CNN
—
The US Department of Health and Human Services is opening an investigation into whether a major US health care firm that has been hobbled by a cyberattack complied with federal law to protect patient data, the department announced Wednesday.
The cyberattack on health insurance billing firm Change Healthcare, which handles one in every three patient records in the US, has for weeks disrupted payments from insurers to health providers, squeezing many clinics of cash.
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, [HHS’s Office for Civil Rights] is initiating an investigation into this incident,” the office said in a statement. The investigation of Change Healthcare and its parent firm UnitedHealth Group “will focus on whether a breach of protected health information occurred,” and whether the companies complied with a federal law that requires health care providers to safeguard patient information, the statement said.
“We will cooperate with the Office of Civil Rights investigation,” Tyler Mason, a spokesperson for Change Healthcare and UnitedHealth Group, said in a statement to CNN. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data.”
The 1996 law — the Health Insurance Portability and Accountability Act — is one of the main levers that federal officials have to force health care firms to improve their security. Officials can levy fines for lack of HIPAA compliance. Last month, HHS announced a $4.75 million settlement with a nonprofit hospital system in New York for “data security failures” that the department said led to an employee stealing and selling patient data.
Change Healthcare has blamed its hack on a notorious criminal group called ALPHV or BlackCat that the Justice Department says has been responsible for ransomware attacks on victims around the world.
A hacker affiliated with ALPHV last week claimed that the company had paid a $22 million ransom to try to recover data stolen in the hack. Mason, the Change Healthcare spokesperson, has declined to comment when asked if the company had paid off the hackers.
The federal investigation comes a day after senior Biden administration officials held a blunt meeting with UnitedHealth Group CEO Andrew Witty and other health care providers urging them to get vital payments flowing to the health sector.
The ransomware attack has prevented some insurance payments on prescription drugs from processing, leaving many care providers footing the bill up front and hoping to get reimbursed.
Some health care providers have lost more than $100 million per day because of the outage, one industry analyst previously told CNN.
Change Healthcare announced plans last week to have its electronic payment platform back online by Friday and its network for submitting claims restored next week.
But the financial wreckage caused by the cyberattack will take a lot longer to clean up, health providers and analysts say.
“Billions of dollars” have stopped flowing to health care providers because of the hack, according to the American Hospital Association, which represents thousands of hospitals across the country.
In an AHA survey this week of nearly 1,000 US hospitals, 74% of them reported “direct patient care impact” from the Change Healthcare cyberattack, “including delays in authorizations for medically necessary care,” the AHA said in a letter on Wednesday to the leadership of the Senate Finance Committee.
Ninety-four percent of hospitals reported that the hack was impacting them financially, and more than half of them described that impact as “significant or serious,” according to the AHA. A third of the surveyed hospitals “indicated that the attack has disrupted more than half of their revenue,” according to the letter, which the AHA shared with CNN. “The urgency of this matter grows by the day.”
Click Here For The Original Source.
————————————————————————————-