The U.S. Department of Health and Human Services (HHS) has launched a wide-ranging investigation into Change Healthcare’s security and privacy practices in the wake of last month’s crippling ransomware attack.
The investigation by HHS’s Office for Civil Rights (OCR) will determine whether Change Healthcare and its parent company, UnitedHealthcare Group, met their compliance requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Parts of the American healthcare system are still struggling to return to normal more than three weeks after UnitedHealthcare (UHG) disclosed the attack, which was subsequently attributed to the ALPHV/BlackCat ransomware gang.
The American Hospital Association labelled the breach “the most significant and consequential incident of its kind against the U.S. health care system in history.”
HIPAA compliance under the spotlight
In a March 13 open letter to healthcare providers (PDF), OCR director Melanie Fontes Rainer said the incident was being investigated due to “the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers."
OCR enforces HIPAA’s privacy, security and breach notification rules covering the protection of health information by care providers and other organizations engaged in the health sector.
“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” Fontes Rainer said.
As the U.S. health system’s largest payment exchange platform, used by more than 70,000 pharmacies as well as doctors and other service providers, Change Healthcare’s interconnections with other organizations are extensive. However, Fontes Rainer said the inquiry’s interest in entities that had partnered with Change Healthcare and UHG was “secondary."
“While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” she said.
“OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”
Large healthcare data breaches on the rise
HHS said ransomware and hacking were the primary cyber threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware.
Collectively, large breaches of health information affected more than 134 million Americans last year, a 141% increase from 2022, HHS said. Hacking accounted for 79% of the large breaches reported to OCR in 2023.
Following its attack on Change Healthcare, and after pocketing a $22 million payment believed to have been made by UHG, the ALPHV/BlackCat gang shuttered their ransomware operation in an apparent exit scam. This left an affiliate of the group, who claimed to have carried out the hack, complaining about being swindled out of his share of the extortion bounty.
