Biden administration investigates Change Healthcare cyber attack

The US Department of Health and Human Services has an investigation was launched in UnitedHealth Group after the cyberattack on its Change Healthcare division disrupted critical operations at pharmacies and hospitals across the US

The HHS Office for Civil Rights said in a statement Wednesday that it was investigating the incident due to the “unprecedented scale of the cyber attack”. OCR enforces the Health Insurance Portability and Accountability Act security, privacy and breach notification rules that most health plans, providers and clearinghouses like Change Healthcare are required to follow to protect health information.

“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with HIPAA rules,” the department said.

Change Healthcare offers electronic prescription software and billing and revenue cycle management tools. Parent company UnitedHealth discovered that a cyber threat actor breached part of the unit’s information technology network on Feb. 21, according to submission with the US Securities and Exchange Commission.

UnitedHealth told CNBC in a statement that it will cooperate with the investigation by OCR.

“Our immediate focus is to restore our systems, protect data and support those whose data may have been affected,” the company said. “We are working with law enforcement to investigate the extent of the data affected.”

UnitedHealth took the affected systems offline after identifying the threat, according to the SEC filing. The company said Thursday it expects to restore its networks by mid-March. As of Friday, UnitedHealth said e-prescribing is “fully functional” and expects e-payment functionality to be available starting March 15. The company will “begin testing” to restore connectivity to its claims network on March 18.

In late February, Change Healthcare said the Blackcat ransomware group was behind the attack. Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to Release in December from the Ministry of Justice.

UnitedHealth did not disclose what specific data was compromised in the attack or whether it agreed to pay a ransom to bring systems back online.