The U.S. Department of Health and Human Services (HHS) announced on Wednesday its decision to probe the significant cyberattack that recently affected UnitedHealth Group's Change Healthcare. The investigation aims to determine if there was a breach of protected health data and to assess compliance with U.S. health privacy laws. This is the first formal inquiry by HHS regarding the cyber incident that occurred on February 21, which has since disrupted healthcare operations nationwide.
"Given the unprecedented magnitude of this cyberattack and in the best interest of patients and health care providers, the HHS Office for Civil Rights is initiating an investigation into the incident," stated the health department. With Change Healthcare processing nearly half of all medical claims in the United States for a vast network of healthcare providers, the impact of this breach could be far-reaching.
"Given the unprecedented magnitude of this cyberattack and in the best interest of patients and health care providers, the HHS Office for Civil Rights is initiating an investigation into the incident,"
UnitedHealth Group has committed to cooperating fully with the investigation, although specifics regarding potentially compromised patient data have yet to be disclosed. A spokesperson for UnitedHealth commented, "Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted."
According to Shannon Britton Hartsfield, a healthcare privacy lawyer at Holland & Knight, the company is facing a formidable task in adhering to the reporting obligations prescribed under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, covered entities must notify patients of breaches within 60 days of their discovery. Hartsfield noted, "The scale of the cyberattack could make it difficult for UnitedHealth and other businesses covered by HIPAA to comply with their reporting obligations in this case."
Hartsfield went on to emphasize the potential complexity: "Patients might be affected by this incident in many different ways through many different entities. Sorting through the data to figure out who was affected would be an extraordinary task."
The HHS Office for Civil Rights, responsible for enforcing HIPAA's regulations, aims to clarify if UnitedHealth adhered to the law during this incident and to assess the extent of the possible data breach. Investigations of this nature are not uncommon. In 2022, the office initiated 676 compliance reviews relating to alleged HIPAA violations, many of which did not arise from formal complaints.
By the Numbers
The full scope of the data breach remains uncertain. UnitedHealth has attributed the attack to the notorious BlackCat ransomware group, known for its history of causing major disruptions. It was reported that the hackers claimed, in a message shared and quickly removed from their darknet site, to have stolen millions of sensitive records, including vital medical insurance and health information from UnitedHealth.
As of now, the investigation continues, and both the extent of the breach and the implications for affected patients are still being assessed. Stakeholders across the healthcare landscape are on high alert, given the significant role Change Healthcare plays in the ecosystem.
Moving forward, healthcare organizations are likely to scrutinize their security practices and response protocols in light of this incident. The uncertainties around data breaches and the potential ramifications for patients and providers underscore the critical need for robust cybersecurity measures within the healthcare sector.
