A bipartisan pair of senators is accusing a major health care firm that suffered a crippling cyberattack in February of not complying with federal law that requires patients be notified when their data is stolen.
In a letter sent to UnitedHealth Group CEO Andrew Witty this week, New Hampshire Democratic Sen. Maggie Hassan and Tennessee Republican Sen. Marsha Blackburn demanded that the health care giant “assume full and immediate responsibility” for giving patients and health providers information on the breach.
Federal law known as the Health Information Portability and Accountability Act (HIPAA) generally requires health care providers to notify people within 60 days of discovering a breach affecting their personal health data.
The Department of Health and Human Services is already investigating whether UnitedHealth is compliant with HIPAA obligations to protect patient data. The department can’t discuss ongoing investigations, an HHS spokesperson told CNN.
HHS can use HIPAA to fine companies for failing to protect patient data. The department announced a $4.75 million settlement in February with a nonprofit hospital system in New York for “data security failures” that the department said resulted in an employee stealing and selling patient data.
But the cleanup from the ransomware attack on Change Healthcare, a UnitedHealth subsidiary, has been unusually messy and complicated compared to other ransomware attacks on the health sector. The hack paralyzed computers that Change Healthcare uses to process medical claims across the country. Health care providers were cut off from billions of dollars in payments, according to one hospital association, and some health clinics were on the brink of bankruptcy because they couldn’t get paid.
Witty told Congress last month that a third of Americans may have had their personal data stolen in the hack and that it would likely take “several months” before the company is able to identify and notify Americans who were affected. One reason for the lengthy notification process, he said, was that files on patients were compromised in the ransomware attack.
In the aftermath of the hack, some health care providers were confused about whether they or Change Healthcare were responsible for notifying patients that their data had been breached. On May 31, the HHS Office for Civil Rights clarified that health care providers can delegate that obligation to Change Healthcare.
“We appreciate OCR’s recent clarification that providers and other HIPAA covered entities can delegate their notice obligations to Change, which reiterated our previously stated preference to ease the reporting obligations of our customers,” UnitedHealth spokesperson Eric Hausman said in an emailed statement to CNN on Friday. “As a result, we are working with our customers to ensure the notification process meets their needs and satisfies legal obligations.”
The hack cast a spotlight on UnitedHealth’s powerful role in the health care market. The company reported $371 billion in revenue last year. Change Healthcare handles one in three American patient records, according to the American Hospital Association. Optum, another UnitedHealth subsidiary, employs about 90,000 physicians.
The UnitedHealth subsidiary hack, and another ransomware attack on one of the country’s biggest hospital chains, have also increased pressure on Capitol Hill and in the White House to produce new regulations that require health care companies to meet minimum cybersecurity standards.
The Hassan-Blackburn letter is not the only inquiry that UnitedHealth faces in the Senate. Sen. Ron Wyden, the Oregon Democrat who chairs the finance committee, has called on the Federal Trade Commission and the Securities and Exchange Commission to investigate UnitedHealth’s cybersecurity practices. The FTC declined to comment, while an SEC spokesperson told CNN that the agency would respond directly to Wyden.