WASHINGTON – Today, U.S. Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) urged UnitedHealth Group CEO Andrew Witty to quickly assume responsibility for informing patients, providers, and federal and state regulators about the patient data that was exposed in the February ransomware attack on Change Healthcare. As the Senators make clear, UnitedHealth Group continues to be in violation of the Health Information Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach.
“Patients and providers continue to deal with the aftermath of the ransomware attack on Change Healthcare in February 2024,” wrote the Senators. “On May 1, you acknowledged during a House Committee hearing that the Change Healthcare hack exposed the Protected Health Information and Personally Identifiable Information of ‘maybe a third’ of Americans. Yet, more than three months after UHG discovered the attack, millions of Americans are still in the dark about the vulnerability of their personal data and health information.”
“Without urgent action from UHG, patients and providers will continue to be left without any information about the scope of the data breach,” continued the Senators. “To mitigate any confusion among the affected parties, we urge UHG to assume sole responsibility for all breach notifications by formally notifying OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities. We ask that you immediately commit to doing so and send us your plan to notify individuals and business partners, with those data breach notifications going out no later than June 21, 2024.”
Senator Hassan has been leading efforts to mitigate the fallout from the February ransomware attack on Change Healthcare, a UnitedHealth Group company, and continues to work to ensure that the lessons from it are shared broadly to help strengthen cybersecurity across the health care sector. In April, Senator Hassan urged UnitedHealth Group to immediately notify individuals that their personal information may have been exposed in the hack, and for the company to provide those consumers with comprehensive identity monitoring if they were potentially impacted. She also directly pushed UnitedHealth Group’s CEO on these issues at a hearing that week. Soon after the cyberattack first occurred, Senator Hassan raised the issue of the cyberattack and its fallout in conversations with President Joe Biden and Health and Human Services Secretary Xavier Becerra, and pressed UnitedHealth Group on the inadequacy of its initial financial assistance offer for doctors and hospitals, some of whom lost up to 98 percent of their cash flow. Senator Hassan then met with UnitedHealth Group CEO Andrew Witty, securing a commitment for improvements to the company's financial assistance program for hospitals and doctors. She has since talked to Witty multiple times to ensure the company followed through on its commitments, and New Hampshire hospitals have enrolled in the updated financial assistance program.
The full text of the letter sent to UnitedHealth Group CEO Andrew Witty follows:
Dear Mr. Witty:
We write to urge UnitedHealth Group (UHG) and its subsidiaries, including Change Healthcare, to assume full and immediate responsibility for notifying all affected patients and providers, as well as federal and state regulators, about the impact of the ransomware attack on Change Healthcare.
As you are aware, patients and providers continue to deal with the aftermath of the ransomware attack on Change Healthcare in February 2024, which plunged many health care providers into a financial crisis and compromised personal information for “a substantial proportion of people in America.” On May 1, you acknowledged during a House Committee hearing that the Change Healthcare hack exposed the Protected Health Information and Personally Identifiable Information of “maybe a third” of Americans. Yet, more than three months after UHG discovered the attack, millions of Americans are still in the dark about the vulnerability of their personal data and health information.
UHG claims to have been undertaking a comprehensive analysis to identify and notify impacted individuals and has committed that the company will “make notifications and undertake related administrative requirements on behalf of any provider or customer.” However, as of June 6, UHG continues to be in violation of the Health Information Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach. UHG must also formally notify impacted business partners, including health care providers, in accordance with HIPAA and state law.
Without urgent action from UHG, patients and providers will continue to be left without any information about the scope of the data breach. To mitigate any confusion among the affected parties, we urge UHG to assume sole responsibility for all breach notifications by formally notifying OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities.
We ask that you immediately commit to doing so and send us your plan to notify individuals and business partners, with those data breach notifications going out no later than June 21, 2024. Thank you for your attention to this urgent matter.
###