
Feds Open Investigation of Change Healthcare Ransomware Attack

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cyberattack on Change Healthcare, a unit of UnitedHealth Group (UHG), and the many other health care entities it has affected. The attack has disrupted health care and billing operations across the nation and directly threatens critically needed patient care and the essential operations of the health care industry.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information, and the notifications that must be made to HHS and affected individuals after a breach.

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in those involving ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected more than 135 million people, a 141% increase over 2022.

Re: Cyberattack on Change Healthcare 

Dear Colleagues:

The Office for Civil Rights (OCR) is aware that Change Healthcare, a unit of UnitedHealth Group (UHG), was impacted by a cybersecurity incident in February. The incident has disrupted health care billing and information systems across the nation. The incident poses a direct threat to critically needed patient care and the essential operations of the health care industry.

OCR administers and enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules, which set the minimum privacy and security obligations for protected health information and the breach notification requirements that covered entities (health care providers, health plans, health insurance companies, and clearinghouses) and their business associates must follow. We are dedicated to ensuring access to health care while enforcing the laws that protect patient privacy and security.

Given the enormous scope of this cyberattack, and in the best interest of health care providers, OCR is initiating an investigation into the incident. OCR’s investigation of Change Healthcare and UHG will examine whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.

OCR’s interest in other organizations that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, or business associates that were tied to or affected by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their legal and regulatory obligations, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.

Safeguarding protected health information is of paramount importance. OCR would also like to provide the following resources to assist you in protecting your records and your patients from cyberattacks:

  • OCR HIPAA Security Rule Guidance Material: This page provides educational resources for learning more about the HIPAA Security Rule, as well as other sources of standards for safeguarding electronic protected health information. Materials include a Recognized Security Practices video, the Security Rule Education Paper Series, HIPAA Security Rule Guidance, OCR Cybersecurity Newsletters, and more.
  • OCR video on How the HIPAA Security Rule Helps Protect Against Cyberattacks: This video explains how the HIPAA Security Rule can help covered entities and business associates protect themselves against cyberattacks. Topics covered include breaches, common attack vectors, and findings from OCR investigations.
  • OCR Webinar on the HIPAA Security Rule Risk Analysis Requirement: This webinar focuses on the HIPAA Security Rule requirement to conduct a precise and thorough analysis of the potential security risks to electronic protected health information, and reviews the common risks OCR has identified through its investigations.
  • HHS Security Risk Assessment Tool: This tool was designed to help small- to medium-sized organizations conduct an internal security risk assessment in support of the risk analysis requirements of the HIPAA Security Rule.
  • Fact Sheet: Ransomware and HIPAA: This resource offers information on ransomware, what covered entities and business associates need to do if their information systems are affected, and the HIPAA breach-reporting requirements.
  • Healthcare and Public Health (HPH) Cybersecurity Performance Goals: These health care specific cybersecurity performance goals can help health care organizations improve their cyber readiness, strengthen cybersecurity resilience, and protect the privacy and security of patient health information.

OCR is committed to helping health care organizations understand the regulations governing health information and to working collaboratively with entities to address the difficult challenges we face together. OCR recommends that all organizations review the cybersecurity measures they have in place to ensure that critical patient care can continue to be delivered and that health information is protected.
