You may be aware of a cyber attack earlier this year that affected many medical-related practices in the US and Canada. CTMAX was not directly impacted NOR our systems compromised by the cyber attack. Likewise, our practice management system (Hernry Schein One) ALSO was not directly affected, but utilized claims or eligibility services through Change Health Care (CHC). CHC was direct target of the attack.
Based on CHC’s analysis to date, a small percentage of Henry Schein One (HSO) customer’s patient data was affected (at this time, less than 1%), but because CHC is not able to tie affected individuals to practices we are providing this notice to all Henry Schein One practice management customers (ie CTMAX) that utilized claims or eligibility services through CHC.
CHC has provided a HIPAA substitute notice with additional information here: HERNRYSCHEINONE. The notice includes a description of information which may have been involved based on CHC’s review to date, a toll-free call center number, and information on complimentary credit monitoring and identity protection services available to all individuals. CHC recommends that covered entities post a link to the substitute notice on their home page for at least 90 consecutive days.
Beginning in late July, CHC has informed HSO that CHC will send direct notice (written letters) to affected individuals for whom CHC has a sufficient address. CHC will make HIPAA and state attorney general notifications as required by state law on behalf of covered entities as a delegate. You do not need to do anything for CHC to process required notifications. CHC will proceed as a delegate on your behalf to provide the following notifications:
- HIPAA substitute notice
- HIPAA media notice
- OCR report, when data review is completed
- Individual notifications under HIPAA and state law, for impacted individuals with sufficient information
- Impacted individuals with an unknown or insufficient address will be provided notice via substitute notice
- Notice to state attorneys general as appropriate
If you would like additional information regarding the cyberattack or the complimentary credit monitoring and identity protection services, please refer to the CHC substitute notice at the link above. If you have any questions, please contact CHC directly as set forth in the notice.