
The US government opens probe into Change cyberattack

Among its goals, the Department of Health aims to ascertain if “protected health information” was breached.

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

On Wednesday, the US government opened an investigation into the Change Healthcare cyberattack. The investigation focuses on whether a breach of health information happened and whether UnitedHealth Group is in compliance with Health Insurance Portability and Accountability Act (HIPAA) rules.

The investigation comes after the cyberattack on Change Healthcare caused a system outage on February 21, leaving health providers and pharmacies across the US unable to access patient insurance information or process prescriptions. UnitedHealth Group estimated that over 90% of the nation’s pharmacies had to modify insurance claim processing in response to the fallout from the cyberattack, according to KKTV.

The US Department of Health and Human Services’s Office for Civil Rights (OCR), which enforces HIPAA rules for “privacy, security, and breach notification,” will lead the investigation into the insurer. The OCR emphasized the importance of “[s]afeguarding protected health information.”

UnitedHealth Group acknowledged that it does not yet know if the cyberattack compromised any patient health information, and said it’s “working to understand the impact to members, patients, and customers.”

UnitedHealth Group has partnered with cybersecurity firms, such as Mandiant and Palo Alto Networks, to investigate and protect its systems, according to its website update. The company also said there is no evidence that the cyberattack moved beyond Change Healthcare’s environment to affect UnitedHealth Group or any of its other subsidiaries, including Optum and UnitedHealthcare.

“Anything available and up and running today has been deemed clean and appropriate for us to continue to operate,” according to UnitedHealth Group’s website update. “We have no suspicions about any of the production systems available to you.”

In a public letter, OCR urged healthcare companies and providers to “review the cybersecurity measures they have in place with urgency,” to ensure the continued provision and protection of patient care and information.
