Thursday, March 14, 2024

HHS's Office of Civil Rights Launches Investigation into Cyberattack on UnitedHealth's Subsidiary, Change Healthcare

On Feb. 12, Change Healthcare experienced a ransomware attack. Most of us had not heard of Change Healthcare before then, but the effect of the cyberattack was felt widely around the country. Associated Press states that "Change Healthcare provides technology used to submit and process insurance claims — and handles about 14 billion transactions a year." As reported by Becker's CFO Report (3/13/24):

Change Healthcare . . . processes 1 in 3 healthcare claims in the U.S. . . . The attack has crippled many operations for hospitals, insurers, physician practices and pharmacies across the country, with the American Hospital Association calling it the "most significant cyberattack" on healthcare in U.S. history.

The attackers (identified as the BlackCat Group) allegedly "stole 6 terabytes of data from Change, including medical records and Social Security numbers, and has since received $22 million in bitcoins, according to Reuters."

Getting back to business as usual is taking a lot of time:

As of March 7, Change Healthcare's pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection March 15. Its medical claims network and software are expected to start testing for reconnection March 18, with the company working throughout that week to restore service. 

Meanwhile, AP reports that "[t]he Office for Civil Rights said Wednesday that it also will examine whether Change Healthcare followed laws protecting patient privacy." The HHS press release (3/13/24) is here. It states in part (emphasis added):

The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.
