The Department of Health and Human Services is questioning whether Change Healthcare’s compliance (or potential lack thereof) with the Health Insurance Portability and Accountability Act led to a breach of protected health data in the ransomware attack it experienced last month.
On February 21, hackers within the BlackCat ransomware group infiltrated the IT network of Change, a revenue management and billing manufacturer and a subsidiary of UnitedHealth Group, the largest U.S. health insurance provider, causing “enterprisewide” connectivity issues that have prevented providers for weeks from submitting claims and processing reimbursements to pay expenses and employees. Pharmacists in all 50 states have also been unable to verify insurance coverage and copays to refill prescriptions.
Change processes 50% of U.S. medical claims for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories, making it essential, according to the government, to determine the extent of the breach and find out if UnitedHealth was abiding by legal regulations in its handling and protection of patient data, Reuters reported.
“Given the unprecedented magnitude of this cyberattack and in the best interest of patients and healthcare providers, the HHS Office for Civil Rights is initiating an investigation into the incident,” the health department said.
In a statement, UnitedHealth said it was cooperating with the investigation and that its “immediate focus is to restore our systems, protect data, and support those whose data may have been impacted.”
The company announced earlier this month that it was able to restore some systems and that its electronic payments platform would be back online on March 15, followed by its claims network and software on March 18. Initially, it said it would accelerate Medicare and Medicaid payments, but organizations such as the American Hospital Association and the American Medical Association said this was not enough, prompting the company to announce that it would also provide advance payments weekly to providers and expand its temporary financing program.
Under HIPAA, health IT data processors like Change must inform patients about breaches within 60 days of their discovery. This may be a challenge for Change, according to Shannon Britton Hartsfield, a healthcare privacy lawyer at Holland & Knight, due to the scale of the attack.
“Patients might be affected by this incident in many different ways through many different entities,” she told Reuters, adding that sorting through the data to figure out who was affected would be an “extraordinary task.”
The hackers say that they stole millions of sensitive data files, including medical and health insurance information, as well as data belonging to healthcare partners of Change, including Medicare and a host of other major insurance and pharmacy networks, according to Reuters.
A partner of the BlackCat group who helped the hackers infiltrate Change’s network says the company recently paid $22 million (350 bitcoin) as a ransom to retrieve protected information but that the ransomware group, which has shut down its site, has retained it. Change has not denied or confirmed this claim.
The full extent of the breach is still unknown.