Senators Maggie Hassan and Marsha Blackburn have accused UnitedHealth Group of not complying with the federal law that requires patients to be notified when their data is stolen. The Health Information Portability and Accountability Act (HIPAA) generally requires health care providers to notify people within 60 days of a breach affecting their personal health data. The Department of Health and Human Services is investigating whether UnitedHealth is compliant with HIPAA obligations to protect patient data; the department can fine companies for failing to meet those obligations.

The ransomware attack on Change Healthcare, a UnitedHealth subsidiary, paralyzed computers that the company uses to process medical claims, leading to health care providers being cut off from payments and some health clinics facing bankruptcy. CEO Andrew Witty estimated that a third of Americans may have had their personal data stolen in the attack and that it would take several months to identify and notify those affected. The HHS Office for Civil Rights clarified that health care providers can delegate their obligation to notify patients of a data breach to Change Healthcare.

UnitedHealth’s powerful role in the health care market came under scrutiny after the cyberattack on its subsidiary. The company reported $371 billion in revenue last year, and Change Healthcare handles one in three American patient records. Pressure has increased on Capitol Hill and the White House to produce new regulations that require health care companies to meet minimum cybersecurity standards. Senator Ron Wyden has called on the FTC and SEC to investigate UnitedHealth’s cybersecurity practices.

The bipartisan inquiry by Senators Hassan and Blackburn is not the only one that UnitedHealth faces in the Senate. Senator Wyden has also called on the FTC and SEC to investigate the company’s cybersecurity practices. The FTC declined to comment, while an SEC spokesperson stated that the agency would respond directly to Wyden’s request for an investigation. Overall, UnitedHealth’s handling of the ransomware attack on its subsidiary has highlighted the need for improved cybersecurity measures in the health care industry and prompted further scrutiny from regulatory agencies and lawmakers.
