HHS to Investigate Change’s Security in Wake of Crippling Cyberattack – Source: securityboulevard.com

The U.S. Department of Health and Human Services (HHS) is opening an investigation into UnitedHealth and its Change Healthcare subsidiary following a ransomware attack that for three weeks has essentially shut down payments to health care providers and hobbled pharmacies trying to fill prescriptions.

Noting the “unprecedented magnitude of this cyberattack” that has rippled across the country’s health care industry disrupting patient care and hospital billing, HHS’ Office for Civil Rights (OCR) said Wednesday it will look into the extent and reach of the attack, whether protected health information was stolen, and determine if UnitedHealth (UHG) and Change were had complied with federal HIPAA rules protecting that data.

The OCR also examine other entities that have partnered with Change and UHG, though that part of the investigation is secondary, OCR Director Melanie Fontes Rainer wrote in a letter.

“While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely,” Raines wrote.

Federal Government Taking Charge

HHS’ investigation is the latest indication of the federal government becoming more deeply involved in the investigation into the ransomware attack and the ensuing health care chaos. Raines’ letter was sent a day after the Biden Administration met with UHG CEO Andrew Witty and representatives from three dozen health care providers, hospitals, health insurers, and other organizations to develop steps that could help mitigate the problems caused by the attack.

At the meeting, White House officials stressed then need for the federal government and private sector to work together to help health care facilities deliver care to patients and meet payroll, with HHS noting that once the attack on Change became publish, the department has been in “near-constant communication with countless stakeholders to understand the impact on the group and step in to help facilitate solutions with urgency.”

In addition, Chiquita Brooks-LaSure, administrators for the U.S. Centers for Medicare and Medicaid Services (CMS), said in a statement that the office was pulling together guidance to enables states to offer more flexibility in supporting Medicaid providers and suppliers.

“We are continuing to work closely with states and are urging Medicaid managed care plans to make prospective payments to impacted providers,” Brooks-LaSure said. “Medicaid managed care plans do not need CMS authority make prospective payments to providers and suppliers who need them; we are encouraging Medicaid managed care plans to make prospective payments as soon as possible.”

Pressure to Pay

Over the weekend, the Biden Administration ramped up the pressure on both UHG and health insurers to ease the flow of money during the crisis. HHS and the Labor Department in an open letter pushed UHG to “take responsibility to ensure not provider is compromised by their cash flow challenges” stemming from the attack, including expediting money to affected providers and make accessing UHG programs easier by “providing less restrictive terms and by addressing providers’ concerns regarding indemnification and arbitration requirements.”

In addition, the White House told insurance companies and other payers to make interim payments to providers, particularly for Medicaid plans and to ease restrictions on electronic payment systems, including by accepting paper claims.

HHS last week listed steps it was taking to help reduce payment barriers and the National Security Council also reportedly was examining options for getting money to hard-hit hospitals.

A Voice From Congress

Such pressure since the attack has come from other corners as well, including the American Hospital Association and Sen. Ron Wyden (D-OR), who in a statement last week wrote that “a hack of this magnitude is inexcusable and every American who is impacted has a right to be outraged” and calling adding that “it is completely inexcusable” that UHG and federal agencies seemingly were unprepared for such an incident even though the health care industry has become a key target of ransomware groups and other bad actors.

“There’s no shortage of blame to go around,” Wyden wrote. “United Health Group botched basic cybersecurity practices by allowing a single hack to create chaos across the nation’s health care system and should be held accountable. At the same time, federal regulators have asleep at the wheel on cybersecurity.”

BlackCat Exits Scene After Causing Chaos

The ransomware-as-a-service (RaaS) group BlackCat – also known as ALPHV – has taken credit for the attack, saying on its leak site that it had stolen sensitive health and patient data. BlackCat also appears to have disappeared with $22 million in ransom paid by Change, shutting down its operations and refusing to share the money with the affiliate group that purportedly helped it gain entrance into the Change systems.

The attack has had a crippling effect on wide swaths of the U.S. health care industry. Change operates as a go-between for hospitals and clinics and health insurance companies for processing payments, medical and insurance claims, and prescription orders, along with other tasks.

Change reportedly processes about half of the medical claims in the United States for about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories. HHS said the company processes 15 billion health care transactions every year and is involved in one of every three patient records.

“The Change Healthcare breach is a stunning example of just how bad one of these events can be under the right circumstances,” Mac McMillan, strategic advisory board member with First Health Advisory, a digital health risk assurance company, wrote in a column. “It will no doubt go down as one of the costliest breaches in healthcare and will have repercussions for months and possibly years to come.”