate—needs to complete notifications to affected individuals, the HHS Secretary, and where applicable the media.

10. How will Change Healthcare notify affected covered entities and business associates of the breach?

A: HIPAA regulated entities affected by this incident should contact Change Healthcare and UHG with any questions on how HIPAA breach notification will occur.

11. Is Change Healthcare performing breach notification on behalf of affected entities to HHS and affected individuals?

A: Decisions about who will perform breach notification to HHS and affected individuals are up to the covered entities affected by this breach. On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach. On January 24, 2025, Change Healthcare notified OCR that approximately 130 million individual notices have been sent regarding this breach and approximately 190 million individuals have been impacted. See FAQ #7 on delegation of this duty.

12. Who is responsible for ensuring that individuals affected by the Change Healthcare breach receive notification?

A: Covered entities are responsible for ensuring that HHS, affected individuals, and, where applicable, the media, are timely notified of the breach of unsecured PHI. HIPAA breach notification to affected individuals (patients, beneficiaries, and others) is essential for providing transparency about what caused the breach, when the breach occurred, what PHI was disclosed, what steps affected individuals should take to protect themselves, and information about what the HIPAA regulated entity (health plans, health care clearing houses, most health care providers, and business associates) is doing to investigate the breach, mitigate harm to affected individuals, and protect against further breaches.

Business associates are responsible for ensuring that HIPAA covered entities are timely notified of the breach of unsecured PHI. To the extent possible, a business associate is required to provide the covered entity with the identification of each individual affected by the breach. Additionally, the business associate must provide the covered entity with any other available information required to be provided by the covered entity in its notification to affected individuals, at the time the business associate notifies the covered entity or promptly thereafter as information becomes available. Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual.

See FAQ #7 on delegation of this duty.

13. Does OCR plan to update this FAQ page?

A: OCR plans to update this page as needed.


Endnotes

1 https://www.unitedhealthgroup.com/ns/changehealthcare/faq.html. As of July 30, 2024.

Content created by Office for Civil Rights (OCR)
Content last reviewed March 14, 2025