April 26, 2024
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance indicating that it has not yet received mandatory HIPAA breach reports from Change Healthcare or its parent company UnitedHealth Group (UHG) following a significant cyberattack. The guidance underscores the requirement for HIPAA-covered entities and their vendors to report breaches of protected health information (PHI) within 60 days of discovery for incidents affecting 500 or more individuals. The notice also discusses the obligations of these entities to notify affected individuals, and notes that it remains unclear when Change Healthcare and UHG discovered the breach and how far their notification responsibilities extend. Further, HHS has initiated an investigation into the incident due to its broad impact on patient privacy and healthcare provider operations, emphasizing the importance of compliance with HIPAA rules in the wake of the cyberattack.
Feds Issue Guide for Change Health Breach Reporting Duties BankInfoSecurity
April 25, 2024
A division head of the Russian Federal Security Service (FSB) was sentenced to nine years in a penal colony for accepting a $1.7 million bribe to overlook the activities of a cybercrime group that hacked thousands of e-commerce sites and sold the stolen payment card details online. Russian authorities dismantled this operation in 2022, arresting six members and seizing several carding shops, including Trump’s Dumps, which promised to "make credit card fraud great again." The IT firm Get-net LLC, which was linked to one of those arrested and leased services to the FSB, was implicated in the registration of the seized domains. Following an investigation that revealed the FSB head’s promise to transfer and potentially dismiss the hackers' case—a promise he couldn't fulfill—the case unraveled, leading to his arrest alongside the seizure of significant assets. The article also touches on historical attacks by these cybercriminals exploiting vulnerabilities in e-commerce platforms to steal and sell credit card information.
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme Krebs on Security
April 25, 2024
Hugging Face has introduced Open Medical-LLM, a benchmark for evaluating generative AI models in healthcare. This initiative, developed with Open Life Science AI and the University of Edinburgh, amalgamates various existing test sets to assess AI performance on medical tasks, aiming to improve patient care by identifying models' strengths and weaknesses. While the benchmark is positioned as a robust tool, experts emphasize the significant difference between test environments and actual clinical settings, suggesting that these AI models should complement, not replace, medical professionals in practice.
Hugging Face releases a benchmark for testing generative AI on health tasks | TechCrunch publication
April 25, 2024
UnitedHealth Group has disclosed that its subsidiary, Change Healthcare, was subjected to a ransomware attack which resulted in the large-scale theft of private healthcare data. The stolen data includes personal and protected health information that could affect a significant portion of the U.S. population. Despite paying ransoms to two different hacking groups, including a new entity named RansomHub, the data has been partly leaked online. UnitedHealth is still assessing the full extent of the breach, expecting to spend several months reviewing the compromised data before notifying affected individuals. This cyberattack has caused widespread operational disruptions across U.S. healthcare facilities, with UnitedHealth projecting losses over $870 million due to the incident.
