Federal government opens investigation into Change Healthcare cyberattack

The federal government has launched an investigation into the Change Healthcare cyberattack, authorities announced Wednesday.

Health and Human Services’ Office for Civil Rights is leading the inquiry, noting that the Feb. 21 incident “poses a direct threat to critically needed patient care and essential operations of the healthcare industry.”

The agency—which administers and enforces the Health Insurance Portability and Accountability Act of 1996—wants to know whether hackers captured sensitive patient information during the breach.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, [the Office for Civil Rights] is initiating an investigation into this incident,” Director Melanie Fontes Rainer wrote in a March 13 letter to the industry. “OCR’s investigation of Change Healthcare and [UnitedHealth Group] will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Fontes Rainer also highlighted the skyrocketing rate of cyberattacks in the U.S. Over the past five years, there has been a 256% increase in large hacking-related breaches reported to the Office for Civil Rights and a 264% uptick in ransomware incidents. Large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

“We are committed to ensuring access to care while enforcing laws that bolster patient privacy and security,” Fontes Rainer wrote. “Safeguarding protected health information is a top priority,” she added later.

Meanwhile, CMS Administrator Chiquita Brooks-LaSure participated in a roundtable with senior administration leaders to hear from providers about challenges they’re experiencing after the attack. The agency also used the forum to further urge insurers to “do more to support affected providers and suppliers.”

CMS announced at the March 12 roundtable that new guidance is forthcoming, which will provide flexibilities to allow states to support Medicaid providers during these disruptions.

“CMS recognizes that many Medicaid providers are deeply affected by the cyberattack,” the Centers for Medicare & Medicaid Services said in a Tuesday announcement. “We are continuing to work closely with states and are urging Medicaid managed care plans to make prospective payments to impacted providers.”

Brooks-LaSure said they’ll continue seeking ways to support providers “during this difficult situation.” Radiologists are encouraged to reach out to commercial health plans and other payers for assistance during the disruption, CMS said.

Change Healthcare/UnitedHealth Group issued a brief statement in response to the news.

“We will cooperate with the Office of Civil Rights investigation,” a spokesperson told Radiology Business Wednesday. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data.”

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 
