Abstract

Last week, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry. OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which require that HIPAA covered entities – virtually all health care providers, clearinghouses, and insurance companies – protect the privacy and security of protected health information. It is very likely that substance use disorder (SUD) treatment information was included in the breach. However, OCR does not mention 42 CFR Part 2, just HIPAA. HHS views ransomware and hacking as the “primary cyber threats in health care.” There has been a 256% increase in large breaches involving hacking, and a 264% increase in ransomware, over the last 5 years, and this only includes those breaches OCR was notified of. According to news reports, $22 million was reportedly paid to the Change Healthcare hackers in the form of bitcoin, likely by UHG. HHS OCR says: “If you believe that your or another person's health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.” The one bright side of the new Part 2 rules is that OCR now enforces the regulation.
