Parv Jain

Can Patients Expect a Data Breach Notice from UnitedHealth?

Data Breach

U.S. healthcare providers can ask UnitedHealth Group to notify people whose data was exposed in a February hack on the company's Change Healthcare unit, according to an update on the health department's website.


This news is a relief for U.S. hospitals and healthcare providers, who had urged the Department of Health and Human Services (HHS) to allow UnitedHealth to take responsibility for notifying affected individuals.


The HHS' Office for Civil Rights (OCR) stated on May 31 that "affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare." U.S. law requires data breaches to be reported to affected individuals within 60 days of discovery.


A UnitedHealth spokesperson welcomed the OCR's clarification, saying it aligns with the company's goal to ease the reporting burden on its customers.


In May, UnitedHealth CEO Andrew Witty informed a Congressional committee that hackers might have stolen data from one-third of Americans in the February 21 cyber attack, which disrupted medical claims processing. The company is still addressing these issues.


Witty also mentioned that the extent of the data breach is still under investigation and is likely significant.


UnitedHealth warned that the breached data might include sensitive information such as names, addresses, medical codes, and insurance numbers. The breach has caused widespread disruptions in healthcare billing and data systems, affecting patients and providers nationwide.


Key points

  • Notification Shift: UnitedHealth Group can now notify individuals affected by the data breach, lightening the notification responsibility for healthcare providers.

  • Regulatory Compliance: The Department of Health and Human Services (HHS) allows this shift, aligning with U.S. law requiring data breaches to be reported within 60 days of discovery.

  • Impact and Investigation: CEO Andrew Witty revealed the breach potentially affects a third of Americans, prompting ongoing investigations into the extent of compromised data and disruptions in healthcare services.


FAQs

Q1. Who can notify individuals affected by the data breach?

UnitedHealth Group can now notify individuals whose data was exposed in the breach, upon request from healthcare providers.


Q2. How can healthcare providers request notifications for their patients?

Healthcare providers can ask Change Healthcare to provide breach notifications on their behalf, according to the guidance from the HHS Office for Civil Rights (OCR).


Q3. What is the legal requirement for reporting data breaches?

U.S. law mandates that data breaches be reported to affected individuals within 60 days of discovery.


Q4. What information could be compromised in the breach?

The breached data may include sensitive information such as names, addresses, medical codes, and insurance numbers.

