Following Senator Hassan’s Advocacy, UnitedHealth Group Begins Notification Process for Potential Exposure of Personal Information

WASHINGTON – Following advocacy by U.S. Senator Maggie Hassan (D-NH), UnitedHealth Group has begun the process of notifying health care providers and patients about data that was exposed in the February ransomware attack on its subsidiary Change Healthcare. The company is today beginning the process of formally notifying doctors, hospitals, insurers, and pharmacies that their patients’ personal health information was compromised, and expects to begin mailing notifications to impacted members of the general public in late July. Earlier this month, Senator Hassan, along with Senator Marsha Blackburn (R-TN), pushed UnitedHealth Group’s CEO to acknowledge that his company continued to be in violation of the Health Insurance Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach. The letter urged UnitedHealth Group to begin notifications by today, June 21.

“I am glad to see UnitedHealth is finally beginning the breach notification process after the February cyberattack on Change Healthcare, but it is unacceptable that Americans will be left in the dark for at least another month about a hack that occurred in February,” said Senator Hassan. “By UnitedHealth Group’s own admission, the personal information of tens of millions of Americans could be at risk and that information could include personal medical information as well as Social Security numbers and other sensitive data. While this is a step in the right direction, the company must find ways to move more quickly to directly notify patients that their personal information is at risk.”

UnitedHealth Group and its subsidiary Change Healthcare announced that it is still analyzing what data was compromised and which Americans were impacted, but confirmed that compromised data could include contact information (including name, address, phone number, and email), health insurance information, health information (including diagnoses, medication prescribed, images, and test results), as well as billing information and other personal information (including financial and banking information, social security numbers, and driver’s license numbers). The UnitedHealth Group’s CEO has previously testified that “maybe a third” of Americans could have their data at risk because of this hack.  

Senator Hassan has been leading efforts to mitigate the fallout from the February ransomware attack on Change Healthcare, a UnitedHealth Group company, and continues to work to ensure that the lessons from it are shared broadly to help strengthen cybersecurity across the health care sector. Earlier this month, Senators Hassan and Blackburn pushed UnitedHealth Group CEO Andrew Witty to begin the breach notification process by June 21, especially as the company was not in compliance with the legal requirement to conduct notifications within 60 days after discovering a breach. This letter followed an April push from Senator Hassan for UnitedHealth Group to immediately notify individuals that their personal information may have been exposed in the hack, and for the company to provide those consumers with comprehensive identity monitoring if they were potentially impacted. She also directly pushed UnitedHealth Group’s CEO on these issues at a hearing that week. 

Soon after the cyberattack first occurred, Senator Hassan raised the issue of the cyberattack and its fallout in conversations with President Joe Biden and Health and Human Services Secretary Xavier Becerra, and pressed UnitedHealth Group on the inadequacy of its initial financial assistance offer for doctors and hospitals, some of whom lost up to 98 percent of their cash flow. Senator Hassan then met with UnitedHealth Group CEO Andrew Witty, securing a commitment for improvements to the company's financial assistance program for hospitals and doctors. She then followed up with Witty to ensure the company followed through on its commitments, and New Hampshire hospitals have enrolled in the updated financial assistance program.