HHS launches probe into UnitedHealth over ransomware attack on subsidiary

The Department of Health and Human Services is probing Change Healthcare parent company UnitedHealth amid several weeks of prescription routing backlogs and clinical disruptions that resulted from a crippling ransomware attack late last month, the agency announced Wednesday.

The probe will specifically examine UnitedHealth’s compliance with the Health Insurance Portability and Accountability Act, or HIPPA, that is meant to enforce safeguards for patients’ healthcare data.

The HHS Office of Civil Rights said that it’s in “the best interest of patients and health care providers” to examine the healthcare giant, which provides health insurance services for millions of Americans and participating employers.

“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” UnitedHealth said in a press statement, which adds the company is “working with law enforcement to investigate the extent of impacted data.”

White House officials on Tuesday met with healthcare policy participants and agency heads to discuss the incident, which included UnitedHealth CEO Andrew Witty. 

The cyberattack, claimed by the ALPHV/Blackcat ransomware gang, has roiled Change Healthcare, one of the largest healthcare payment systems in the U.S. The incident has delayed prescription fillings and has led to cash crunches at clinics and other facilities. The disruptions are causing some providers to lose upwards of $1 billion per day in revenues.

Change Healthcare reportedly made a $22 million ransom payment to the hackers. Soon after, the cybercrime collective appeared to stage a fake takedown of their site. Analysts expect the group to reemerge under a new name.

Officials this past week rolled out emergency financing plans that would accelerate payments to certain providers and suppliers experiencing shortfalls in funding.

The cyberattack is arguably the most consequential cyberthreat facing a major U.S. healthcare service in recent memory, with some lawmakers including Senate Intelligence Committee Chair Mark Warner, D-Va., ready to introduce legislation to provide for accelerated and advanced payments to providers and vendors affected by future incidents.

“Sterilization and hand hygiene practices prevent infections — and cyber hygiene practices prevent cyber intrusions. Both are critical to protect patients,” the senator said last week.

A coalition of lawmakers on Wednesday wrote to Health Secretary Xavier Becerra, arguing that UnitedHealth must be “held accountable” and that “emergency funding and administrative flexibility must be a priority for hospitals and health care providers” as they continue navigating the incident.

The HHS OCR office has previously levied penalties against healthcare providers for not complying with or meeting standards tucked into HIPAA data breach rules. The agency collected some $4.1 million in fines from providers last year over alleged violations, some from major medical centers and other providers.