Feds Launch Investigation into Change Healthcare Attack – Source: www.databreachtoday.com

Healthcare
,
HIPAA/HITECH
,
Industry Specific

HHS OCR Tells UnitedHealth Group it Will Scrutinize Co.’s HIPAA Compliance

Marianne Kolbasuk McGee (HealthInfoSec) •
March 13, 2024    

UnitedHealth Group has yet to publicly confirm whether the cyberattack on its Change Healthcare IT services unit has resulted in a data breach. That’s not stopping federal regulators from launching a full-fledged investigation into a massive compromise of protected health information potentially affecting millions of individuals.

See Also: Live Webinar | Secrets Detection: Why Coverage Throughout the SDLC is Critical to Your Security Posture

The Department of Health and Human Services’ Office for Civil Rights on Wednesday said it informed the company that the agency will investigate the cybersecurity incident impacting Change Healthcare and scores of other healthcare entities that uses the company’s services.

“The cyberattack is disrupting healthcare and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the healthcare industry,” Melanie Fontes Rainer, HHS OCR director wrote in a “Dear Colleague” letter.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” the letter said.

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary,” the letter said.

The agency typically doesn’t launch HIPAA investigations until it receives a breach report. Change Healthcare boasts on its website that it handles 15 billion transactions annually, touching 1 in 3 patients.

Some experts attending the Healthcare Information and Management Systems Society in Orlando, Florida this week said the extent of a potential PHI compromise involving the Change Healthcare attack could possibly eclipse the nearly 79 million individuals affected by the cyberattack on health insurer Anthem in late 2014 (see: Concentrated Cyber Risk Posed by Enormous Vendors).

The Anthem incident has held the notorious record for nearly a decade of being the largest health data breach ever reported to U.S. federal regulators.

UnitedHealth Group on its latest update Wednesday said its privacy office and security information teams “are actively engaged and working to understand the impact to members, patients and customers” in terms of whether personal information was compromised (see: Some Change Healthcare Services Will Be Back By Mid-March).

BlackCat ransomware attackers claim to have stolen at least 6 terabytes of data in the incident involving “all” Change Healthcare clients (see: BlackCat Ransomware Group Seizure Appears to Be Exit Scam).

UnitedHealth Group also says the company is making progress in restoring the more than 100 Change Healthcare IT services and products that were affected by the attack and the resulting IT outage to contain the incident.

The company said its pharmacy e-prescribing is fully functional, and that provider electronic payments are expected to be available for connection on Friday. A phased reconnection and testing of the company’s claims systems is expected the week of March 18.

On Saturday, HHS Secretary Xavier Becerra and Department of Labor Acting Secretary Julie Su issued a joint letter to the U.S. healthcare sector saying that the Biden administration has taken action “by removing challenges for healthcare providers and addressing this cyberattack head on” to ensure that providers affected by the outage can make payroll and deliver timely care to the American people.

Becerra and Su also called on the private sector – especially payers – “to meet the moment” by addressing the Change Healthcare situation and the massive disruption it is causing healthcare providers across the nation.

“Specifically, we call on UHG, other insurance companies, clearinghouses, and health care entities to take additional actions to mitigate the harms this attack places on patients and providers, particularly our safety net providers,” the statement said.

The government officials said UnitedHealth Group should ensure that no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare and to ensure expedited delivery of funds to impacted providers for all receiving advanced payment from UnitedHealth Care.

The Biden administration is also urging insurance companies and other payers to take action, including making interim payments to impacted providers. “Larger payers in particular have the balance sheet stability to advance payments. Payers have the opportunity to stop-gap the cash flow concerns by stepping in with bridge payments” (see: Next Big Bombs to Drop in Change Healthcare Fiasco).