Dive Brief:
- The federal government opened an investigation into the Change Healthcare cyberattack, the HHS’ Office for Civil Rights said Wednesday.
- OCR, which enforces the HIPAA privacy and security rule, will probe technology firm Change and parent company UnitedHealth Group on whether protected health information was breached and if UnitedHealth complied with the law’s requirements.
- The amount of data exposed could be significant: Change is one of the nation’s largest insurance claims processing centers and touches one in every three patient records.
Dive Insight:
The cyberattack on Change has upended the healthcare sector for three weeks. Providers have reported a range of operational challenges during the outage, including problems receiving payment from patients and insurers, verifying coverage, submitting prior authorization requests and exchanging clinical records.
In a Wednesday letter on the investigation, OCR Director Melanie Fontes Rainer noted the “unprecedented magnitude” of the Change cyberattack, adding it posed a threat to patient care and industry operations.
The agency won’t prioritize investigations of providers, health plans and business associates that were impacted. But OCR reminded the industry of their obligations under the HIPAA rule, including the requirement to file timely breach notifications with the HHS.
The Change attack comes as regulators have raised red flags about cybersecurity in the sector, urging healthcare organizations to boost their cyber protections and proposing future cybersecurity requirements for hospitals.
“We are intent on getting the healthcare sector to recognize how critical it is that they take up whatever measures they can because they are subject to be attacked, as we see now with Change Healthcare and what that has meant to the entire healthcare sector,” HHS Secretary Xavier Becerra said during a press conference Monday.
Ransomware and hacking are the primary cyber threats to the industry, according to OCR. The agency tracked a 256% increase in large breaches involving hacking and a 264% increase in ransomware over the past five years.
Large healthcare data breaches reported last year affected more than 134 million people, a 141% increase from 2022, according to OCR.
UnitedHealth confirmed late last month that the ransomware group AlphV, also known as BlackCat — which has recently targeted the healthcare industry — had claimed responsibility for the attack.
Last week, UnitedHealth, which acquired Change in 2022, said systems are expected to begin coming back online in mid-March.
In a statement, the company said it would cooperate with the OCR investigation.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” a UnitedHealth spokesperson told Healthcare Dive. “We are working with law enforcement to investigate the extent of impacted data.”