top of page

What Did the Health Dept Decide About UnitedHealth's Data Breach?

Health care data breach

U.S. healthcare providers can request that UnitedHealth Group (UNH.N) notify individuals whose data was compromised in a hack on the company's Change Healthcare unit in February. This update was announced on the health department's website.


This news is welcomed by U.S. hospitals and healthcare providers who had asked the Department of Health and Human Services (HHS) to allow UnitedHealth and its unit to notify affected individuals.


According to a May 31 update from the HHS' Office for Civil Rights (OCR), "Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare." U.S. law mandates that data breaches be reported to the affected individuals within 60 days of discovery.


A spokesperson for UnitedHealth expressed appreciation for the OCR's clarification, which "reiterates our stated preference to ease the reporting obligations of our customers."


Earlier in May, UnitedHealth CEO Andrew Witty informed a Congressional committee that hackers potentially stole data affecting a third of Americans during the February 21 cyber attack, disrupting medical claims processing. The company is still working to resolve these issues.


Witty also mentioned that the company is continuing to investigate the extent of the data breach, which is believed to be significant.


UnitedHealth warned that the compromised data could include sensitive information such as names, addresses, medical codes, and insurance numbers, as reported by the Wall Street Journal. The breach has caused widespread disruptions in healthcare billing and data systems, impacting patients and providers nationwide.


Speed Net Order now

Key Points

  • Notification Responsibility Shift: The U.S. Department of Health and Human Services (HHS) has allowed healthcare providers to ask UnitedHealth Group to notify individuals whose data was exposed in a February hack on the Change Healthcare unit.

  • Legal Reporting Requirement: U.S. law requires that data breaches be reported to affected individuals within 60 days. The HHS' Office for Civil Rights (OCR) advised that entities wanting Change Healthcare to handle notifications should contact them directly.

  • Impact and Investigation: The hack potentially affected a third of Americans and disrupted medical claims processing. UnitedHealth continues to investigate the breach, which may include sensitive information like names, addresses, and insurance numbers.



FAQs

Q1.  What happened in the UnitedHealth Group data breach?

In February, hackers attacked UnitedHealth Group's Change Healthcare unit, potentially compromising the data of a third of Americans and causing widespread disruptions in medical claims processing.


Q2. Who is responsible for notifying individuals affected by the data breach?

The U.S. Department of Health and Human Services (HHS) has permitted healthcare providers to request that UnitedHealth Group handle the notification of individuals whose data was exposed.


Q3. What type of information was potentially compromised in the breach?

The breached data may include sensitive information such as names, addresses, medical codes, and insurance numbers.


Q4.  How did UnitedHealth Group respond to the HHS clarification?

UnitedHealth Group appreciated the clarification from the HHS' Office for Civil Rights, as it aligns with their preference to ease the reporting obligations for their customers.


Reference


Comments


bottom of page