Healthcare , HIPAA/HITECH , Industry Specific

Feds Launch Investigation Into Change Healthcare Attack

HHS OCR Tells UnitedHealth Group It Will Scrutinize the Company's HIPAA Compliance
Feds Launch Investigation Into Change Healthcare Attack
Image: HHS

UnitedHealth Group has yet to publicly confirm whether the cyberattack on its Change Healthcare IT services unit has resulted in a data breach. That's not stopping federal regulators from launching a full-fledged investigation into a massive compromise of protected health information potentially affecting millions of individuals.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The Department of Health and Human Services' Office for Civil Rights on Wednesday said it informed the company that the agency will investigate the cybersecurity incident affecting Change Healthcare and scores of other healthcare entities that use the company's services.

"The cyberattack is disrupting healthcare and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the healthcare industry," Melanie Fontes Rainer, HHS OCR director, said in a "Dear Colleagues" letter.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident. OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules," the letter says.

"OCR's interest in other entities that have partnered with Change Healthcare and UHG is secondary," the letter says.

The agency typically doesn't launch HIPAA investigations until it receives a breach report. Change Healthcare boasts on its website that it handles 15 billion transactions annually, touching 1 in 3 patients.

Some experts attending the Healthcare Information and Management Systems Society in Orlando, Florida, this week said the extent of a potential PHI compromise involving the Change Healthcare attack could possibly eclipse the nearly 79 million individuals affected by the cyberattack on health insurer Anthem in late 2014 (see: Concentrated Cyber Risk Posed by Enormous Vendors).

The Anthem incident has held the notorious record for nearly a decade of being the largest health data breach ever reported to U.S. federal regulators.

UnitedHealth Group in its latest update Wednesday said its privacy office and security information teams "are actively engaged and working to understand the impact to members, patients and customers" in terms of whether personal information was compromised (see: Some Change Healthcare IT Services Will Be Back By Mid-March).

BlackCat ransomware attackers claim to have stolen at least 6 terabytes of data in the incident involving "all" Change Healthcare clients (see: BlackCat Ransomware Group Seizure Appears to Be Exit Scam).

UnitedHealth Group also says the company is making progress in restoring the more than 100 Change Healthcare IT services and products that were affected by the attack and the resulting IT outage to contain the incident.

The company said its pharmacy e-prescribing is fully functional, and that provider electronic payments are expected to be available for connection on Friday. A phased reconnection and testing of the company's claims systems is expected the week of March 18.

On Saturday, HHS Secretary Xavier Becerra and Department of Labor acting Secretary Julie Su issued a joint letter to the U.S. healthcare sector saying that the Biden administration has taken action "by removing challenges for healthcare providers and addressing this cyberattack head on" to ensure that providers affected by the outage can make payroll and deliver timely care to the American people.

Becerra and Su also called on the private sector - especially payers - "to meet the moment" by addressing the Change Healthcare situation and the massive disruption it is causing healthcare providers across the nation.

"Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers," the statement said.

The government officials said UnitedHealth Group should ensure that no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare and to ensure expedited delivery of funds to affected providers for all receiving advanced payment from UnitedHealth Care.

The Biden administration is also urging insurance companies and other payers to take action, including making interim payments to affected providers. "Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments" (see: The Next Big Bombs to Drop in the Change Healthcare Fiasco).

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.