The US Department of Health and Human Services is opening an investigation into whether a major US health care firm that has been hobbled by a cyberattack complied with federal law to protect patient data, the department announced Wednesday.
The cyberattack on health insurance billing firm Change Healthcare, which handles one in every three patient records in the US, has for weeks disrupted payments from insurers to health providers, squeezing many clinics of cash.
“Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, [HHS’s Office for Civil Rights] is initiating an investigation into this incident,” the office said in a statement. The investigation of Change Healthcare and its parent firm UnitedHealth Group “will focus on whether a breach of protected health information occurred,” and whether the companies complied with a federal law that requires health care providers to safeguard patient information, the statement said.
“We will cooperate with the Office of Civil Rights investigation,” Tyler Mason, a spokesperson for Change Healthcare and UnitedHealth Group, said in a statement to CNN. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data.”
The 1996 law — the Health Insurance Portability and Accountability Act — is one of the main levers that federal officials have to force health care firms to improve their security. Officials can levy fines for lack of HIPAA compliance. Last month, HHS announced a $4.75 million settlement with a nonprofit hospital system in New York for “data security failures” that the department said led to an employee stealing and selling patient data.