Federal civil rights investigators are looking into whether protected health information was exposed in the recent cyberattack on Change Healthcare.
The Office for Civil Rights said Wednesday it will also review whether Change Healthcare followed laws protecting patient privacy.
Change Healthcare provides the technology used to submit and process insurance claims — and handles approximately 14 billion transactions a year.
The investigation was spurred by the “unprecedented magnitude” of the attack, Office for Civil Rights Director Melanie Fontes Rainer said in a letter.
The Office for Civil Rights, part of the US Department of Health and Human Services, enforces federal rules that establish privacy and security requirements for patient health information.
UnitedHealth Group, which owns Change Healthcare, said it would cooperate. Spokesman Eric Hausman added that UnitedHealth Group is working with law enforcement to investigate the extent of the attack.
Attackers gained access to some of Change Healthcare’s information technology systems last month, disrupting billing and care authorization systems across the country.
The American Hospital Association recently said some patients have seen delays in getting prescriptions, and hospitals have had issues processing claims, billing patients and checking insurance coverage.
Change Healthcare said Wednesday that all of its major pharmacies and payment systems are back online. Last week, the company said it expected to begin re-establishing connections to its claims network and software by March 18.
The company also said last month that the ransomware group ALPHV, also known as Blackcat, was responsible for the breach.
Cybersecurity experts say that ransomware attacks have increased significantly in recent years, especially in the healthcare sector.