The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) recently announced that it has initiated an investigation into the cyberattack that targeted UnitedHealthcare Group's Change Healthcare subsidiary. This breach has caused significant disruption and poses a direct threat to patient care and the healthcare industry as a whole.
The cyberattack on Change Healthcare took place on September 28th, 2023. The attackers employed the double-extortion tactic, first exfiltrating data and then encrypting several company systems. As a result, approximately 2.7 million patients have been affected by the breach. While there is no evidence that this information has been misused, the OCR's investigation aims to determine the extent of the breach and evaluate Change Healthcare's compliance with HIPAA regulations.
HIPAA regulations require covered entities like Change Healthcare to safeguard the privacy and security of protected health information. In the event of a breach, covered entities must notify HHS and affected individuals. Given the magnitude of this cyberattack, OCR Director Melanie Fontes Rainer emphasized the need to investigate the incident to ensure patient safety and evaluate compliance with HIPAA rules.
Pollack voiced his concerns regarding the proposed cybersecurity mandates from HHS for hospitals, stressing the surge in cyberattacks targeting healthcare systems, which frequently originate from third-party technology providers. "No organization, including federal agencies, is or can be immune from cyberattacks," he emphasized. He cautioned against imposing fines or reducing Medicare payments, arguing that such actions would deplete important hospital resources necessary for combating cybercrime and would run counter to the collective objective of thwarting cyber threats.
By the numbers
Change Healthcare is now part of a long list of reported breach cases under OCR investigation. Over the past five years, OCR has witnessed a significant increase of more than 250% in large breaches involving hacking. Additionally, there has been a more than 260% increase in ransomware attacks. In 2023 alone, hacking accounted for 79% of the large breaches reported to OCR, affecting over 134 million individuals.
As the healthcare industry continues to face escalating cyber threats, there is a growing recognition of the need to prioritize cybersecurity. The Change Healthcare breach demonstrates the vulnerabilities of healthcare organizations. With millions of patients affected, the incident is disrupting healthcare and billing information operations nationwide, posing a direct threat to patient care and essential operations.