Written by Sriparna Roy and Patrick Wingrove
(Reuters) – The U.S. government on Wednesday announced that it had begun an investigation into the cyberattack on UnitedHealth Group Inc.'s Change Healthcare to determine whether there was a breach of protected health data and whether the company complied with U.S. medical privacy laws.
This is the first announcement of an investigation by the Department of Health and Human Services into the Feb. 21 cyberattack that disrupted health care across the United States. Patient information is protected under the Health Insurance Portability and Accountability Act (HIPAA).
“Given the unprecedented scale of this cyberattack and the best interests of patients and health care providers,” the Department of Health's Office for Civil Rights is opening an investigation into the incident, the Department of Health said.
Change Healthcare processes approximately 50% of medical claims for approximately 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories in the United States.
UnitedHealth said it would cooperate with the investigation. No information has been released about what patient data may have been compromised.
“Our immediate focus is to restore our systems, protect our data, and support those whose data may have been affected,” the company said.
Under HIPAA, health clearinghouses, plans and providers have 60 days after discovering a violation to notify individual patients.
He said the scale of the cyberattack could make it difficult for UnitedHealth and other companies covered by HIPAA to comply with reporting requirements in this case.
“Patients can be affected by this incident in many different ways through different organizations,” he said, adding that organizing the data to understand who has been affected is “an extraordinary task.”
The Office of Civil Rights, which is responsible for administering and enforcing health care regulations under HIPAA, said the primary focus of its investigation will be to examine UnitedHealth's compliance with the law and determine the scope of potential violations.
Investigations from the Office of Civil Rights surrounding HIPAA are common. In 2022, the agency initiated 676 compliance reviews to investigate allegations of HIPAA violations that did not arise from complaints.
The full extent of the data breach remains unclear, and UnitedHealth said it is continuing to investigate.
UnitedHealth blamed the hack on the Black Cat gang, a notorious ransomware group with a history of devastating attacks.
In a message posted to the company's darknet site on February 21 and quickly deleted, the hackers said they had stolen millions of confidential records from the company, including medical insurance and health data.
(Reporting by Sriparna Roy in Bengaluru and Patrick Wingrove in New York; Editing by Arun Koyur, Sriraj Kaluvila, Shonak Dasgupta and Margherita Choi)