UnitedHealth Takes Responsibility for Notifying Patients in Data Breach

In its update dated May 31, the HHS Office for Civil Rights (OCR) stated that covered entities affected by the breach could ask Change Healthcare to issue notifications on their behalf.

In a new development, US healthcare providers can now ask UnitedHealth Group to inform patients whose data has been exposed during the February data breach incident at its Change Healthcare.

The Department of Health and Human Services (HHS) website has published this update as per a report by Reuters.

This development brings relief to hospitals and healthcare providers who had been advocating for UnitedHealth to assume the responsibility of informing patients whose data was compromised in the hack.

In its update dated May 31, the HHS Office for Civil Rights (OCR) stated that covered entities affected by the breach could ask Change Healthcare to issue notifications on their behalf.

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," the OCR announcement specified.

Data Breach Impact

Under the US law, any data breaches involving personal health information must be reported to the affected individuals within 60 days of discovery.

A spokesperson for UnitedHealth expressed gratitude for the OCR's clarification, noting that it aligns with the company's intent to alleviate the reporting responsibilities of its customers.

Earlier in May, UnitedHealth's CEO Andrew Witty informed a Congressional committee that a cyber attack on February 21 may have compromised the data of a third of Americans, leading to significant disruptions in the processing of medical claims.

Witty indicated that the company was still assessing the extent of the breach, which was expected to involve a substantial amount of sensitive information.

Continued Investigations

The breached data could include personal details such as names, addresses, medical codes, and insurance numbers, as reported by the Wall Street Journal.

The hack, targeting a unit responsible for healthcare billing and data systems, has had widespread repercussions, affecting both patients and healthcare providers across the nation.

UnitedHealth continues to address the processing delays caused by the cyberattack while also working to determine the full scope of the data involved. The company's priority remains on mitigating the impact of the breach and ensuring that affected individuals are promptly informed.

The clarification from the OCR is seen as a critical step in managing the fallout from the breach, as it helps streamline the notification process and eases the burden on healthcare providers already grappling with the incident's aftermath.

In another development, Optum, a subsidiary of UnitedHealth Group, is set to close its Toledo, Ohio plant and telehealth business, Optum Virtual Care.

The shutdown of the Ohio Plant was revealed through a Worker Adjustment and Retraining Notification Act (WARN) filing published last week. The filing revealed that 129 employees were laid off. Reportedly, the layoffs will occur in three phases from July 15 to September 6.