Feds launch probe into Change Healthcare cyberattack

Federal officials say they are opening an investigation into the Change Healthcare cyberattack, that will include the firm’s parent company, UnitedHealth Group.

The U.S. Department of Health & Human Services (HHS) said that its Office of Civil Rights will focus on whether Change Healthcare or UnitedHealth Group violated the Health Insurance Portability and Accountability Act (HIPAA).

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the department said in a “Dear Colleagues” letter to the industry.

HHS also noted the widespread disruption to hospitals, physicians, and health care providers nationwide.

“The incident poses a direct threat to critically needed patient care and essential operations of the health care industry,” the health department letter stated.

The American Hospital Association has described the cyberattack as “the most significant” attack in the health industry and U.S. history, an assessment that appears to be gaining widespread agreement. Health care groups have said the interruption in claims processing and delays in payments threatens the financial solvency of providers. Change Healthcare’s services include billing, claims processing, prescriptions, and insurance eligibility checks.

The HHS letter said the department’s interest in other entities that have partnered with Change Healthcare is “secondary,” and “OCR is not prioritizing investigations of health care providers.”

Still, the department also said that Change Healthcare’s partners must meet their “regulatory obligations,” which include ensuring that security agreements are in place with business associates. Health providers were also reminded about notifying HHS about breaches in a timely fashion.

Steve Cagle, CEO of Clearwater, a cybersecurity firm, told Medical Economics’ sister publication Chief Healthcare Executive® that the attack shows ransomware groups are posing ever-greater threats and that hospitals and health systems must be prepared.

“Attacks are becoming much more sophisticated, more frequent, more targeted at health care organizations,” Cagle said. “So that's one takeaway in itself. This is a moving target. So, what good looks like today in security may not necessarily be good enough for tomorrow.”

Lee Kim, senior principal of cybersecurity and privacy for the Health Information Management Systems Society, said the attack illustrates the dangers of cyberattacks to all health providers.

“No matter how large or how small the entity is, no one is immune,” Kim said.

In announcing the investigation, HHS also cited the surge of cyberattacks and breaches in the health care industry. In 2023, the number of large breaches reported to the government affected more than 134 million people, an increase of 141% from 2022, according to the department. Over the past five years, there’s been a 264% increase in ransomware attacks.

On March 8 UnitedHealth Group, Change Healthcare’s parent company, outlined a timeline for restoring connectivity to the medical claims network. The company said it expects to begin testing connectivity to the medical claims network and software on March 18 and hopes to restore service through that week.

HHS said it is accelerating Medicare payments to health care providers and has urged payers to advance payments and relax deadlines for filing claims and appeals.

UnitedHealth Group has said a ransomware group known as “Blackcat” is behind the Change Healthcare attack. Federal officials have said the group is known to target health care organizations.