Frustrated with Change Healthcare breach, senators propose removing limits on HIPAA fines
Oct. 23, 2024
Health Tech Reporter
Linda Barbour thought she was more interested in the Change Healthcare cyberattack than most. Having worked as a medical director for several large health insurance companies and having suffered through the Change fiasco herself as a rehab doctor with a private practice in Kansas City, she figured that if her data had been exposed in that February breach, she would have been notified by now.
Barbour did finally get a letter from Change — in October. “Getting it at this point, this delayed, there’s really nothing that I could do because so much time had passed,” she said.
advertisement
By law, companies have 60 days to notify individual customers if their personally identifiable health data was compromised. Missing that deadline could attract fines from the HHS, but it’s unclear if that deadline applied to Change because it did not contract with patients directly, and because of a lack of clarity in how the Department of Health and Human Services defines when the clock starts after a breach.
STAT+ Exclusive Story
Already have an account? Log in
This article is exclusive to STAT+ subscribers
Unlock this article — and get additional analysis of the technologies disrupting health care — by subscribing to STAT+.
Already have an account? Log in
Monthly
$39
Totals $468 per year
$39/month Get StartedTotals $468 per year
Starter
$20
for 3 months, then $399/year
$20 for 3 months Get StartedThen $399/year
Annual
$399
Save 15%
$399/year Get StartedSave 15%
11+ Users
Custom
Savings start at 25%!
Request A Quote Request A QuoteSavings start at 25%!
2-10 Users
$300
Annually per user
$300/year Get Started$300 Annually per user
View All Plans
To read the rest of this story subscribe to STAT+.
Subscribe Log In health tech, patients, Policy, STAT+ Submit a correction requestReprints
Newsletter
Tech is transforming health care and life sciences. Our original reporting is here to keep you ahead of the curve.
