OCR Investigates Change Healthcare Over Ransomware Attack

It has been three weeks since Change Healthcare experienced a Blackcat ransomware attack that caused massive disruption to healthcare operations across the country due to providers not being able to access its systems. Change Healthcare has set up new instances of its systems after outages that have lasted three weeks, and the company reports that 99% of pharmacy and payment systems are back online. Change Healthcare has yet to confirm the extent of the data breach.

It is highly probable that protected health information was stolen in the attack. The Blackcat ransomware-as-a-service (RaaS) group recruits affiliates to conduct attacks and pays them a percentage of any ransomws they generate. The group engages in double extortion tactics and after gaining access to networks, sensitive data is stolen, and then files are encrypted. Victims have to pay to obtain the keys to decrypt their data and to prevent the publication or their stolen data.

The Blackcat affiliate behind the attack claims to have stolen 6TB of data and said Optum paid a $22 million ransom to have the data deleted. The affiliate maintains that they were not paid by the Blackcat group and still hold the data. While the extent of the data breach has yet to be confirmed, the affiliate claims to possess patient data. Change Healthcare says its systems touch the data of 1 in 3 patients in the United States so this could well turn out to be a massive data breach, and potentially the largest healthcare data breach ever experienced in the United States.

The outages caused by the attack have had a far-reaching effect. Hospitals and pharmacies that rely on Change Healthcare’s systems for eligibility checks and billing have faced massive disruption and severe financial difficulties. While support has been provided, healthcare providers have had to rely on limited cash reserves to keep their businesses open since they have been unable to receive reimbursement for their services. Patients have also been severely impacted, with many having to pay out of pocket for their prescriptions or go without.

In a welcome but unusual move, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced that it has opened an investigation of the cyberattack to determine if Change Healthcare and its parent company, UnitedHealth Group (UHG), are in compliance with the HIPAA Rules. OCR investigates all breaches of the protected health information of 500 or more patients, but it does not usually investigate breaches so quickly, and Change Healthcare has yet to confirm there has been a data breach.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” explained OCR Director Melanie Fontes Rainer in a “Dear Colleague” letter announcing the investigation. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

It is not only Change Healthcare and UHG that will face scrutiny over the cyberattack and data breach. OCR explained in the letter that while the primary focus of OCR’s investigation is Change Healthcare and UHG to determine if they are in compliance with the HIPAA Rules, all healthcare providers, health plans, and business associates that partner with Change Healthcare and UHG may also be investigated to determine if they are in compliance with HIPAA.

“While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” explained Melanie Fontes Rainer in the letter.

That statement suggests that OCR will be watching closely to make sure that all entities that have experienced data breaches as a result of the Change Healthcare ransomware attack issue prompt notifications to OCR and the affected individuals unless their business associate agreements require Change Healthcare to issue notifications.

Melanie Fontes Rainer also took the opportunity to remind HIPAA-regulated entities of their responsibilities under HIPAA and shared previously issued OCR guidance on HIPAA Security Rule compliance, risk assessments, ransomware, and the recently announced Healthcare and Public Health Cybersecurity Performance Goals.

“OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/