We’re following up on the Kaiser Permanente and Change Healthcare breaches. Below you will find updated information as well as some general guidance. As always please consult your leadership/counsel prior to implementing any breach related actions.


Kaiser Permanente Breach Guidance:

For healthcare organizations that have filed claims for patients with Kaiser Permanente, and suspect that patient information may have been compromised in the breach, there are specific steps to consider to protect both patients and operations:

  • Communication with Kaiser Permanente: Establish contact with Kaiser to understand the extent of the breach, specifically how it might impact their patients’ data. It’s vital to determine whether the data involved included information submitted through their claims.
  • Internal Assessment: Conduct an internal review to identify any potential risks to patient data that might stem from the breach at Kaiser. This involves checking if their system’s integration with Kaiser’s might have exposed additional vulnerabilities.
  • Patient Notification: Notify any patients potentially affected by the breach. Transparency is crucial in maintaining trust. Patients should be informed about what data was potentially exposed, the implications, and what steps they can take to protect themselves.
  • Regulatory Reporting: Depending on the nature of the breach and the data involved, the healthcare organization may need to report the incident to regulatory bodies, such as the Department of Health and Human Services (HHS) under HIPAA regulations, even if the breach originated with Kaiser.
  • Enhanced Security Measures: Evaluate and strengthen security protocols to prevent similar breaches. This might include enhancing data encryption, tightening access controls, and implementing more robust data monitoring systems.
  • Legal Consultation: Consult with legal experts to understand their obligations and liabilities in this situation. Legal advice will help navigate the complexities of data breach laws and regulations.
  • Credit Monitoring Services: Consider offering credit monitoring services to affected patients, especially if sensitive information like Social Security numbers was involved.
  • Ongoing Monitoring: Monitor for unusual activity within patient accounts that could indicate misuse of the breached data. Keep patients informed about any new developments related to the breach.

Change Healthcare Update:

More information has come to light through the testimony of Andrew Witty, CEO of UnitedHealth Group, before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations (LINK). The cyberattack on Change Healthcare involved the exploitation of accounts that lacked multi-factor authentication (MFA) on Citrix systems. This security lapse allowed hackers to gain unauthorized access and deploy ransomware. Citrix systems are commonly used in large organizations for secure and flexible access to networks and applications. When MFA is not enabled, these systems can become vulnerable entry points for attackers.

This will be even further justification for cyber insurance to require MFA for remote access and systems with sensitive information. BlueOrange would strongly encourage all of our clients to require MFA on all systems that have any chance of containing sensitive information/ePHI.