Washington, D.C. — A bipartisan coalition of senators has raised serious concerns over a major health care firm’s handling of a crippling cyberattack that occurred in February, accusing the company of failing to adhere to federal regulations mandating patient notification when their personal data is compromised.
In a detailed letter addressed to UnitedHealth Group CEO Andrew Witty, Democratic Senator Maggie Hassan of New Hampshire and Republican Senator Marsha Blackburn of Tennessee demanded that the health care giant take immediate and comprehensive action to inform patients and health providers about the breach. The senators emphasized the company’s responsibility under federal law to notify affected individuals in a timely manner.
The Health Insurance Portability and Accountability Act (HIPAA) stipulates that health care providers must inform individuals within 60 days of discovering a breach involving their personal health information. Currently, the Department of Health and Human Services (HHS) is investigating whether UnitedHealth complied with these HIPAA obligations. An HHS spokesperson indicated that the department could not comment on ongoing investigations.
Under HIPAA, HHS has the authority to levy fines against companies that fail to protect patient data. In a recent case, the department announced a $4.75 million settlement with a New York-based nonprofit hospital system due to data security failures that led to an employee stealing and selling patient information.
The ramifications of the ransomware attack on Change Healthcare, a UnitedHealth subsidiary, have been particularly severe. This attack disrupted computer systems crucial for processing medical claims nationwide, leaving health care providers cut off from billions of dollars in payments. As reported by a hospital association, some clinics were on the verge of bankruptcy due to the interruption in their revenue streams.
In testimony before Congress last month, CEO Witty revealed that personal data for approximately one-third of Americans might have been stolen in the attack. He noted that identifying and notifying all affected individuals could take several months due to the extensive nature of the data compromised.
The situation has been further complicated by confusion over who is responsible for notifying patients—Change Healthcare or the health care providers. On May 31, the HHS Office for Civil Rights clarified that health care providers could delegate this notification responsibility to Change Healthcare. In a subsequent statement, UnitedHealth spokesperson Eric Hausman expressed appreciation for this clarification and assured that the company is working with its customers to ensure the notification process complies with legal requirements and addresses customer needs.
The cyberattack has highlighted UnitedHealth’s dominant position in the health care market, underscored by its $371 billion in revenue last year. Change Healthcare alone manages records for one in three American patients, while another subsidiary, Optum, employs around 90,000 physicians.
The incident, along with a similar ransomware attack on a major hospital chain, has intensified demands on Capitol Hill and within the White House for stringent cybersecurity regulations in the health care sector. Lawmakers are calling for new rules to ensure health care companies meet essential cybersecurity standards.
In addition to the Hassan-Blackburn inquiry, UnitedHealth faces scrutiny from other Senate members. Senator Ron Wyden, the Democratic chair of the Senate Finance Committee, has urged the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) to investigate the company’s cybersecurity practices. While the FTC has not commented, an SEC spokesperson confirmed that the agency will respond directly to Senator Wyden’s concerns. As investigations continue and pressures mount, the situation underscores the critical need for robust cybersecurity measures and transparent communication to protect patient data and maintain public trust in the health care system.