HHS to investigate UnitedHealth and ransomware attack on Change Healthcare

The U.S. Department of Health and Human Services (HHS) is launching an investigation into the ransomware attack on Change Healthcare following weeks of disruption to healthcare and billing operations at hospitals, clinics and pharmacies across the country. 

The department’s Office for Civil Rights (OCR) published a letter on Wednesday announcing the investigation, with Director Melanie Fontes Rainer writing that they needed to look into the situation “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.” 

The announcement follows a meeting to address the crisis on Tuesday between White House officials, medical industry representatives, HHS Secretary Xavier Becerra and Andrew Witty, the CEO of UnitedHealth Group, Change Healthcare’s parent company. 

The investigation, Fontes Rainer said, will focus on whether protected health information was compromised and if Change Healthcare and UHG complied with Health Insurance Portability and Accountability Act (HIPAA) rules.

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” she said.

The incident “poses a direct threat to critically needed patient care and essential operations of the health care industry,” she added. 

On Wednesday, UnitedHealth said it had “established a safe restore point” for eventually bringing systems back online. Analysts from cybersecurity companies Mandiant and Palo Alto Networks have located the “source of the intrusion,” the corporation said in a statement posted to its status page for the incident.

Establishing the restore point “allows us to move forward safely and securely in restoring our data and systems,” UnitedHealth said. “We will provide a further update in the coming days on the next steps in our analysis, recovery and restoration efforts.”

One expert told Recorded Future News last week that the incident is costing some organizations upwards of $100 million a day — with hospitals across the U.S. reporting issues. Experts believe Change Healthcare processes about half of all medical claims in the U.S.

The Washington Post reported on Tuesday that Biden administration officials are livid with UnitedHealth for its handling of the fiasco.

Becerra published a letter on Sunday urging UnitedHealth and other insurance companies to “help providers make payroll and deliver timely care to the American people.”

Change Healthcare runs one of the most widely used electronic prescribing services for pharmacies. It took its systems offline when it detected a ransomware attack on February 21 by the AlphV/BlackCat gang. The outage had an immediate impact nationwide on pharmacies, hospital systems, physician networks and other healthcare organizations. 

Health providers have been unable to properly file for and receive insurance payments, and large healthcare providers have reported cash flow problems of hundreds of millions of dollars as they were unable to receive payments for claims.

Even after allegedly paying a ransom to the now-defunct ransomware gang, the company has struggled to restore its platform, fomenting a crisis that has prompted senior Congressional leaders and the White House to get involved. 

Last week, the company was able to restore some systems but said the broader payments platform will not be running again until March 15. Its medical claims technology will “begin testing and reestablish connectivity” through the week of March 18.

The American Hospital Association called the attack “the most significant and consequential incident of its kind against the U.S. healthcare system in history.” 

The incident has reignited concerns raised by the Justice Department over UnitedHealth’s purchase of Change Healthcare,  which they initially sued to block in 2022. Through its subsidiary Optum, UnitedHealth already controlled one of the biggest healthcare IT companies in the U.S. and Change Healthcare was one of its biggest rivals. 

The Justice Department lost the lawsuit, effectively centralizing significant parts of the U.S. healthcare system into one company’s hands. 

HHS noted on Wednesday that ransomware attacks targeting the healthcare industry have increased 256% over the last five years — with healthcare-related data breaches in 2023 affecting more than 134 million people. 

Editor's note: Updated March 14, 7:55 a.m., with statement from UnitedHealth about the ongoing internal investigation.