US health department opens probe into UnitedHealth hack

FILE PHOTO: Picture illustration of a UnitedHealth Group health insurance card in a wallet

By Sriparna Roy and Patrick Wingrove

(Reuters) -The U.S. government on Wednesday said it has opened an investigation into the cyberattack at UnitedHealth Group's Change Healthcare to find out whether there was a breach of protected health data and if the company followed U.S. health privacy law.

It is the first announcement of a probe by the Department Of Health and Human Services into the Feb. 21 cyberattack that has disrupted healthcare across the United States. Patient information is protected under the Health Insurance Portability and Accountability Act, or HIPAA.

"Given the unprecedented magnitude of this cyberattack and in the best interest of patients and health care providers" the HHS Office for Civil Rights is initiating an investigation into the incident, the health department said.

Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.

UnitedHealth said it would cooperate with the investigation. It has not disclosed information about what patient data may have been exposed.

"Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted," it said.

Under HIPAA, healthcare clearinghouses, plans and providers must report breaches to individual patients within 60 days of discovery, according to Shannon Britton Hartsfield, a healthcare privacy lawyer at Holland & Knight.

She said the scale of the cyberattack could make it difficult for UnitedHealth and other businesses covered by HIPAA to comply with their reporting obligations in this case.

"Patients might be affected by this incident in many different ways through many different entities" she said, adding that sorting through the data to figure out who was affected would be an "extraordinary task."

The Office for Civil Rights, responsible for administering and enforcing the rules for the healthcare sector under HIPAA, said a key focus of the investigation was to find out if UnitedHealth complied with that law and to identify the extent of the possible breach.

Investigations from the Office for Civil Rights over HIPAA are common. In 2022, the office initiated 676 compliance reviews to investigate allegations of HIPAA violations that did not arise from complaints.

The full extent of the data breach remains unknown, and UnitedHealth has said it was still investigating.

UnitedHealth has blamed the hack on the "Blackcat" gang, a notorious ransomware group that has a history of disruptive attacks.

In a message posted to, and then quickly deleted from their darknet site, the hackers said on Feb. 21 that they stole millions of sensitive records, including medical insurance and health data, from the company.

(Reporting by Sriparna Roy in Bengaluru and Patrick Wingrove in New York; Editing by Arun Koyyur, Sriraj Kalluvila, Shounak Dasgupta and Marguerita Choy)