Washington, D.C. — A major health care firm is under fire from a bipartisan pair of senators for its handling of a severe cyberattack in February, which compromised patient data. The senators allege that the company failed to comply with federal laws requiring timely notification of affected individuals.
Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) have penned a forceful letter to UnitedHealth Group CEO Andrew Witty, insisting that the company “assume full and immediate responsibility” for notifying patients and health care providers about the breach. They stressed the importance of transparency and prompt communication in such incidents.
The Health Insurance Portability and Accountability Act (HIPAA) requires health care providers to notify individuals within 60 days of discovering a breach involving their protected health information. The Department of Health and Human Services (HHS) is currently investigating UnitedHealth’s compliance with these requirements. An HHS spokesperson confirmed the investigation but declined to provide further details.
HIPAA also grants HHS the authority to impose fines on companies that fail to safeguard patient data. For instance, HHS recently secured a $4.75 million settlement with a nonprofit hospital system in New York over data security failures that led to an employee stealing and selling patient data.
The ransomware attack targeted Change Healthcare, a UnitedHealth subsidiary, and caused unprecedented disruption. The attack crippled systems used to process medical claims across the country, leading to significant financial strain for health care providers. Some clinics faced potential bankruptcy due to the delay in payments, as reported by a hospital association.
In congressional testimony, CEO Witty revealed that the personal data of approximately one-third of Americans might have been compromised. He said it would take several months to identify and notify all affected individuals, attributing the delay to the sheer volume of the breached data.
Confusion initially arose over whether Change Healthcare or the individual health care providers were responsible for notifying patients. On May 31, the HHS Office for Civil Rights clarified that health care providers could delegate this responsibility to Change Healthcare. UnitedHealth spokesperson Eric Hausman expressed gratitude for this clarification and assured that the company is working diligently with its customers to meet legal notification requirements.
This breach has highlighted UnitedHealth’s significant role in the health care industry. The company reported $371 billion in revenue last year, with Change Healthcare managing records for one in three American patients. Another subsidiary, Optum, employs around 90,000 physicians.
The incident, alongside another major ransomware attack on a large hospital chain, has amplified calls from lawmakers and the White House for stricter cybersecurity regulations in the health care sector. There is a growing push for new legislation to enforce minimum cybersecurity standards for health care companies.
In addition to the scrutiny from Senators Hassan and Blackburn, UnitedHealth is facing inquiries from other Senate members. Senator Ron Wyden (D-OR), chair of the Senate Finance Committee, has urged the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to investigate UnitedHealth’s cybersecurity practices. The FTC declined to comment, while an SEC spokesperson confirmed that the agency would respond directly to Senator Wyden.
As investigations continue and regulatory pressures mount, the importance of robust cybersecurity measures and clear communication protocols in protecting patient data and maintaining public trust in the health care system becomes ever more apparent.