The U.S. Department of Health and Human Services (HHS) launches investigation into ransomware attack on Change Healthcare after weeks of disruption to healthcare and billing operations at hospitals, clinics and pharmacies across the country .
The department’s Civil Rights Office (OCR) published a letter Wednesday announcing the investigation, with director Melanie Fontes Rainer writing that they needed to review the situation “given the unprecedented scale of this cyberattack, and in the best interest of patients and healthcare providers.”
The announcement follows a meeting to address the crisis Tuesday between White House officials, medical industry representatives, HHS Secretary Xavier Becerra and Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare.
The investigation, Fontes Rainer said, will focus on whether protected health information was compromised and whether Change Healthcare and UHG complied with Health Insurance Portability and Accountability Act (HIPAA) rules.
“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. Although OCR is not prioritizing investigations into healthcare providers, health plans, and business associates that were linked to or impacted by this attack, we remind entities that partnered with Change Healthcare and UHG fulfills their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely notification of breaches to HHS and affected individuals occurs, as required by the HIPAA Rules,” she declared.
The incident “poses a direct threat to critically needed patient care and essential operations of the health care sector,” she added.
An expert told Recorded Future News last week that the incident was costing over $100 million per day — with hospitals across the United States reporting issues. Experts estimate that Change Healthcare processes about half of all medical claims in the United States.
The Washington Post reported As of Tuesday, Biden administration officials are furious with UnitedHealth for its handling of the fiasco.
Becerra published a letter Sunday urging UnitedHealth and other insurance companies to “help providers pay salaries and deliver timely care to the American people.”
Change Healthcare operates one of the most widely used e-prescription services for pharmacies. It took its systems offline when it detected a ransomware attack on February 21 by the AlphV/BlackCat gang. The breakdown had an immediate impact nationwide on pharmacies, hospital systems, physician networks and other healthcare organizations.
Healthcare providers have been unable to properly request and receive insurance payments, and large healthcare providers have reported cash flow problems hundreds of millions of dollars because they were unable to receive payments for their claims.
Even after would have paid a ransom To the now-defunct ransomware gang, the company struggled to restore its platform, fomenting a crisis that caused senior congressional leaders and the White House to get involved.
Last week, the company was able restore some systems but said the wider payments platform would not work again until March 15. Its medical claims technology will “begin testing and restoring connectivity” during the week of March 18.
American Hospital Association called the attack is “the largest and most consequential incident of its kind against the American health care system in history.”
The incident reignited concerns raised by the Justice Department over UnitedHealth’s purchase of Change Healthcare, which they initially sued to block in 2022. Through its subsidiary Optum, UnitedHealth already controlled one of the largest healthcare IT companies in the United States and Change Healthcare was one of its biggest competitors.
The Justice Department effectively lost the case centralize significant parts of the American health system in the hands of a single company.
HHS noted Wednesday that ransomware attacks targeting the healthcare industry have increased 256% over the past five years – with healthcare-related data breaches in 2023 affecting more than 134 million people.
Future saved
Intelligence cloud.