Several groups representing hospitals sent a joint letter urging CEO Andrew Witty to take responsibility for reaching out to those affected. He has said many Americans are likely affected.
Hospitals are pressing UnitedHealth Group to commit to reaching out to the victims of the Change Healthcare cyberattack.
UnitedHealth Group, Change Healthcare’s parent company, has said it would notify all of the individuals affected by the cyberattack. Hospitals are adamant that UnitedHealth should take sole responsibility for notifications of those whose private health information was stolen or exposed, which is standard in data breaches.
In the joint letter, the American Hospital Association and several other organizations representing hospitals said that UnitedHealth should make all notifications. UnitedHealth has said the number affected “could cover a substantial portion of people in America.”
“It is important to emphasize that hospitals, health systems and other providers were not the direct targets of this cyberattack, nor were they responsible for the potential release of private patient information,” the hospital groups said. “UHG/Change Healthcare, as the targets of the attack and source of any potential breach, are in the best position to make any necessary breach notifications.”
Andrew Witty, UnitedHealth Group’s CEO, testified before the Senate Health Committee that the company will notify those affected, but said it will likely take some time.
“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack,” Witty testified.
Health system leaders and cybersecurity analysts have said the cyberattack is the most damaging attack ever seen in the U.S. healthcare industry. Hospitals, medical groups and doctors have suffered financial damages due to the disruption caused by the attack. Change Healthcare handles a variety of functions for many healthcare providers, including processing claims, insurance eligibility checks and prescriptions.
Hospitals said they are seeking clarity on the notification issue in light of guidance put forward by the U.S. Health & Human Services Department. The Health Department’s Office of Civil Rights, which tracks health data breaches, outlined notification responsibilities in an online post about the cyberattack.
“While the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate,” the OCR post stated.
Referencing UnitedHealth’s previous pledge to notify all those affected, the hospital groups are imploring the company to advise the federal government, Congress and state regulators that it would handle the notification of all those whose data was exposed.
The hospitals also noted that they continue to grapple with the ramifications of the attack.
“Our members have been acutely affected by the unprecedented cyberattack. It will take many months for health systems and hospitals to address the fallout from this attack and return to standard operations,” the hospitals’ letter stated.
The following groups sent the letter: the American Hospital Association; America’s Essential Hospitals; the Association of American Medical Colleges; Children’s Hospital Association; Federation of American Hospitals; and the National Association for Behavioral Healthcare.
Lawmakers have also said they aren’t happy that individuals who may have had their private health or financial data stolen still haven’t been notified.
At last week’s hearing, Sen. Maggie Hassan, D-New Hampshire, urged Witty to work harder to notify those affected by the Change Healthcare cyberattack, which took place on Feb. 21.
“Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals,” Hassan said.
In the Senate committee hearing last week, Witty testified that the Change Healthcare system involved in the attack did not require multi-factor authentication for access. Witty also told lawmakers that the company paid a ransom of $22 million.
Rick Pollack, president and CEO of the American Hospital Association, said in a conversation at the Hospital + Healthcare Association of Pennsylvania Leadership Summit in April that hospitals are expecting UnitedHealth to notify the victims.
“It's their responsibility to inform patients, not our responsibility,” Pollack said.