Patient Data Breach: Lawmakers Demand Answers on Lack of Transparency

Washington, D.C. — A bipartisan duo of senators has criticized a major health care firm for allegedly failing to comply with federal regulations requiring patient notification after a massive cyberattack in February compromised personal data.

In a stern letter to UnitedHealth Group CEO Andrew Witty, Democratic Senator Maggie Hassan from New Hampshire and Republican Senator Marsha Blackburn from Tennessee urged the company to take immediate action to inform affected patients and health providers. They emphasized that the firm must “assume full and immediate responsibility” for the breach notification process.

Federal law, specifically the Health Insurance Portability and Accountability Act (HIPAA) and its Breach Notification Rule, requires covered entities such as health care providers and health plans to notify affected individuals without unreasonable delay, and in any case within 60 days of discovering a breach of their protected health information. The Department of Health and Human Services (HHS) is currently investigating UnitedHealth’s compliance with these regulations. However, an HHS spokesperson declined to comment on the ongoing investigation.

HIPAA allows HHS to impose fines on companies that fail to protect patient data adequately. In a recent precedent, HHS reached a $4.75 million settlement with a nonprofit hospital system in New York over data security lapses that led to an employee illegally accessing and selling patient data.

The ransomware attack on Change Healthcare, a subsidiary of UnitedHealth, has been particularly disruptive. The attack incapacitated systems used to process medical claims nationwide, causing significant financial distress for health care providers. According to one hospital association, the payment delays have pushed some health clinics to the brink of bankruptcy.

During a recent congressional hearing, CEO Witty disclosed that the personal data of approximately one-third of Americans might have been stolen in the attack. He explained that the process of identifying and notifying all affected individuals would take several months due to the extensive nature of the compromised data.

Further complicating matters was uncertainty over who bore the responsibility for notifying patients—Change Healthcare or the individual health care providers. On May 31, the HHS Office for Civil Rights clarified that health care providers could delegate the notification duty to Change Healthcare. UnitedHealth spokesperson Eric Hausman welcomed this clarification, stating that the company is collaborating with its customers to ensure the notification process meets legal and customer requirements.

The breach has cast a spotlight on UnitedHealth’s significant influence in the health care sector. Last year, the company reported $371 billion in revenue. Change Healthcare processes records for one in three American patients, and another subsidiary, Optum, employs approximately 90,000 physicians.

The cyberattack, along with a similar incident affecting a major hospital chain, has increased calls from lawmakers and the White House for enhanced cybersecurity regulations in the health care industry. There is growing momentum for new legislation to mandate that health care companies adhere to stringent cybersecurity standards.

In addition to the Hassan-Blackburn letter, UnitedHealth is facing scrutiny from other Senate committees. Senator Ron Wyden, the Democratic chair of the Senate Finance Committee, has called on the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to investigate UnitedHealth’s cybersecurity practices. While the FTC declined to comment, an SEC spokesperson indicated that the agency would respond directly to Senator Wyden. As investigations proceed and regulatory pressures build, this incident underscores the critical importance of robust cybersecurity measures and transparent communication practices to protect patient data and maintain public confidence in the health care system.
