The US Department of Health and Human Services is investigating UnitedHealth Group for a cyberattack on its Change Healthcare company, which impacted pharmacy and hospital operations nationwide.
The HHS Office for Civil Rights stated in a statement Wednesday that it is looking into the event due to the “unprecedented magnitude of the cyberattack.” The OCR enforces the Health Insurance Portability and Accountability Act’s security, privacy, and breach reporting requirements, which most health insurers, providers, and clearinghouses, like Change Healthcare, must follow to secure health information.
“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” the agency said in a statement.
Change Healthcare provides electronic prescription software as well as tools for managing payments and the revenue cycle. According to a filing with the Securities and Exchange Commission, parent company UnitedHealth found on February 21 that a cyber threat actor accessed a portion of the unit’s information technology network.
UnitedHealth informed CNBC that it will comply with the OCR’s probe.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the business stated in a statement. “We are working with law enforcement to investigate the extent of impacted data.”
According to the SEC filing, UnitedHealth took the affected systems offline after recognizing the danger. The business stated on Thursday that it intends to restore its networks by mid-March. As of Friday, UnitedHealth stated that electronic prescribing is “fully functional,” with electronic payment features expected to be accessible beginning March 15. On March 18, the corporation would “begin testing” to reestablish contact with its claims network.
Change Healthcare confirmed in late February that the attack was carried out by the ransomware gang Blackcat. Blackcat, also known as Noberus and ALPHV, takes sensitive material from institutions and threatens to disclose it unless a ransom is paid, according to a December Department of Justice announcement.
UnitedHealth has not said what specific data was compromised in the incident, nor has it committed to pay a ransom to bring systems back up.
