Read more on the Change Healthcare Attack:
- Change Healthcare Cyber-Attack Leads to Prescription Delays
- UnitedHealth Sets Timeline to Restore Change Healthcare Systems After BlackCat Hit
- US Government Warns Healthcare is Biggest Target for BlackCat Affiliates
The US government will investigate the Change Healthcare ransomware attack to determine whether protected healthcare information was breached and if the firm complied with its regulatory duties.
The Office for Civil Rights (OCR), part of the US Department of Health & Human Services, said the investigation was necessary due to the “unprecedented magnitude of this cyber-attack,” which was first identified on February 21, 2024.
The ongoing incident has caused delays to patient care across the US, including medicine prescriptions.
The American Hospital Association (AHA) detailed how the attack on the health payment provider has impacted on hospitals’ ability to provide patient care, fill prescriptions, submit insurance claims and receive payment for their healthcare services.
Melanie Fontes Rainer, Director of the OCR, commented: “OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”
Safeguarding Protected Health Information
The OCR emphasized that safeguarding protected healthcare information must be a top priority for healthcare providers.
The investigation will focus on whether such information was breached and whether UnitedHealth Group, which owns Change Healthcare, complied with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules.
This law sets out minimum privacy and security requirements for protected healthcare information and breach notification requirements covered entities must follow.
For example, covered organizations that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
Protected healthcare information is defined in the Health Insurance Portability and Accountability Act as:
- The individual's past, present or future physical or mental health or condition
- The provision of healthcare to the individual
- The past, present, or future payment for the provision of health care to the individual
The OCR also reminded organizations that have partnered with Change Healthcare and UnitedHealth of their regulatory obligations and responsibilities, such as ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs.
UnitedHealth Group has confirmed that the recovery of its systems and services are underway. In its latest update on March 13, the healthcare conglomerate said it has identified the source of the intrusion, and with high confidence, established a safe restore point.
This follows unconfirmed reports that UnitedHealth paid a $22m ransom to the BlackCat ransomware gang to recover access to data and systems encrypted by the group.