HHS is investigating UnitedHealth after cyberattack, focusing on HIPAA rules

The Department of Health & Human Services has opened an investigation into UnitedHealth Group, following the “unprecedented magnitude” of the cyberattack at its Change Healthcare unit that disrupted health care nationwide.

The Department of Health & Human Services announced this week that it will investigate the recent cyberattack on UnitedHealth Group’s (UHG’s) Change Healthcare, given “the unprecedented magnitude” of the breach, according to the agency. The investigation is being led by HHS’s Office for Civil Rights, which enforces HIPAA rules.

“The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health-care industry,” the agency said in a letter announcing the probe. The office asked organizations associated with Change or UnitedHealth to notify HHS of any potential breaches as required by health privacy rules.

“In close to 90% of the cases where there has been a civil money penalty or settlement related to HIPAA Security Rule violations, a primary violation involved failure to conduct risk analysis,” according to the office’s latest guidance.

Steve Cagle, CEO of Clearwater, a health-care cybersecurity consultancy, told Forbes that the decision to make the letter public is an unusual step that communicates to the industry “that it is taking this matter seriously and treating the investigation with urgency.” He said investigators will try to determine whether Change Healthcare conducted appropriate risk assessments.

The investigation will focus on whether “a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” according to the letter.

The announcement comes as at least six class-action lawsuits have been filed in response to the Feb. 21 hack, according to Reuters. One alleges that Change Healthcare failed “to take reasonable security measures to protect the confidential health and personal information of millions of Americans following what is being seen as the most significant data breach impacting the U.S. health-care system,” according to Gibbs Law Group, which filed the suit.

In a statement to Forbes, UnitedHealth said it intends to cooperate with the investigation and said its immediate focus is to “restore our systems, protect data and support those whose data may have been impacted.” BlackCat, the ransomware group that UnitedHealth has identified as the perpetrator, reportedly posted about the attack on the dark web, claiming it had accessed “more than 6 TB of highly selective data” that included medical and dental records, payment information and other private patient information.

U.S. health-care providers are losing $100 million daily as cash flows continue to be disrupted because of the attack, according to an estimate from digital health risk assurance firm First Health Advisory. “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health-care system in history,” Rick Pollack, president and CEO of the American Hospital Association, said in a statement following the attack.


Ransomware and hacking are the primary cyber threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to the HHS Office for Civil Rights involving hacking and a 264% increase in those involving ransomware. In 2023, hacking accounted for 79% of the large breaches reported. The large breaches reported in 2023 affected more than 134 million individuals, a 141% increase from 2022.