The federal government has launched an investigation into UnitedHealth Group and its Change Healthcare subsidiary regarding the unprecedented cyberattack inflicted on the technology company that has wreaked havoc throughout the healthcare system.
Melanie Fontes Rainer, director of the Health and Human Services Department's Office for Civil Rights, announced the probe Wednesday in a letter addressed to colleagues.
The agency is looking into whether protected health data was compromised and if UnitedHealth has complied with breach notification requirements and federal privacy and security rules. OCR is responsible for enforcing privacy rules under the Health Insurance Portability and Accountability Act of 1996.
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident,” Fontes Rainer said.
The investigation follows a White House meeting Tuesday with senior federal officials and representatives from insurance companies, including UnitedHealth and payer and provider trade associations, concerning the response to the Change Healthcare network outage.
UnitedHealth said in a statement it will cooperate with the investigation.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data,” a spokesperson said.
The company’s most recent update to its status webpage on March 8 said it is evaluating whether patient health information was breached during the incident.
Change Healthcare was allegedly the victim of a Feb. 21 cyberattack by ransomware group BlackCat (also called ALPHV or Noberus) that forced the company to disconnect its systems three weeks ago. The vendor provides vital functions, including claims submissions and billing operations relied on by hospitals, health systems, medical groups, nursing homes, pharmacies and other providers.
Affected organizations have had to pivot operations to work around the outage. Public and private sectors have stepped up to ease administrative burdens and offer financial support.
Fontes Rainer also said the agency is interested in making sure affected healthcare organizations contracted with Change Healthcare use business associate agreements and comply with HIPAA rules.
“While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities,” Fontes Rainer said.
Healthcare data breaches are on the rise. Ransomware attacks reported to OCR spiked 264% over the past five years, HHS said in a news release accompanying the letter.
Ransomware groups typically demand payment in exchange for returning stolen data. Reuters reported March 5 that UnitedHealth supposedly paid $22 million to recover access to data and systems.
Last year broke the record for the highest number of individuals affected by a healthcare data breach since full-year data was first collected in 2010. Nearly 133 million individuals were affected by breaches in which their information was compromised, according to the OCR breach portal.