Change Healthcare cyberattack: Federal investigation begins, HHS cites ‘unprecedented magnitude’

Federal officials say they are opening an investigation into the Change Healthcare cyberattack, and it will include the firm’s parent company, UnitedHealth Group.

The U.S. Department of Health & Human Services said Wednesday that its Office of Civil Rights will focus on whether Change Healthcare or UnitedHealth Group violated the Health Insurance Portability and Accountability Act (the law known as HIPAA).

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the health department said in a “Dear Colleagues” letter to the industry.

The health department also noted the widespread disruption to hospitals, physicians, and healthcare providers of all kinds nationwide.

“The incident poses a direct threat to critically needed patient care and essential operations of the health care industry,” the health department letter stated.

• Read more: A health system’s lessons from a ransomware attack | HIMSS 2024

The American Hospital Association has described the Change Healthcare cyberattack as “the most significant” attack in the health industry and U.S. history, an assessment that appears to be gaining widespread agreement. Healthcare groups have said the interruption in claims processing and delays in payments has threatened the solvency of providers. Change Healthcare’s services include billing, claims processing, prescriptions, and insurance eligibility checks.

The health department said in the letter that its interest in other entities that have partnered with Change Healthcare is “secondary,” and “OCR is not prioritizing investigations of health care providers.”

Still, the department also said that Change Healthcare’s partners must meet their “regulatory obligations,” which include ensuring that agreements are in place with business associates. Health providers were also reminded about notifying the health department about breaches in a timely fashion.

Steve Cagle, CEO of Clearwater, a cybersecurity firm, said ransomware attacks are becoming more sophisticated.

The Change Healthcare cyberattack has been a frequent topic of discussion at the HIMSS Global Health Conference & Exhibition. Steve Cagle, CEO of Clearwater, a cybersecurity firm, told Chief Healthcare Executive® that the attack shows ransomware groups are posing greater threats and hospitals and health systems must be prepared.

“Attacks are becoming much more sophisticated, more frequent, more targeted at healthcare organizations,” Cagle said. “So that's one takeaway in itself. This is a moving target. So, what good looks like today in security may not necessarily be good enough for tomorrow.”

Lee Kim, senior principal of cybersecurity and privacy for HIMSS, said the attack illustrates the dangers of cyberattacks to all health providers.

“No matter how large or how small the entity is, no one is immune,” Kim said at the conference.

In announcing the investigation, the health department also cited the surge of cyberattacks and breaches in the healthcare industry. In 2023, the number of large breaches reported to the government affected more than 134 million people, more than 1 in 3 Americans, an increase of 141% from 2022, according to the department. Over the past five years, there’s been a 264% increase in ransomware attacks.

• Read more: These are the 11 biggest healthcare breaches in 2023

UnitedHealth Group, Change Healthcare’s parent company, outlined a timeline Friday for the restoration of connectivity to the medical claims network. The company said it expects to begin testing connectivity to the medical claims network and software on March 18, and hopes to restore service through that week.

The health department said it is accelerating Medicare payments to healthcare providers and has urged payers to advance payments and relax deadlines to file claims and appeals.

UnitedHealth Group has said a ransomware group known as “Blackcat” is behind the Change Healthcare attack. Federal officials have said the group is known to target healthcare organizations.

• Read more: Understanding the ‘blast radius’ of cyberattacks of hospitals | HIMSS 2024