UnitedHealth Group and hospitals need to notify patients about the Change Healthcare cyberattack and the scope and scale of exposed patient medical records - Andrew Witty to testify publicly
March 27, 2024 | Jakob Emerson for Becker’s Hospital Review
(Pictured: UnitedHealth Group CEO Andrew Witty.)
Following the Change Healthcare cyberattack in February, questions remain around what data may have been stolen and how patients would be notified if needed — the issue is top of mind for hospitals nationwide.
On March 13, HHS launched an investigation into UnitedHealth Group and Change over the cyberattack within the context of HIPAA compliance. The agency noted that it is not investigating providers or payers that work with Change Healthcare, but it reminded organizations "of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules."
On March 21, the American Hospital Association wrote to HHS, urging it to clarify whether that statement meant hospitals and health systems should be notifying patients that protected health information may have been compromised.
"We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred," the letter reads. "We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already."
The AHA stated that Change Healthcare should be responsible for notifying individuals if their protected health information has been compromised due to the attack.
"As a covered entity, Change Healthcare has the duty to notify OCR and the impacted individuals. Even where Change Healthcare acts as a business associate, HIPAA authorizes Change Healthcare to issue these notifications for a more streamlined approach," the letter said.
The AHA is seeking a "unified notification process" so that patients don't receive multiple notifications regarding the same breach.
"Our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack," the AHA said.
“Given your company’s dominant position in the nation’s healthcare and health insurance industry, Change Healthcare’s prolonged outage as a result of the cyberattack has already had ‘significant and far-reaching’ consequences for patients, physicians, and thousands of hospitals, pharmacies and medical practices, and is disrupting patients’ timely access to affordable medication and treatments. Patients who rely on life-saving medications may have to choose between paying high out-of-pocket prescription medication costs, devote significant time and resources to finding affordable alternatives, or delay obtaining their medication altogether if their pharmacy’s billing and coverage services were disrupted as a result of the cyberattack.”
—Rep. Jamie Raskin, Ranking Member of the Committee on Oversight and Accountability, in a letter to Andrew Witty, CEO of UnitedHealth Group, requesting a briefing and information on the Change Healthcare cyberattack and the subsequent system outages that began on February 21, 2024.
In Washington state, the hospital association reminded facilities of state-level data breach notification laws and said March 21 that hospitals "can get ahead of this issue by reviewing now the various sets of obligations on both their part and the part of Change contained in the BAAs they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements."
Change Healthcare confirmed ALPHV/BlackCat has represented itself as the group behind the attack. The ransomware group claims it stole 6 terabytes worth of data, including medical records, patient Social Security numbers, and information on active military personnel. Ransomware groups are known to exaggerate the amount of data they have to demand higher payments.
Change has not said if protected health information has been compromised due to the cyberattack.
Editor’s Note: If you have questions about identity theft or a possible violation of your medical records privacy, contact the Office of the Minnesota Attorney General and UnitedHealth Group’s legal division directly.
UnitedHealth Group CEO Andrew Witty will appear before the Senate Finance Committee in roughly the next month to deliver testimony on a February hack that has cascaded through the U.S. health care sector, a company spokesperson confirmed to POLITICO.
The hearing would mark the first time that a senior executive from UnitedHealth has testified before Congress since a ransomware attack against the commercial health insurance giant’s widely used billing subsidiary, Change Healthcare, prevented pharmacies, hospitals and health clinics nationwide from processing insurance claims and fulfilling other basic medical services. The company has since restored some but not all of those systems.
UnitedHealth Group is also being investigated by the United States Department of Justice over an array of alleged white-collar healthcare crimes, including antitrust violations, systematic over-billing, and denial of care by PxDx and nH AI, among others.
In addition to the investigations by the DOJ and the Department of Health and Human Services, CISA has reportedly expressed concerns about UnitedHealth Group’s transparency and its track record of intimidation.