Department Of Health Investigating UnitedHealth After ‘Unprecedented’ Cyber Attack


Topline

UnitedHealth Group and its subsidiary Change Healthcare will be investigated by a federal agency over last month’s cyber attacks that may have breached patient data—the latest fallout from what the department called an “unprecedented” attack on the U.S. healthcare system.

Key Facts

In a letter announcing the investigation, the Department of Health and Human Services’ Office for Civil Rights said “given the unprecedented magnitude of this cyberattack,” it would investigate “whether a breach of protected health information occurred” and assess the companies’ compliance with health privacy laws.

Steve Cagle, CEO of Clearwater, a healthcare cyber security consultant, told Forbes that the Department’s decision to make its letter public is an “unusual step” that communicates to the industry “that it is taking this matter seriously and treating the investigation with urgency.”

The office also reminded all entities partnered with Change or UnitedHealth to notify the Department of Health and Human Services of any potential breaches as required by health privacy law.

The announcement comes as at least six class action lawsuits have been filed in response to the Feb. 21 hack, according to Reuters.

One alleges that Change Healthcare failed “to take reasonable security measures to protect the confidential health and personal information of millions of Americans following what is being seen as the most significant data breach impacting the U.S. healthcare system,” according to Gibbs Law Group, which filed the suit.

The investigation was announced a day after UnitedHealth CEO Andrew Witty was asked to come to the White House, where Biden Administration officials reportedly urged him to take further action to fix the disruptions still affecting the system weeks after the attack, according to the Washington Post, which cited five unnamed sources.

In a statement to Forbes, UnitedHealth said it intended to cooperate with the investigation and noted its immediate focus is to “restore our systems, protect data and support those whose data may have been impacted.”

What We Don’t Know

The precise extent of the attack’s impact on patient data. UnitedHealth told Forbes in its statement that it’s working with law enforcement to determine that. Blackcat, the group that UnitedHealth has identified as the culprit, reportedly posted about the attack on the dark web, claiming it had accessed “more than 6 TB of highly selective data” that included medical and dental records, payment information and other private patient information.

Crucial Quote

“The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history,” said Rick Pollack, president and CEO of the American Hospital Association, in a statement following the attack.

Key Background

The Department of Health’s Office for Civil Rights is charged with ensuring that health care entities comply with the Health Insurance Portability and Accountability Act, commonly known as HIPAA. The office ensures that those entities follow all requirements in securing sensitive patient data and make required notifications to the Department of Health and Human Services after a breach, according to the department’s Wednesday announcement. In 2020, Anthem Health agreed to a $16 million settlement with the Office for Civil Rights after a cyberattack. UnitedHealth has identified Blackcat as the entity responsible for the Feb. 21 hack. Change Healthcare, which was purchased by UnitedHealth despite initial concerns from the Justice Department, manages health care technology that helps providers process insurance claims and handle billing.

What To Watch For

Cagle, of Clearwater, told Forbes in a written statement that the Office for Civil Rights will likely probe whether Change Healthcare conducted appropriate risk assessments. “In close to 90% of the cases where there has been a civil money penalty or settlement related to HIPAA Security Rule violation, a primary violation involved failure to conduct risk analysis” per the office’s latest guidance.

Big Number

$100 million. That’s how much money U.S. health care providers are losing daily because of the attack, according to an estimate from digital health risk assurance firm First Health Advisory, as cash flows continue to be disrupted.

Tangent

Posts on online forums have suggested that UnitedHealth paid a $22 million ransom to Blackcat to access the stolen data, though UnitedHealth has not confirmed if this is true, according to Reuters.
