Six hospital groups urge UnitedHealth to take responsibility for Change Healthcare hack notifications

Six national hospital groups posted a public letter on May 8, addressed to UnitedHealth Group CEO Andrew Witty, urging him to announce a timeline and process for notifying patients about stolen personal data from the breach of Change Healthcare’s systems in February. 

In the letter, the groups request that UnitedHealth claim formal responsibility for any notification of victims, on behalf of impacted providers and customers. The request is something Witty already agreed to do during a Senate hearing on May 1. 

However, UnitedHealth has yet to specify how and when it will proceed with notifying the tens of millions of people who likely had their data stolen during the breach. During the hearing, Witty stated that “maybe a third” of Americans had protected health information taken by hackers and put up for sale on the dark web

The six organizations who authored the letter are attempting to make sure the burden of notifying all of the impacted patients does not fall onto provider groups, adding that the number of individuals who will need to be notified is “staggering.” 

“[It] is important to emphasize that hospitals, health systems and other providers were not the direct targets of this cyberattack, nor were they responsible for the potential release of private patient information,” the letter reads. “UnitedHealth/Change Healthcare, as the targets of the attack and source of any potential breach, are in the best position to make any necessary breach notifications.”

While UnitedHealth has said it will take months to fully investigate the breach and assess what data was stolen, the authors of the letter remind the insurer that it will also take “many months for health systems and hospitals to address the fallout from this attack and return to standard operations.”

The letter was signed by America’s Essential Hospitals, American Hospital Association, Association of American Medical Colleges, Children’s Hospital Association, Federation of American Hospitals and the National Association for Behavioral Healthcare.

Breach is still causing chaos

According to a recent survey by the American Medical Association, independent providers and small hospitals are still suffering economic turmoil as a result of a slowdown in claims processing as a result of Change Healthcare’s systems being down. 

During the Senate hearing, Witty admitted the compromised server at Change Healthcare lacked basic security, namely multifactor authentication. The cybercriminals reportedly gained access to the organization’s systems for nine days before making their presence known with a ransomware attack.

Despite UnitedHealth paying a $22 million ransom, personal data from patients ended up for sale on the dark web anyway.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

When regulating AI-equipped medical devices, the FDA might take a page from the Department of Transportation’s playbook for overseeing AI-equipped vehicles. These run the gamut from assisting human drivers to fully taking the wheel. 

Kit Crancer, RBMA board member, speaks with Radiology Business about key legislative developments on the Hill that will affect the specialty. 

California-based Acutus Medical has said its ongoing agreement to manufacture and distribute left-heart access devices for Medtronic is the company's only source of revenue.