On Wednesday, the U.S. government announced an inquiry into the cyberattack on the UnitedHealth Group’s (UNH.N) Change Healthcare. The investigation aims to determine if protected health information was compromised and assess the business’s compliance with federal health privacy laws. The probe was prompted by concerns regarding the severity of the breach.
This marks the Department of Health and Human Services’ initial declaration as it launches an investigation into the cyberattack that took place on February 21, causing widespread healthcare disruptions. HIPAA, known as the Health Insurance Portability and Accountability Act, safeguards patient information against such breaches.
The HHS Office for Civil Rights is opening an investigation into the event “given the unprecedented magnitude of this cyberattack and in the best interest of patients and health care providers,” the health department stated.
In the United States, Change Healthcare processes over half of all medical claims. It serves approximately 900,000 doctors, 33,000 pharmacies, 5,500 hospitals, and 600 labs.
UnitedHealth declared that it will assist with the inquiry. It has not revealed any details on the patient data that might have been accessed.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” added the statement.
Shannon Britton Hartsfield, a healthcare privacy attorney at Holland & Knight, asserts that under HIPAA, healthcare clearinghouses, insurers, and providers must notify individual patients of breaches within 60 days of becoming aware of them. This obligation is fundamental to maintaining patient confidentiality and trust in the healthcare system.
She stated that UnitedHealth and other HIPAA-covered companies would find it challenging to meet their reporting requirements in this particular scenario. This is because of the scope of the intrusion.
She stated, “Patients might be affected by this incident in many different ways through many different entities.” She also expressed that it would be an “extraordinary task” to sift through the data and ascertain who was impacted.
The Office for Civil Rights, responsible for enforcing HIPAA regulations in healthcare, announced that assessing UnitedHealth’s compliance with the law and identifying the extent of any breaches are key focuses of the investigation. Furthermore, determining the potential scope of the breaches is critical for understanding the implications for patient privacy and data security. This inquiry underscores the importance of maintaining rigorous standards in safeguarding sensitive healthcare information.
The Office for Civil Rights frequently conducts HIPAA-related investigations. The office started 676 compliance reviews in 2022 in order to look into claims of non-complaint HIPAA violations.
UnitedHealth has stated that it is currently conducting an investigation, but the entire scope of the data breach is still unknown.
UnitedHealth attributes the hack to the “Blackcat” gang, a notorious ransomware group known for its history of disruptive attacks.
On February 21, the hackers asserted in a statement, swiftly removed from their darknet site, that they had obtained millions of private documents from the business. These documents included health and medical insurance records.