Senator Hassan Pushes UnitedHealth Group to Address Identity Theft Risks for Patients After Cyberattack

WASHINGTON - Following a recent statement by UnitedHealth Group that cybercriminals obtained the sensitive health data of patients in a ransomware attack on the company, U.S. Senator Maggie Hassan (D-NH) is pushing UnitedHealth Group to take immediate steps to provide protection for patients whose data may have been stolen. Senator Hassan identified four specific steps that UnitedHealth Group needs to take to fulfill its legal obligations and help patients who may have been impacted by this cyberattack.

"These risks are especially concerning given your company's admission in an April 22 press release that, through the ransomware attack, cybercriminals obtained the sensitive health data of 'a substantial proportion of people in America.' I specifically urge you to notify affected patients as rapidly as possible, improve the identify theft protections you are offering affected patients, and better coordinate with federal authorities around the data breach," Senator Hassan wrote in a letter to UnitedHealth Group. "I urge UHG to continue to make sure that its response meets this watershed moment in health care cybersecurity and our national security."

The letter comes ahead of a May 1 Senate Finance Committee hearing during which UnitedHealth Group's CEO, Andrew Witty, will be testifying and Senator Hassan will be pressing the company for answers. UnitedHealth Group's statement on April 22 indicated that the company found personal information in the compromised files, which "could cover a substantial proportion of people in America." In her letter, Senator Hassan urges UnitedHealth Group to take more action and notify people of the potential disclosure of their information as well as other required breach notifications, and for consumers to get access to resources if they were potentially impacted.

Senator Hassan has been engaged in helping get hospitals and doctors relief from the February 21 cyberattack on Change Healthcare, a UnitedHealth Group company, and continues to work to mitigate the fall-out of this incident as well as ensuring that the lessons from it are shared broadly to help prevent something similar from happening again. Soon after the cyberattack first occurred, Senator Hassan raised the issue of the cyberattack and its fallout in conversations with President Joe Biden and Health and Human Services Secretary Xavier Becerra, and pressed UnitedHealth on the inadequacy of its initial assistance program for doctors and hospitals, some of whom lost up to 98 percent of their cash flow. Senator Hassan then met with UnitedHealth CEO Andrew Witty and secured a commitment for improvements to the financial assistance program for hospitals and doctors. She has since talked to Witty multiple times to ensure the company was following through on its commitments, and several New Hampshire hospitals have enrolled in the updated financial assistance program.

Click to see the full letter sent to UnitedHealth Group or see text below:

Dear Mr. Witty:

I write to urge UnitedHealth Group to swiftly address identify theft risks for patients whose data was stolen in the ransomware attack on Change Healthcare. These risks are especially concerning given your company's admission in an April 22 press release that, through the ransomware attack, cybercriminals obtained the sensitive health data of "a substantial proportion of people in America." I specifically urge you to notify affected patients as rapidly as possible, improve the identify theft protections you are offering affected patients, and better coordinate with federal authorities around the data breach.

While the investigation into the ransomware attack continues, UnitedHealth Group (UHG) should take the following steps as soon as possible to fulfil its obligations under the Health Insurance Portability and Accountability Act (HIPAA) and provide protection to patients whose data may have been stolen:

1. Notify individuals of the potential disclosure of their PII and PHI. HIPAA requires covered entities to notify individuals of a breach of their protected health information (PHI) within 60 days following the discovery of the security incident. Given that Change Healthcare's systems have been estimated to include records for up to half of the American public, I am concerned that delaying notifications until every detail is known will put patients' privacy at risk.2 Lengthy delays prevent individuals from taking protective actions such as staying alert, securing and monitoring accounts, changing passwords, and checking credit reports. UHG should take initial, immediate steps to notify individuals of potential exposure and then send follow-up notifications to patients regarding the exact nature of their data exposure.

2. Provide comprehensive consumer protections for potentially impacted individuals. UHG must offer comprehensive services, including free identity monitoring, to all patients with data that was potentially exposed in the hack. UHG recently announced that it will provide two years of credit monitoring to individuals impacted by the breach. However, credit monitoring alone may not address the very real reputational risks with the loss of millions of patient records and transaction data. The company should also offer free identity protection for at least 7 years, and I encourage you to implement this program for consumers in the interim while UHG continues to assess individual-level data exposures. In addition, any free credit or identity monitoring offered by UHG should be part of a transparent agreement that prioritizes consumers and does not include financial benefits for UHG or its subsidiaries. For example, the program should be free of trial periods, fees, cancellation requirements, automatic renewals, and other restrictions so that patients do not face unexpected fees, charges, or other limitations.

3. Comply with HIPAA and notify the Department of Health and Human Services and patients of the data security breach. UHG is obligated to submit to HHS a formal breach notification regarding the exposure of individual PHI. Under HIPAA (as modified by P.L. 111-5), covered entities must notify HHS of a breach of protected health information "without unreasonable delay and in no case later than 60 days following the discovery of the breach." After discovering the breach on February 21, as of April 29UHG has not completed this mandatory notification, despite its substantial financial and organizational resources.3

4. Honor UHG's commitment to make breach notifications. On April 22, UHG issued a press release committing to make breach notifications on behalf of health care providers and other HIPAA covered entities impacted by the ransomware attack on ChangeHealthcare.4 UHG must honor this public commitment and provide clear processes on how providers should formally request UHG's assistance and how UHG will notify patients about the data breach on behalf of providers and other covered entities. Healthcare providers should not carry the burden of a costly breach notification process for an attack that is not their fault.

I urge UHG to continue to make sure that its response meets this watershed moment in health care cybersecurity and our national security.

###

• Print
• Email
• Share
• Tweet