On March 13, 2024, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that it had opened an investigation into the monumental cyberattack on Change Healthcare (“Change”), a unit of UnitedHealth Group (“UHG”). The attack is one of the largest assaults against the U.S. health care system, with far-reaching effects on hospitals, physicians, and other health care providers across the nation. On April 19, OCR published a new FAQ webpage about the cybersecurity incident and the implications for covered entities and business associates with business associate relationships with Change. OCR does not provide any new bombshell details—the agency confirms it has not yet received breach reports from Change/UHG—though the site does include background information and early guidance for covered entities beginning to evaluate possible notification obligations.

Click here to read the Ropes & Gray client alert for more information on OCR’s guidance as well as recommended next steps.