Why Europe Must End Its 30-Year Digital Winter to Ensure Its Long-Run Future

HHS Launches HIPAA Rules-Focused Investigation of UnitedHealth Group Cyberattack

HHS, Department of Health and Human Services

An office of the U.S. Department of Health and Human Services (HHS) has opened an investigation into the cyberattack that is impacting the UnitedHealth Group (UHG) subsidiary, Change Healthcare.

The investigation was launched by HHS’ Office for Civil Rights (OCR), which enforces HIPAA privacy, security and breach notification rules, HHS said in a Wednesday (March 13) press release.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” OCR said in a Wednesday “Dear Colleague” letter that addresses the incident and was posted along with the press release. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Reached for comment by PYMNTS, UHG provided an emailed statement: “We will cooperate with the Office of Civil Rights (OCR) investigation. Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data.”

The company also posted an update to its cyber response page saying that as of Wednesday, all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.

OCR also has a secondary interest in health care providers, health plans and business associates that have partnered with Change Healthcare and UHG, according to its letter. While OCR is not prioritizing investigations of these entities, it reminded them of their obligations and responsibilities, such as the timely breach notification required by HIPAA Rules.

The letter also shared resources that help organizations guard against cyberattacks, including OCR HIPAA Security Rule Guidance Material, an OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks, an OCR Webinar on HIPAA Security Rule Risk Analysis Requirement, an HHS Security Risk Assessment Tool, a Factsheet: Ransomware and HIPAA and Healthcare and Public Health (HPH) Cybersecurity Performance Goals.

“OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected,” the letter said.

This announcement comes a day after White House officials met with UHG CEO Andrew Witty and other health insurers to urge them to accelerate their payments to healthcare providers that have been impacted by unpaid medical bills since the Feb. 21 launch of the cyberattack on Change Healthcare.