Federal government launches investigation into UnitedHealth over Change hack

The federal government is launching an investigation into UnitedHealth Group following the February cyberattack on its Change Healthcare subsidiary that has significantly affected providers' financial stability nationwide.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident," HHS' Office for Civil Rights said in a March 13 letter. "OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules." 

A spokesperson for UnitedHealth told Becker's the company would cooperate with the investigation.

"Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data," the spokesperson said.

HHS noted that it is not investigating providers or payers that work with Change Healthcare, but it reminded healthcare organizations of their regulatory obligations and responsibilities under HIPAA. Large insurers have been penalized for data breaches by HHS in the past, with Anthem (now Elevance Health) agreeing to a $16 million settlement to resolve a 2015 data breach that exposed the personal information of more than 78 million members. Anthem also settled a class action lawsuit over the breach for $115 million.

Change Healthcare, which processes 1 in 3 healthcare claims in the U.S., was hacked by a ransomware group Feb. 21. UnitedHealth said Change was hit by the BlackCat ransomware group, forcing its systems offline. BlackCat claims it stole 6 terabytes of data from Change, including medical records and Social Security numbers, and has since received $22 million in bitcoin, according to Reuters.

The attack has crippled many operations for hospitals, insurers, physician practices and pharmacies across the country, with the American Hospital Association calling it the "most significant cyberattack" on healthcare in U.S. history.

"OCR is doing the right thing by investigating the root cause and location of the fallout from this serious hack," Federation of American Hospitals President and CEO Chip Kahn said in a statement shared with Becker's. "Providers remain focused on getting back on track and ensuring that patient care doesn't suffer, while continuing to collaborate with federal government agencies and others to maintain strong cyber defenses that protect patient data and access to care."

Officials with the Biden administration summoned UnitedHealth CEO Andrew Witty to the White House on March 12, urging the company to provide more emergency funding to providers facing financial disruptions, people familiar with the meeting told The Washington Post.

CMS said March 9 it has made advance payments available to Medicare Part A providers and Part B suppliers that are experiencing financial challenges. On March 1, Change set up funding assistance for providers facing cash flow issues after losing access to its payer systems, which provider groups such as the AHA have called insufficient. 

AHIP President and CEO Mike Tuffin said March 12 that insurers have taken "immediate and comprehensive" steps to ensure providers are receiving timely payments during the outage. 

"Given the very wide variability of impact across the system, individual plans and providers are in the best position to assess how to maintain appropriate payments in a timely manner — and also to minimize the need for reconciliation processes," Mr. Tuffin said. 

As of March 7, Change Healthcare's pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection March 15. Its medical claims network and software are expected to start testing for reconnection March 18, with the company working throughout that week to restore service. 

Separately, the Justice Department has begun an antitrust investigation into UnitedHealth Group, The Wall Street Journal reported Feb. 27.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.