Change Healthcare cyberattack update: Feds open investigation; urge health insurers to do more to support providers and suppliers

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) on Wednesday announced it will investigate the February 21 cyberattack that hit Change Healthcare, a unit of UnitedHealth Group (UHG), and has disrupted health care and billing information systems throughout the country.

The probe will focus on a potential breach of protected health information and on Change Healthcare’s and UHG’s compliance with the HIPAA rules, wrote OCR Director Melanie Fontes Rainer in the March 13 letter.

The ransomware attack, she said, “poses a direct threat to critically needed patient care and essential operations of the health care industry.”

While the investigation is primarily focused on Change Healthcare and UHG, Rainer reminded organizations that have partnered with Change and UHG of their regulatory obligations and responsibilities, including performing breach notifications to HHS and to individuals as required by HIPAA. She also urged all entities to review their current cybersecurity measures. “Safeguarding protected health information is a top priority,” she wrote.

The OCR announcement is a “game changer,” said Ana Handshuh, CHC, principal, CAT5 Strategies, who will review strategies that organizations can adopt in the wake of the cyberattack at RISE National next week during a session with Melissa Newton Smith, founder and senior advisor, Newton Smith Group, and Rex Wallace, founder & principal, Rex Wallace Consulting. The three will have an in-depth discussion about the cyberattack, the OCR investigation, and the next steps organizations must take.

In a news release, OCR said that ransomware and hacking are the primary cyberthreats in health care. Over the past five years, there has been a 256 percent increase in large breaches reported to OCR involving hacking and a 264 percent increase in ransomware. In 2023, hacking accounted for 79 percent of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141 percent increase from 2022.

UHG and Change Healthcare confirmed that the ransomware group Blackcat was behind the Feb. 21 cyberattack, which hindered its ability to process transactions, including payments and requests for insurance authorizations. UHG is posting regular updates on its website about its progress in restoring systems, noting on Thursday that it is working closely with the cybersecurity company Palo Alto Networks and has been able to bring some services back online, which allowed nine million prescriptions to be filled.

In other developments this week:

  • Centers for Medicare & Medicaid Services (CMS) Administrator Chiquita Brooks-LaSure participated in a roundtable discussion with health care providers about their challenges due to the cyberattack and urged health insurers to do more to support affected providers and suppliers. She said guidance to states is forthcoming and will provide flexibilities to allow states to support Medicaid providers and suppliers, particularly those that operate in fee-for-service delivery systems.

    “We are continuing to work closely with states and are urging Medicaid managed care plans to make prospective payments to impacted providers,” CMS said in the announcement. “Medicaid managed care plans do not need CMS authority to make prospective payments to providers and suppliers who need them; we are encouraging Medicaid managed care plans to make prospective payments as soon as possible.” CMS has also encouraged other payers, including Medicare Advantage organizations, to offer advance funding to providers affected by the cyberattack.
  • On Tuesday, HHS Secretary Xavier Becerra and Deputy Secretary Andrea Palm met with health care community leaders and White House officials to discuss concrete actions to mitigate harms to patients and providers caused by the cyberattack on Change Healthcare. They said the government and private sector must work together to help providers make payroll and deliver care and that insurers must help providers meet the challenge.
  • On Wednesday, CMS issued a frequently asked questions fact sheet about emergency payments to providers and suppliers affected by the Change Healthcare cybercrisis.

  • On Monday, President Biden submitted his budget request for fiscal year 2025, which includes funds to protect the health care system from future cyber threats. The wishlist would provide $800 million to help high-need, low-resourced hospitals cover the upfront costs associated with implementing cybersecurity practices, $500 million for an incentive program to encourage all hospitals to invest in advanced cybersecurity practices, and $141 million to strengthen HHS’ ability to protect and defend systems, including $11 million to expand HHS’ capacity to protect the privacy and security of health information through HIPAA.