Health Dept Office of Civil Rights Starts Probe into UnitedHealth Hack

Written by Gabby Lee

March 14, 2024


The U.S. Department of Health and Human Services (HHS) is investigating the UnitedHealth hack caused by the Optum ransomware attack.


Optum operates the Change Healthcare platform, and the attack occurred in late February. The investigation is being coordinated by HHS’ Office for Civil Rights (OCR), the entity responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) rules.

UnitedHealth Hacked in Change Healthcare Cyberattack

UnitedHealth Group, in late February, confirmed that the cyberattack on Change Healthcare systems and services was carried out by hackers described as “nation-state” actors. Subsequently, the attack was linked to the BlackCat (ALPHV) ransomware gang.

Change Healthcare serves as the primary payment exchange platform for doctors, healthcare providers, and patients within the U.S. healthcare system. It also extends its services to over 70,000 pharmacies.

UnitedHealth Group (UHG), on the other hand, has extensive contracts with a vast network of healthcare professionals, amounting to over 1.6 million, as well as approximately 8,000 healthcare facilities across all 50 states in the United States.

“We cannot say this more clearly – the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history,”

“For nearly two weeks, this attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide.”

Rick Pollack, the President and CEO of the American Hospital Association, said in a statement.

Despite Efforts to Contain Fallout from Optum Ransomware Attack, Outages Continue

Despite UnitedHealth Group’s efforts to restore some of the affected systems following the severe Optum ransomware attack in February, the resulting outage from the UnitedHealth hack continues to have a significant impact on operations throughout the U.S. healthcare industry.

The company has provided estimated timelines for the revival of its various services. It anticipates that its payments platform will be fully operational again by March 15, while the medical claims network and software are expected to be restored by March 18.

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,”

“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

said OCR head Melanie Fontes Rainer.

BlackCat Ransomware Claims 6TB Data Theft

The ongoing investigation is in response to claims made by the BlackCat ransomware gang. They assert that they have successfully exfiltrated a substantial amount of data, totaling 6TB, from Change Healthcare’s network. This data is said to belong to numerous healthcare providers, insurance providers, and pharmacies, among others.

According to the claims, the stolen data includes sensitive information from various partners, such as the U.S. military’s Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and several other healthcare insurance providers.

Additionally, the gang alleges that they have obtained the source code for Change Healthcare solutions.

According to reports, the compromised systems of Change Healthcare allegedly contain sensitive data relating to millions of individuals. This includes personally identifiable information (PII), medical records, insurance records, dental records, payment information, claims information, and PII data of active U.S. military/navy personnel.

BlackCat/AlphV Ransomware Ceased Operations but Received $22 Million Ransom from Optum

In recent developments, the BlackCat ransomware group, believed to be associated with DarkSide and BlackMatter operations, unexpectedly ceased operations, raising suspicions of an exit scam.

There are claims that the group absconded with the $22 million ransom paid by Optum for the Change Healthcare attack.

This aligns with previous instances where ransomware groups, such as DarkSide, shut down operations following high-profile attacks, like the one on Colonial Pipeline in May 2021.

Despite the shutdown, the ransomware affiliate responsible for the Change Healthcare attack has indicated that they still possess the stolen data.

This suggests that they may attempt to extort the company once again, posing ongoing threats to the compromised data and potentially escalating the situation further.

The FBI has disclosed that the BlackCat ransomware gang amassed a substantial sum of at least $300 million in ransom payments from over 1,000 victims until September 2023. This staggering figure highlights the financial success and impact of their criminal activities.

In response to the threat posed by the BlackCat ransomware gang, the U.S. State Department has announced a reward of up to $15 million for any information that could aid in locating the leaders of the group and individuals connected to their attacks.

“Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware,”

“In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.”

HHS added.
