HHS to investigate Change Healthcare cyberattack

Evan Godt | | Health Exec | Policy & Regulations

In an announcement calling the cyberattack that crippled Change Healthcare a “direct threat to critically needed patient care,” the HHS Office for Civil Rights (OCR) said it would open an investigation into the incident focused on Change and its parent company, UnitedHealth Group (UHG).

“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident,” states a “Dear Colleague” letter from OCR director, Melanie Fontes Rainer. “OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and [on] Change Healthcare’s and UHG’s compliance with the HIPAA Rules.”

Fontes Rainer adds that, while OCR isn’t prioritizing investigations of any specific Change or UHG partner, providers or health plans should still ensure they are aware of their “regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

To that end, Fontes Rainer ends the letter by linking to a variety of cybersecurity and HIPAA guidance materials for partners of Change and UHG.

Related Content:

Provider orgs on Change Healthcare cybersecurity crisis: ‘Help!’
Notorious hospital cybervillain acknowledges guilt, heads to prison
ECRI: Top 10 healthcare technology hazards that are avoidable (by suppliers) and/or minimizable (by providers)
Evan Godt
Evan Godt, Writer

Evan joined TriMed in 2011, writing primarily for Health Imaging. Prior to diving into medical journalism, Evan worked for the Nine Network of Public Media in St. Louis. He also has worked in public relations and education. Evan studied journalism at the University of Missouri, with an emphasis on broadcast media.

Related Content

Public health contrarian RFK Jr. nominated to HHS secretary
Surgical devices recalled after 17 serious injuries—FDA warns of possible shortage
Cardiologist demand is on the rise—can hospitals keep up?
AdvaMed itemizes AI imperatives for ‘the entire healthcare ecosystem’
UnitedHealth defends $3.3B Amedisys acquisition
DOJ sues to block UnitedHealth’s $3.3B acquisition of home health giant

Around the web

Cardiovascular Business
Payment cuts and beyond: Key takeaways for cardiologists from the 2025 Medicare Physician Fee Schedule

The American College of Cardiology has shared its perspective on new CMS payment policies, highlighting revenue concerns while providing key details for cardiologists and other cardiology professionals. 

AI in Healthcare
A modest proposal to rally AI regulators around a simple game plan

As debate simmers over how best to regulate AI, experts continue to offer guidance on where to start, how to proceed and what to emphasize. A new resource models its recommendations on what its authors call the “SETO Loop.”

Cardiovascular Business
FDA commissioner urges clinicians to join fight against medical misinformation

FDA Commissioner Robert Califf, MD, said the clinical community needs to combat health misinformation at a grassroots level. He warned that patients are immersed in a "sea of misinformation without a compass."

Design by Adaptive Theme
Trimed Popup
Trimed Popup