US gov opens probe into UnitedHealth hack as systems come back online

The US Department of Health and Human Services (HHS) is opening an investigation into last month's cyberattack on UnitedHealth Group’s health tech subsidiary Change Healthcare. The move comes as UnitedHealth announces that 99% of Change's pharmacy and payment platforms are back online.

The HHS Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident and its impact on Change as well as other healthcare entities throughout the nation.

The goal of the investigation, the letter states, is to determine whether a breach of protected health information occurred, as laid out in the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), which enforces the proper protection of a person's private health information among healthcare entities in the US.

The investigation will determine if Change Healthcare and UnitedHealth Group (UHG) were in compliance with the HIPAA Rules.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the letter said.

The February 21st Change Healthcare attack disrupted healthcare and billing information operations nationwide, posing a direct threat to critically needed patient care and essential operations of the healthcare industry, the OCR said.

Under HIPAA Rules, healthcare providers, health plans, and healthcare clearinghouses, as well as business associates, must adhere to the Act’s data processing and security requirements, as well as the regulations to notify the HHS and affected individuals following a breach.

The OCR noted that its interest in other healthcare entities “tied to or impacted by” the breach was secondary, but said it was “reminding entities partnered with Change and UHG of their regulatory obligations and responsibilities.”

Safeguarding protected health information is a top priority, the OCR said.

US Department of Health and Human Services Office for Civil Rights launches an investigation into UnitedHealth Group's Change Healthcare cyberattack. Image by Cybernews.

The March 13th letter then provided nearly a dozen links to HIPAA compliance and cybersecurity resources for reference.

Change Healthcare processes about 50% of medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories, according to Reuters.

UnitedHealth said it would cooperate with the OCR investigation, although it has not yet said what types of information or how much patient data may have been exposed in the attack.

"Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted," UHG said.

Healthcare entities covered by HIPAA, which include health insurance plans, must report breaches to patients whose data may have been compromised within 60 days of discovery.

Due to the large scope of the breach, it may be difficult for Change and UHG to stay compliant with the regulations, which could result in monetary fines and/or legal action.

Change Pharmacy Network back online

Also on Wednesday, UHG announced that all of Change Healthcare’s major pharmacy network services and its payment systems have been restored and are up and running. This is in addition to ePrescribing services for pharmacists, which had been restored earlier in the week.

The company, which is still working closely with security teams from Mandiant and Palo Alto Networks on forensic analysis, expects electronic provider payments to come back online by Friday, March 15th and will continue phased testing and reconnection of claims systems starting the following week.

Meanwhile, UnitedHealth is alleged to have paid the notorious ransomware gang responsible for the attack, the Russian-linked ALPHV/BlackCat, a whopping $22 million ransom over the weekend of March 1st.

Only a few days after the supposed payment, ALPHV/BlackCat, known for selling its ransomware to criminal affiliates and then pocketing a cut of the profits, quietly closed up operations and took the entire $22 million with them, to the dismay of many disgruntled affiliates who were expecting payments from the gang.

One of those ransomware affiliates claims to have retained at least 4TB of the 6TB of sensitive data ALPHV boasted was stolen in the breach, leaving the personal information of millions of UHG patients at risk.

UnitedHealth Group and Change Healthcare have not addressed the ransom payment or the supposed vast amounts of stolen data claimed by the ransom groups.

On Tuesday, the White House pushed for the healthcare giant to offer up more emergency funding to help bail out cash-strapped hospitals and medical providers unable to pay their bills.