Change Healthcare Cyberattack: HHS OCR Publishes Early Guidance on Breach and UnitedHealth Group Provides Critical Status Update

Alert
April 30, 2024

Introduction

On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching effects on hospitals, physicians, and other health care providers across the nation. On April 19, OCR published a new FAQ webpage about the cybersecurity incident and the implications for covered entities and business associates with business associate relationships with Change. OCR does not provide any new bombshell details—the agency confirms it has not yet received breach reports from Change/UHG—though the site does include background information and early guidance for covered entities beginning to evaluate possible notification obligations.

OCR does not yet explicitly direct affected covered entities to make breach notifications at this time, likely because Change has not officially reported a breach. However, given the extraordinary scale of this cyberattack, the agency appears committed to firmly reminding interested parties of their likely forthcoming notification responsibilities.

Three days after the FAQ webpage went live, UHG—likely in response to OCR publishing this early guidance—issued a press release on April 22 regarding the cyberattack and its related response. As addressed in further detail below, UHG announced, among other things, that its data assessment discovered compromised files containing protected health information (“PHI”) and personally identifiable information (“PII”) that could “cover a substantial proportion of people in America.” UHG also stated that it will contact “stakeholders” when there is enough information for notifications. The company notably offered to make breach notifications and undertake related administrative requirements on behalf of any provider or customer in order to “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack.”

Below are key takeaways from the OCR webpage and the UHG press release, as well as some suggested next steps. OCR will update its site as needed, and we will continue to monitor all agency actions and other Change/UHG matters as they unfold with an eye toward implications for HIPAA covered entities and business associates.

Key Takeaways from OCR’s Guidance and UHG’s Press Release

Explanation of OCR Investigation and “Dear Colleague” Letter

On March 13, OCR issued a “Dear Colleague” letter addressing the cybersecurity incident and announcing it had opened an investigation into the matter. The letter states that the investigation will focus on whether a breach of PHI occurred, including Change/UHG’s compliance with HIPAA. OCR also confirms in the letter that its interest in entities that partnered with Change and UHG is only “secondary” at this time.

The March letter—a somewhat unusual publication from OCR at this stage of the OCR investigation—struck some as odd, but the new webpage explains that OCR issued the bulletin because of the “unprecedented magnitude of this cyberattack, its widespread impact on patients and health care providers nationwide, and in the interest of patients and health care providers.” While reiterating that its investigation into covered entities/business associates is indeed “secondary,” OCR again reminds HIPAA-regulated entities that timely breach notification to HHS and affected individuals must occur.

Notably, since OCR published its webpage on April 19, news outlets have reported that (1) the cybercriminals gained entry into the Change network earlier than previously disclosed (on February 12, 2024), (2) multi-factor authentication protocols typically used to guard against such intrusions were not enabled in this case, and (3) UHG indeed paid a ransom to the attackers. The webpage, which has not been updated since its initial publication on April 19, does not address these developments or the updates provided by UHG on April 22.

Status of Change/UHG Breach Reports

OCR confirmed that it has not yet received breach reports from Change, UHG, or any affected health care entities. As noted, the agency is nonetheless actively investigating Change and UHG in connection with this incident, and specifically noted that:

If the incident caused a breach of unsecured PHI affecting 500 or more individuals, Change/UHG must file breach reports to OCR’s portal within 60 calendar days from the date of discovery of the breach.

Change initially reported that it discovered that a threat actor gained access to one of its environments on February 21, 2024, and by HHS/OCR’s standard, Change/UHG should have submitted a breach report by April 21. However, reports relating to breaches of this magnitude are not posted on the portal the same day OCR receives the report. The agency first verifies the report—a process that typically takes 14 days, though OCR notes that the timeline for breach verification can vary depending on the nature of the incident.

OCR’s Reminder of Covered Entities’ Breach Notification Obligations

OCR again reminds covered entities that under HIPAA they are ultimately responsible for the provision of breach notices to HHS, affected individuals, and the media in certain circumstances. The agency does not at this time explicitly direct covered entities to provide any notifications—without more information from Change, many entities will not know the individuals who are impacted (if any) or what data was even compromised. OCR encourages entities that could be affected by this incident to contact Change/UHG with questions about the breach and notification process.

UHG’s Statement on Breach Notification and Update on Cyberattack

As noted, UHG announced on April 22 that it will contact “stakeholders” when there is enough information for notifications and will be “transparent with the process.” UHG also stated that it has offered to make breach notifications on behalf of “any provider or customer” in order to “help ease reporting obligations on other stakeholders whose data may have been compromised as a part of this cyberattack.”

Additionally, UHG established a dedicated website to provide updates and resources (including its own FAQ page), as well as a call center (1-866-262-5342) to offer free credit monitoring and identity theft protections for two years to anyone impacted by the cyberattack.

UHG confirmed it is monitoring the dark web to determine if any data related to the cyberattack has been published. In the press release, UHG stated that “[t]here were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor.” According to UHG, no further publication of PHI or PII has occurred at this time. There has purportedly been no evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.

Recommended Next Steps

Covered entities and business associates should carefully review the FAQ webpage, in conjunction with all UHG/Change statements, and consider taking the following steps:

  1. Contact Change/UHG about Notifications and Compromised Data. Even though Change has not yet officially reported the breach, we recommend that you contact Change/UHG in writing to inquire about the breach notification process and whether Change has determined that patient information was impacted. As noted, UHG has offered to make notifications on behalf of any provider or customer whose data may have been compromised as a part of this cyberattack. However, on this important issue, OCR only states that “HIPAA regulated entities affected by this incident should contact Change Healthcare and UHG with any questions on how HIPAA breach notification will occur.” Be sure to record and maintain all correspondence with Change/UHG.
  2. Prepare to Evaluate Whether Patients Are Impacted. As suggested above, attempt to evaluate whether any patient information was affected by this incident and, if so, how many individuals were impacted. This might be difficult to do before Change provides its reports; however, based on OCR’s unusual “reminders” about covered entity responsibilities under HIPAA, we suggest gathering as much information as possible now.
  3. Review BAAs with Change. If you have not done so already, evaluate whether Change agreed in your BAA to handle reporting obligations with respect to sending breach notices to HHS and affected individuals.
  4. Conduct a Dark Web Investigation. Though UHG stated it has not yet found further publication of PHI or PII beyond the 22 screenshots, we nevertheless recommend that affected entities consider conducting their own dark web investigation to search for potentially compromised information.
  5. Continue to Monitor Relevant Sites for Updates. It appears that both OCR and UHG/Change will be continuing to update their respective webpages and resources, particularly as additional details about the cyberattack surface. We recommend that affected covered entities and business associates regularly monitor the OCR FAQ webpage and all UHG/Change sites dedicated to the cyberattack and related investigation.

If you have any questions about interpreting or implementing guidance from OCR, or about the Change cybersecurity incident, please do not hesitate to contact one of the authors or your Ropes & Gray advisor. We will continue to monitor this matter as it develops.