On June 7, 2024, Senators Marsha Blackburn (R-TN) and Maggie Hassan (D-NH) sent a letter to UnitedHealth Group (UHG) CEO Andrew Witty telling him to issue the notifications for the February 21, 2024 ransomware attack on Change Healthcare. Affected individuals need to know about the ransomware attack promptly.
The Office for Civil Rights (OCR) revised its website FAQ to clear up misunderstandings regarding breach notifications and stated that UHG/Change Healthcare is legally permitted to issue individual notifications on behalf of the impacted HIPAA-covered entities. OCR also stated that the burden of ensuring that affected individuals receive their breach notifications still rests on the affected covered entity.
Before the OCR FAQ was published, UHG offered to send the notifications and carry out the related administrative requirements on behalf of the breached covered entities, yet it did not publicly announce that it is taking full responsibility for sending the notification letters. UHG also has not yet officially informed the impacted covered entities about the breach.
To clear up any remaining misunderstandings, the senators have required UHG to officially state that it will take care of all of the necessary breach notifications, which include sending individual notification letters and informing the press, OCR, and state attorneys general.
At the House Committee hearing on May 1, 2024, Witty reported the exposure of protected health information (PHI) and said that, although the full extent of the breach was unknown, it could impact 1 in 3 Americans. The ransomware group publicly confirmed that it stole patient information.
According to the senators, UHG/Change Healthcare is currently accountable for violating the HIPAA Breach Notification Rule, since more than 3 months have passed since the ransomware attack was discovered and it has not yet issued the breach notification letters. Under the HIPAA Breach Notification Rule, the breached entity must issue the notifications without undue delay and no later than 60 days after discovering the breach.
The senators have mandated that Witty quickly give them UHG/Change Healthcare's plan for sending the notifications and make sure that the breach notifications are delivered on or before June 21, 2024. Until they receive the notification letters, the impacted persons remain unaware that their personal information and health data are exposed.