Change Healthcare Faces Second Attack – This Time from the Regulators


March 14, 2024


The US Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is investigating medical payments giant Change Healthcare, the victim of a recent ransomware attack, in an effort to enforce rules designed to safeguard the Protected Healthcare Information (PHI) of patients.

American Hospital Association CEO Rick Pollack described the attack, which has disrupted the distribution of prescription drugs nationwide for weeks, as “the most serious incident of its kind leveled against a U.S. health care organization.”  

The OCR claims the investigation is required given the “unprecedented magnitude of this cyber-attack,” with a mission to see if Change Healthcare was in regulatory compliance at the time of the attack, specifically with regard to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules.

“This law sets out minimum privacy and security requirements for protected healthcare information and breach notification requirements covered entities must follow. For example, covered organizations that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction,” Infosecurity Magazine reports.

“The OCR also reminded organizations that have partnered with Change Healthcare and UnitedHealth of their regulatory obligations and responsibilities, such as ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs.”

Takeaway: Very few would argue that we don’t need regulations to govern the handling of our most sensitive personal information. But given the fact that the government can do little in the way of protecting organizations from this onslaught of ransomware operators and other threat actors, the current regulatory environment only serves to revictimize the victims.

This is increasingly putting company executives and Boards of Directors in the crosshairs. Until recently, even after a serious security event, everyone went home at the end of the day. That is likely not going to be the case moving forward.

Recent developments suggest we will see more putative class action lawsuits, regulatory actions, criminal prosecutions and potentially even jail time for leadership following successful attacks – especially if sensitive or regulated data was compromised.

The legal and regulatory actions taken against the former CISO for Uber, and the more recent cases brought against SolarWinds and their CISO, represent a significant uptick in liability for those responsible for security-related decisions.

The picture this paints is not pretty. Basically, all the government can do today to prevent organizations from suffering costly and disruptive ransomware attacks (that usually include the exfiltration of sensitive data) is offer guidelines and frameworks.

But once attacked, the full force of the government regulatory machine kicks in, and regardless of whether there are valid concerns about security operations, the effect is to essentially revictimize the victims.

Anyone who knows anything about cybersecurity knows that a determined attacker with enough time and resources will eventually be successful in penetrating a target. This means that any and every organization that handles sensitive data is going to face regulatory – and now potentially criminal – jeopardy if and when they are attacked.

Take the recently enacted reporting rule implemented by the Securities and Exchange Commission (SEC) in December. The new rules require publicly traded companies to disclose a “material” security event within four days or face regulatory actions.

Forensic investigations are difficult, and they take a lot of time. The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

At least the OCR ruleset gives victims up to 60 days to disclose, which is somewhat more realistic than the SEC’s requirements.

But either way, as an executive, it’s what you know before, during and after a major security event that can put you in legal or regulatory jeopardy. So, a punitive legal and regulatory tone from the government will likely create top-down pressure on CISOs and security teams to be less forthcoming with the C-level and BoD when faced with a security event.

It’s not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely have to, and this has the potential to negatively impact security operations.

All of these factors add up to one thing: organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also face the threat of being re-victimized by an overzealous legal and regulatory landscape.