Washington CNN —
A bipartisan pair of senators is accusing a major health care company that suffered a crippling cyberattack in February of not complying with federal law that requires patients be notified when their data is stolen.
In a letter sent to UnitedHealth Group CEO Andrew Witty this week, New Hampshire Democratic Sen. Maggie Hassan and Tennessee Republican Sen. Marsha Blackburn demanded that the health care giant “assume full and immediate responsibility” for giving patients and health providers information on the breach.
Federal law known as the Health Insurance Portability and Accountability Act (HIPAA) generally requires health care providers to notify people within 60 days of discovering a breach affecting their personal health data.
The Department of Health and Human Services is already investigating whether UnitedHealth is compliant with HIPAA obligations to protect patient data. The department can’t discuss ongoing investigations, an HHS spokesperson told CNN.
HHS can use HIPAA to fine companies for failing to protect patient data. The department announced a $4.75 million settlement in February with a nonprofit hospital system in New York for “data security failures” that the department said resulted in an employee stealing and selling patient data.
But the cleanup from the ransomware attack on Change Healthcare, a UnitedHealth subsidiary, has been unusually messy and complicated compared to other ransomware attacks on the health sector. The hack paralyzed computer systems that Change Healthcare uses to process medical claims across the country. Health care providers were cut off from billions of dollars in payments, according to one hospital association, and some health clinics were on the brink of bankruptcy because they couldn’t get paid.
Witty told Congress last month that a third of Americans may have had their personal data stolen in the hack and that it would likely take “several months” before the company is able to identify and notify Americans who were affected. One reason for the lengthy notification process, he said, was that information on patients was compromised in the ransomware attack.
In the aftermath of the hack, some health care providers were confused whether they or Change Healthcare were responsible for notifying patients that their data had been breached. On May 31, the HHS Office for Civil Rights clarified that health care providers can delegate that obligation to Change Healthcare.
“We appreciate OCR’s recent clarification that providers and other HIPAA covered entities can delegate their notice obligations to Change, which reiterated our previously stated preference to ease the reporting obligations of our customers,” UnitedHealth spokesperson Eric Hausman said in an emailed statement to CNN on Friday. “As a result, we are working with our customers to ensure the notification process meets their needs and satisfies legal obligations.”
The hack cast a spotlight on UnitedHealth’s powerful role in the health care market. The company reported $371 billion in revenue last year. Change Healthcare handles one in three American patient records, according to the American Hospital Association. Optum, another UnitedHealth subsidiary, employs about 90,000 physicians.
The UnitedHealth subsidiary hack, and another ransomware attack on one of the nation’s largest hospital chains, has also increased pressure on Capitol Hill and in the White House to produce new regulations that require health care companies to meet minimum cybersecurity standards.
The Hassan-Blackburn letter is not the only inquiry that UnitedHealth faces in the Senate. Sen. Ron Wyden, the Oregon Democrat who chairs the finance committee, has called on the Federal Trade Commission and the Securities and Exchange Commission to investigate UnitedHealth’s cybersecurity practices. The FTC declined to comment, while an SEC spokesperson told CNN that the agency would respond directly to Wyden.