Lawmakers call for UnitedHealth to take responsibility for patient data breach.

Senators from different political parties claim that a large healthcare organization, which suffered a devastating cyberattack in February, failed to adhere to the law that dictates informing patients when their data is hacked.

The United HealthCare Group Inc. website on a laptop computer arranged in Hastings on Hudson, New York, U.S., on Saturday, Jan. 23, 2021.

New Hampshire Democratic Senator Maggie Hassan and Tennessee Republican Senator Marsha Blackburn penned a letter to UnitedHealth Group CEO Andrew Witty this week, urging the healthcare conglomerate to take complete accountability for informing patients and healthcare providers about the breach that affected their personal data. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers are typically required to alert individuals within sixty days of detecting a security incident that compromised their personal health information.

The United States Department of Health and Human Services (HHS) is currently investigating whether UnitedHealth is aligned with its obligations to shield patient data under the HIPAA. The department cannot disclose any details about active investigations, an HHS spokesperson informed CNN.

HHS has the ability to penalize companies financially if they do not appropriately protect patient data. In February, HHS unveiled a $4.75 million settlement with a New York-based nonprofit hospital network for "data security failures" that, according to the department, allowed one of the network's employees to steal and sell confidential patient healthcare data.

The ransomware attack against Change Healthcare, a subsidiary of UnitedHealth, has been much messier and more intricate than other ransomware attacks in the healthcare sector. The incident crippled computer systems utilized by Change Healthcare to process medical claims nationwide. This ultimately deprived healthcare providers of access to billions of dollars in payments, as per one hospital association. Moreover, some healthcare facilities were teetering on the verge of bankruptcy due to their inability to receive payment.

Witty revealed to Congress in April that approximately one-third of Americans may have had their personal information stolen in the hack, and that it was likely to take "several months" before UnitedHealth could identify the affected individuals and notify them. He explained that files containing patient data were damaged during the ransomware attack.

Post-hack, healthcare providers were unsure if they or Change Healthcare were liable for notifying patients of the data breach. On May 31, the HHS Office for Civil Rights highlighted that healthcare providers could pass on the responsibility of alerting victims to Change Healthcare.

UnitedHealth responded to the development by emailing a statement to CNN: "We appreciate OCR's recent clarification that providers and other HIPAA covered entities can delegate their notice obligations to Change, which reiterated our previously stated preference to ease the reporting obligations of our customers. As a result, we are working with our customers to ensure the notification process meets their needs and satisfies legal obligations."

The high-profile hacking incident has attracted attention to UnitedHealth's dominance in the healthcare industry. The company recorded $371 billion in revenue last year. Change Healthcare manages about one-third of American patient records, as per the American Hospital Association. Meanwhile, UnitedHealth's subsidiary Optum employs around 90,000 physicians.

The UnitedHealth subsidiary breach, along with a ransomware attack on one of the country's biggest hospital chains, has intensified calls for more laws on Capitol Hill and from the White House that mandate minimum cybersecurity standards for health care organizations.

In addition to the Hassan-Blackburn inquiry, Senator Ron Wyden (Democrat from Oregon), who serves as the committee chairman, has urged the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to scrutinize UnitedHealth's cybersecurity practices. The FTC has refused to comment, while an SEC spokesperson told CNN that the agency will reply directly to Wyden.
