The U.S. Department of Health and Human Services has launched an investigation into UnitedHealth Group following the cyberattack on its Change Healthcare unit that has disrupted crucial operations in pharmacies and hospitals across the U.S.
The HHS Office for Civil Rights said in a statement Wednesday that it’s investigating the incident due to the “unprecedented magnitude of the cyberattack.” The OCR enforces the Health Insurance Portability and Accountability Act’s security, privacy and breach notification rules, which most health plans, providers and clearinghouses such as Change Healthcare are required to follow to protect health information.
“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules,” the department said.
Change Healthcare offers electronic prescription software and tools for payment and revenue cycle management. Parent company UnitedHealth discovered that a cyber threat actor breached part of the unit’s information technology network on Feb. 21, according to a filing with the U.S. Securities and Exchange Commission.
UnitedHealth told CNBC in a statement that it will cooperate with the investigation from the OCR.
“Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the company said. “We are working with law enforcement to investigate the extent of impacted data.”
UnitedHealth took the affected systems offline after identifying the threat, according to the SEC filing. The company said on Thursday that it expects to restore its networks by mid-March. As of Friday, UnitedHealth said electronic prescribing is “fully functional,” and it expects electronic payment functionality to be available starting March 15. The company will “begin testing” to reestablish connectivity to its claims network on March 18.
In late February, Change Healthcare said that ransomware group Blackcat was behind the attack. Blackcat, also called Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the Department of Justice.
UnitedHealth has not disclosed what specific data was compromised in the attack, or if it has agreed to pay a ransom to bring systems back online.