HHS Launches HIPAA Compliance Investigation of Change Healthcare Following Cyberattack | Practical Law


On March 13, 2024, the Department of Health and Human Services (HHS) announced an investigation of the health care technology company that was targeted in February 2024 by a malware cyberattack (Change Healthcare). HHS's investigation of the target company, a business associate (BA) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), will focus on whether the target company and its corporate parent (a major health insurer) complied with HIPAA's privacy, security, and breach notification rules.

HHS Launches HIPAA Compliance Investigation of Change Healthcare Following Cyberattack

by Practical Law Employee Benefits & Executive Compensation
Published on 14 Mar 2024, USA (National/Federal)
Following a cyberattack of "unprecedented magnitude" affecting the US health care sector, HHS's Office for Civil Rights (OCR) has launched an investigation of the health care technology company that experienced the attack (Change Healthcare)—and its parent company, a major US health insurer (UnitedHealth Group) (HHS memorandum (Mar. 13, 2024)). HHS's investigation of the target company—a HIPAA business associate (BA)—and its parent will focus on both entities' compliance with HIPAA's privacy, security, and breach notification requirements (see HIPAA Privacy, Security, and Breach Notification Toolkit).

Widespread Cyberattack Against BA's Information Technology Systems

In February 2024, the target company's insurer-parent disclosed in a Securities and Exchange Commission (SEC) Form 8-K filing that the target's information technology (IT) systems were breached in a cyberattack by a ransomware group identified as ALPHV/Blackcat (UnitedHealth Grp., Inc. SEC Form 8-K (Feb. 21, 2024)). The US government had disrupted some of the ransomware group's operations in late 2023, after which the group threatened to attack the US health care sector with ransomware in response. The group attacked the target company, which assists health providers with reimbursements for covered items and services from insurers, with malware in early 2024.
Upon identifying the attack, the insurer-parent isolated the target's compromised IT systems from related systems and disabled other systems to prevent the attack from spreading. (The insurer-parent indicated that the attack was limited to the target company, and that systems within the insurer's other divisions were not affected.) However, the remediation efforts resulted in:
  • The use of manual procedures by the target company to perform some of its billing operations.
  • Extensive cash flow challenges for hospitals and pharmacies that were, as a result, unable to process claims and receive payments.
In addition, some participants have been unable to use their insurance coverage for covered prescriptions.
In disclosing the attack, the insurer-parent indicated that although it was taking steps to restore affected systems, it could not estimate the duration or scope of the disruption.

Scope of HHS's Investigation

According to HHS, the agency's investigation of the target company and its insurer-parent will focus on:
HHS is not currently focusing on investigations of health providers, health plans, and BAs that are either related to (or have been impacted by) the cyberattack. However, HHS expressly reminded partners of the targeted company and insurer-parent of HIPAA's requirements to:

HHS Resources Involving Cybersecurity and Ransomware Attacks

In announcing its investigation, HHS highlighted several resources that HIPAA covered entities (CEs) and BAs may consult to prevent cyberattacks and comply with HIPAA. These resources include HHS's:
In a recent HHS/HIPAA settlement involving ransomware, the agency also provided best practices for avoiding cyberattacks (see Legal Update, In Its Second-Ever HIPAA Settlement on Ransomware, HHS Offers Best Practices for Avoiding Cyberattacks). For more information on HHS investigations and related HIPAA settlements, see Practice Notes, HIPAA Enforcement: Penalties and Investigations and HIPAA Enforcement: Settlement Agreements.

Practical Impact

Although ransomware attacks in the US are not uncommon, the effects of the Change Healthcare attack have been especially disruptive to the US health sector—particularly in terms of patient health care and billing information systems. For more information, see Article, Health Care Provider Impacts from Change Healthcare Cyberattack.
In most HIPAA settlement situations, the HHS investigation occurs after the alleged noncompliance has already taken place. Here, by contrast, HHS's investigation will take place regarding a cyberattack that is actively unfolding, far from resolved, and already the topic of litigation (see Legal Update, Cyberattack Against Change Healthcare Leads to Litigation). It will be interesting to see how that difference affects the severity of the monetary consequences and corrective actions that are ultimately imposed on the target and its parent company. For other HIPAA CEs and BAs, the attack should serve as a call to double down on HIPAA security compliance efforts—including using the security practices and resources HHS has identified in recent guidance (for example, see Legal Update, In Updated HIPAA Security Rule Guide, NIST Addresses Cybersecurity and Other Topics).