UnitedHealth Group, a major health care firm, suffered a cyberattack in February and is being accused by senators Maggie Hassan and Marsha Blackburn of not complying with the federal law that requires patients to be notified when their data is stolen. The Health Insurance Portability and Accountability Act (HIPAA) generally requires health care providers to notify people within 60 days of discovering a breach affecting their personal health data. The Department of Health and Human Services (HHS) is investigating whether UnitedHealth is complying with its HIPAA obligations to protect patient data, and it can fine companies that fail to do so.
The ransomware attack on Change Healthcare, a UnitedHealth subsidiary, caused widespread disruption and financial strain for health care providers. The hack paralyzed the computers used to process medical claims, cutting providers off from payments and leaving some clinics facing bankruptcy. UnitedHealth CEO Andrew Witty stated that a third of Americans may have had their personal data stolen in the cyberattack, and that because the patient files themselves were compromised, it may take several months to identify and notify those affected. Confusion over who is responsible for notifying patients of the breach led the HHS Office for Civil Rights to clarify that health care providers can delegate that obligation to Change Healthcare.
UnitedHealth’s powerful role in the health care market and the widespread impact of the cyberattack have spurred calls for new regulations that require health care companies to meet minimum cybersecurity standards. The company’s revenue of $371 billion last year, along with its subsidiaries managing a significant portion of American patient records and employing tens of thousands of physicians, underscores the urgency for improved cybersecurity measures. In addition to the inquiry by Senators Hassan and Blackburn, Senator Ron Wyden has called for investigations by the Federal Trade Commission and the Securities and Exchange Commission into UnitedHealth’s cybersecurity practices.
The cyberattack on UnitedHealth’s subsidiary, together with other recent incidents in the health care sector, has exposed vulnerabilities across the industry and raised concerns about data protection. The fallout from the attack and the complexity of the breach have increased pressure for stronger cybersecurity measures and swift action from regulators. UnitedHealth says it is working with customers to ensure the notification process meets legal obligations and eases the reporting burden on health care providers. The ongoing HHS investigation and the potential for fines under HIPAA underscore the seriousness of the breach and the need for accountability in safeguarding patient data.