As the after effects of the Change Healthcare ransomware attack continue to spread, hamstringing providers, pharmacies, and hospitals across the United States, the federal government is now getting involved, opening an investigation into the incident and whether protected health information was compromised.
In late February, Change Heathcare, a subsidiary of UnitedHealth Group, disclosed a ransomware attack that affected a wide swath of its internal systems. The company was forced to take many of those systems offline, which has had ripple effects for not just the company’s customers, but many other organizations in the health care sector. Change Healthcare provides payment clearinghouse services for a significant chunk of health care providers in the U.S., along with other services, and the ransomware attack has affected the ability of providers to submit claims, fill prescriptions, and receive payments. The company has been working to restore its systems since the attack, while providers and industry groups have called on the government for assistance.
On Wednesday, the Department of Health and Human Services Office for Civil Rights released a letter saying that the incident is a “direct threat to critically needed patient care and essential operations of the health care industry”. OCR is the portion of HHS that is responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA), the main federal health information privacy law, as well as the breach notification rules. In the letter, OCR Director Melanie Fontes Rainer said the office would be looking specifically at the possibility of consumer health information being involved in the Change Healthcare intrusion.
"OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred."
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident. OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” the letter says.
“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”
The BackCat/ALPHV ransomware group claimed responsibility for the attack on Change and the company is still working to get the affected systems back to full functionality. In its latest timeline, Change said that its pharmacy services are back online, and it restored its payment processing platform on March 15. On Monday, the company began releasing medical claims preparation software to customers, a further step in fully restoring its services.
This story was updated on March 18 to add new information about UHG service restoration.