The federal government is launching an investigation into UnitedHealth Group following the February cyberattack into its Change Healthcare subsidiary that has significantly affected providers’ financial stability nationwide.
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” HHS’ Office for Civil Rights said in a March 13 letter. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”
A spokesperson for UnitedHealth told Becker’s the company would cooperate with the investigation.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data,” the spokesperson said.
HHS noted that it is not investigating providers or payers that work with Change Healthcare, but reminded healthcare organizations of their regulatory obligations and responsibilities under HIPAA. Large insurers have been penalized for data breaches in the past, with Anthem (now Elevance Health) agreeing to a $115 million settlement to resolve a 2015 data breach that exposed 78 million members’ personal information.
Change Healthcare, which processes 1 in 3 healthcare claims in the U.S., was hacked by a ransomware group on Feb. 21. UnitedHealth said Change was hit by BlackCat ransomware group, forcing its systems offline. BlackCat claims it stole 6 terabytes of data from Change, including medical records and Social Security numbers, and has since received $22 million in bitcoins, according to Reuters.
The attack has crippled many operations for hospitals, insurers, physician practices and pharmacies across the country, with the American Hospital Association calling it the “most significant cyberattack” on healthcare in American history.
Officials with the Biden administration summoned UnitedHealth’s CEO Andrew Witty to the White House on March 12, urging the company to provide more emergency funding to providers facing financial disruptions, people familiar with the meeting told The Washington Post.
CMS said March 9 it has made advance payments available to Medicare Part A providers and Part B suppliers that are experiencing financial challenges. On March 1, Change set up funding assistance for providers facing cash flow issues after losing access to its payer systems, which provider groups like the AHA have called insufficient.
AHIP President and CEO Mike Tuffin said March 12 that insurers have taken “immediate and comprehensive” steps to ensure providers are receiving timely payments during the outage.
“Given the very wide variability of impact across the system, individual plans and providers are in the best position to assess how to maintain appropriate payments in a timely manner — and also to minimize the need for reconciliation processes,” Mr. Tuffin said.
As of March 7, Change Healthcare’s pharmacy electronic prescribing is fully functional for claim submission and payment transmission. Change is expected to have its electronic payment platform available for connection on March 15. Its medical claims network and software is expected to start testing for reconnection on March 18, with the company working throughout that week to restore service.
Separately, the Justice Department has begun an antitrust investigation into UnitedHealth Group, The Wall Street Journal reported Feb. 27.