UnitedHealth issues breach notification on Change Healthcare hack

By Amina Niasse

NEW YORK (Reuters) – UnitedHealth Group on Thursday issued a public notice about the February ransomware hack on its Change Healthcare unit, as part of its requirement to notify the estimated one-third of the country whose private data may have been exposed in the attack.

UnitedHealth said it expects to begin mailing letters to potentially affected individuals in late July but that it may not have addresses for all of them. The company said individuals can enroll in free credit monitoring for two years.

WHY IT MATTERS

Patient information is protected under the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA regulation requires companies to notify patients of data exposures.

Information made vulnerable in the UnitedHealth attack is believed to include health insurance member IDs, patient diagnoses, treatment information and Social Security numbers, as well as billing codes used by providers.

In a May announcement, the U.S. Department of Health and Human Services said healthcare providers can ask UnitedHealth to notify people impacted by the hack on their behalf. Following the hack, some providers urged HHS to make UnitedHealth solely responsible for issuing breach notifications.

KEY QUOTE

After reviewing 90% of files breached, the insurer said it “found no evidence that materials such as doctors’ charts or full medical histories were exfiltrated from its systems.”

CONTEXT

Change Healthcare processes about half of all U.S. medical claims.

The Feb. 21 hack on the technology unit of the largest U.S. health insurer was carried out by Russian ransomware gang BlackCat, UnitedHealth CEO Andrew Witty said in May testimony to the Senate Committee on Finance. In exchange for patient data, UnitedHealth paid the group $22 million in Bitcoin, Witty said.

(Reporting by Amina Niasse; Editing by Bill Berkrot)