US Launches HIPAA Investigation Into Change Healthcare Breach

The Department of Health and Human Services says it aims to determine ‘whether a breach of protected health information occurred’ in the attack.

The U.S. government announced Wednesday it will investigate Change Healthcare and its owner, UnitedHealth Group, to determine if health data protected under federal law was stolen in the recent breach that impacted the company.

The ransomware attack against prescription processor Change Healthcare has been widely felt for three weeks. The attack has reportedly prevented many U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.

Reports have suggested some patients have had to pay for prescriptions out of pocket due to the disruptions to insurance processing.

The Russian-speaking cybercriminal gang known as AlphV and Blackcat claimed responsibility for the attack and said on its darkweb site that it exfiltrated 6 TB of data from Change Healthcare, a unit of UnitedHealth’s Optum subsidiary. UnitedHealth later confirmed that cybercriminals were behind the attack.

The Department of Health and Human Services, through its Office for Civil Rights (OCR), disclosed in a letter posted online Wednesday that the incident will now be investigated in connection with HIPAA (the Health Insurance Portability and Accountability Act of 1996) rules.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” wrote Melanie Fontes Rainer, director for the Office for Civil Rights, in the letter. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

UnitedHealth Group said in a statement Wednesday that it “will cooperate with the Office of Civil Rights (OCR) investigation.”

“We are working with law enforcement to investigate the extent of impacted data,” the company said in the statement.

Last week, UnitedHealth said that the Change Healthcare electronic prescribing system is “fully functional.” The next system expected to be restored is the Change Healthcare payment platform, with electronic payment functionality projected to be available starting Friday, according to UnitedHealth.

In an update to its site on the incident Wednesday, UnitedHealth said that “all major pharmacy and payment systems are up and more than 99 percent of pre-incident claim volume is flowing” for Change Healthcare.

As for Change Healthcare medical claims, “we will begin bringing up the claims system for reconnection and testing in a phased manner” starting next week, UnitedHealth said on its site.

If the timeline proves to be accurate, the disruptions from the attack will end up having lasted a month in total. UnitedHealth disclosed the incident in a Feb. 22 filing with the U.S. Securities and Exchange Commission.

Security researchers shared evidence suggesting UnitedHealth paid cybercriminals a $22 million ransom to regain access to its systems. The insurance giant has declined to comment on the reports.