US to probe Change Healthcare's data protection standards as lawsuits mount

Change Healthcare is being investigated over the alleged 6 TB data theft by the ALPHV ransomware group as it continues recovery efforts.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) wrote to the healthcare IT company this week informing it that a formal inquiry into its data protection practices will soon begin.

The OCR cited the "unprecedented magnitude of this cyberattack" in its letter, referring to the widespread and substantial disruption the incident has had on thousands of pharmacies and hospitals across the US. Change's software is used for carrying out various critical functions including processing insurance claims, prescriptions, and billing operations.

It's also the entity responsible for enforcing the data protection and privacy rules set out in the Health Insurance Portability and Accountability Act 1996. The investigation will focus on the level of compliance with these rules and whether protected health information was breached.

The ALPHV/BlackCat ransomware group, which recently shut down via an exit scam, claimed responsibility for the February attack that would end up being one of its very last. It claimed to have stolen 6 TB of data, an assertion that Change Healthcare declined to confirm when asked about it.

Security researchers also spotted a $22 million Bitcoin payment made to a known ALPHV crypto wallet on March 1. Change also dodged our questioning about that.

It's unclear exactly what data was stolen by the criminals. The group claimed that health insurers, medical providers, and major pharmacies were affected. Among the "millions" of files the group stole, it also alluded to those relating to active US military personnel, patents, payment information, and source code.

ALPHV's websites have now shut down so at least the data won't be posted there, but defenders will be scouring underground forums for any attempts to sell it through other avenues.

As we know from the LockBit leaks, ransomware baddies can't be trusted to delete victim data, regardless of whether a payment was made or not.

"OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together," said Melanie Fontes Rainer, OCR director, in the letter to Change Healthcare.

"OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected."

Crippled business resuscitated

Over the past seven days, Change Healthcare has slowly started bringing services back online following the attack. Last week saw the return of its Rx Connect, Rx Edit, and Rx Assist services, as well as its prescription fulfillment operation.

Parent company UnitedHealth Group said at the time that other services were expected to resume in the coming weeks, including systems for managing medical claims that are poised for a return tomorrow.

Change Healthcare announced that its pharmacy network and associated payment systems were reinstated on March 13, and that it was managing 99 percent of the claim volume as it was doing before the cyberattack.

Some pharmacies in the US are still offline, but are receiving support from the company to rectify that, it said.

Mandiant and Palo Alto Networks are involved in the incident's forensic analysis and together with UnitedHealth Group have said they identified the source of the breach, without actually specifying what it was.

Speculation was flying around in the early days of the incident that ALPHV had used the recently disclosed critical bugs in ConnectWise to breach Change Healthcare, the bugs that researchers said were "embarrassingly easy" to exploit. ALPHV swiftly denied these claims, though.

Lawsuits inbound

Change Healthcare is facing an investigation from the OCR and may also soon be up to its neck in legal woes as at least six class action lawsuits have been filed against it, relating to the attack.

A motion [PDF] to consolidate the cases was filed on Tuesday, citing the number of current cases and the likelihood that more would be filed in the future.

Consolidating similar lawsuits also saves all parties fees associated with the litigation, rehashing common arguments and claims, as well as time spent on duplicated discovery efforts, for example.

Of the six current class actions, four were filed in Nashville, the location of Change Healthcare's HQ, and Minnesota, home to parent company UnitedHealth Group. ®