OCR Investigating Health Information Security Following Change Healthcare Attack

March 14, 2024

The U.S. Department of Health and Human Services’ Office for Civil Right (OCR) has opened an investigation into whether UnitedHealth Group and Change Healthcare are taking appropriate steps to protect patients’ health information following the February cyberattack that continues to disrupt hospital operations and finances.

OCR enforces Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security, and breach notification rules. In a “Dear Colleague” letter, the agency said its investigation will focus on “whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

OCR emphasized that its investigation is focused on Change Healthcare and UnitedHealth Group and that it is not prioritizing investigations into other affected organizations. However, the agency reminded other entities to ensure they are meeting their regulatory obligations and responsibilities, including ensuring business associate agreements are in place and following breach notification rules.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” the letter said.

The agency shared the following resources for the health care community:

• OCR HIPAA Security Rule Guidance Material 
• OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks
• HHS Security Risk Assessment Tool
• Factsheet: Ransomware and HIPAA
• Healthcare and Public Health (HPH) Cybersecurity Performance Goals

HAP continues to monitor the latest Change Healthcare cybersecurity news and advocate on behalf of our members. Earlier this month, HAP created a one-stop shop to offer the latest resources online, including exclusive member-only information (login required).