OCR Investigates Change Healthcare After Major Cyber Incident

Commentary by Nick Kathmann, LogicGate CISO

In an unusual move signifying the severity of the huge cyberattack on Change Healthcare, a unit of UnitedHealth Group, the Office of Civil Rights (OCR) is formally investigating the incident. The cyberattack is one of the largest ever against the U.S. healthcare system, disrupting healthcare services and billing across the country.

The wide impact of the attack and the seemingly slow response of Change Healthcare apparently prompted the OCR investigation, says John F. Howard, JD, senior attorney with the Clark Hill law firm in Scottsdale, AZ.

“What I think is pretty telling is how long it took them to respond and recover, which is essentially, I think, what also got OCR’s attention. This is shutting everybody down, and it took them two weeks to get fixes in place that would allow the health system in which they are a huge player to start to function again,” he says. “So that’s a huge red flag.”

Being able to recover from any known vulnerability or potential attack is required under the rule, Howard says, which means having plans in place and testing them to make sure that you are able to implement them effectively.

OCR's investigation of Change Healthcare's compliance with HIPAA should be a wake-up call to healthcare companies of all sizes, says Nicholas Kathmann, chief information security officer at LogicGate, an information technology security company. Due to complex systems and interdependencies, whether you work in a regional health center or at a national chain, healthcare entities are a juicy target for bad actors, he says.

Healthcare risk