The cyberattack's widespread destruction underscores how threat actors can do significant damage by targeting a relatively unknown vendor that serves a vital operational function behind the scenes.
The AlphV ransomware group disrupted basic operations to the critical systems of US healthcare services by attacking a vital financial and claims processing link in a highly interconnected industry.
The outage and cascading effects of the cyberattack on the healthcare IT systems continued into the fourth week on Thursday.
UnitedHealth Group reported unauthorised access on its systems on February 21.
The reconnecting and testing of Change's claims systems will be completed in phases next week.
The US Department of Health and Human Services launched an inquiry into the incident on Wednesday to investigate whether protected health information was stolen and if Change met privacy and security standards.
The department's Office for Civil Rights (OCR) announced the investigation in a letter on Wednesday, with Director Melanie Fontes Rainer writing that it was necessary to look into the situation "given the unprecedented magnitude of this cyberattack, and in the best interests of patients and health care providers."
The statement comes following a crisis meeting on Tuesday with White House officials, medical sector leaders, HHS Secretary Xavier Becerra, and Andrew Witty, CEO of UnitedHealth Group, Change Healthcare's parent company.
According to Fontes Rainer, the investigation will focus on whether protected health information was compromised and if Change Healthcare and UHG followed Health Insurance Portability and Accountability Act (HIPAA) requirements.
“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” Rainer said.
The American Hospital Association referred to the attack as the most significant and consequential incident of its kind against the U.S. healthcare system in history.
