Federal government opens investigation into Change Healthcare cyberattack

The federal government has launched an investigation into the Change Healthcare cyberattack, authorities announced Wednesday.

Health and Human Services’ Office for Civil Rights is leading the inquiry, noting that the Feb. 21 incident “poses a direct threat to critically needed patient care and essential operations of the healthcare industry.”

The agency—which administers and enforces the Health Insurance Portability and Accountability Act of 1996—wants to know whether hackers captured sensitive patient information during the breach.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and healthcare providers, [the Office for Civil Rights] is initiating an investigation into this incident,” Director Melanie Fontes Rainer wrote in a March 13 letter to the industry. “OCR’s investigation of Change Healthcare and [UnitedHealth Group] will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Fontes Rainer also highlighted the skyrocketing rate of cyberattacks in the U.S. Over the past five years, there has been a 256% increase in large hacking-related breaches reported to the Office for Civil Rights and 264% uptick in ransomware incidents. Large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

“We are committed to ensuring access to care while enforcing laws that bolster patient privacy and security,” Fontes Rainer wrote. “Safeguarding protected health information is a top priority,” she added later.

Meanwhile, CMS Administrator Chiquita Brooks-LaSure participated in a roundtable with senior administration leaders to hear from providers about challenges they’re experiencing after the attack. The agency also used the forum to further urge insurers to “do more to support affected providers and suppliers.”

CMS announced at the March 12 roundtable that new guidance is forthcoming, which will provide flexibilities to allow states to support Medicaid providers during these disruptions.

“CMS recognizes that many Medicaid providers are deeply affected by the cyberattack,” the Centers for Medicare & Medicaid Services said in a Tuesday announcement. “We are continuing to work closely with states and are urging Medicaid managed care plans to make prospective payments to impacted providers.”

Brooks-LaSure said they’ll continue seeking ways to support providers “during this difficult situation.” Radiologists are encouraged to reach out to commercial health plans and other payers for assistance during the disruption, CMS said.

Change Healthcare/UnitedHealth Group issued a brief statement in response to the news.

“We will cooperate with the Office of Civil Rights investigation,” a spokesperson told Radiology Business Wednesday. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data.”

Marty Stempniak

Marty Stempniak has covered healthcare since 2012, with his byline appearing in the American Hospital Association's member magazine, Modern Healthcare and McKnight's. Prior to that, he wrote about village government and local business for his hometown newspaper in Oak Park, Illinois. He won a Peter Lisagor and Gold EXCEL awards in 2017 for his coverage of the opioid epidemic. 

Around the web

The patient, who was being cared for in the ICU, was not accompanied or monitored by nursing staff during his exam, despite being sedated.

The nuclear imaging isotope shortage of molybdenum-99 may be over now that the sidelined reactor is restarting. ASNC's president says PET and new SPECT technologies helped cardiac imaging labs better weather the storm.

CMS has more than doubled the CCTA payment rate from $175 to $357.13. The move, expected to have a significant impact on the utilization of cardiac CT, received immediate praise from imaging specialists.