Dive Brief:
- Change Healthcare has started sending out data breach notifications after a cyberattack against the payments processor earlier this year compromised information like Social Security numbers and medical diagnoses for a potentially massive swath of Americans.
- On Thursday, the UnitedHealth subsidiary began notifying its customers if their members’ or patients’ data was exposed, according to a data breach notification. Change plans to start sending letters to the affected individuals themselves in late July, though the company noted it may not have addresses for everyone.
- Exposed data could include contact information, health insurance details, medical information like diagnoses and test results, billing and payment information and personal details like Social Security numbers or ID numbers, according to Change’s notice.
Dive Insight:
Change, a major medical claims processor, was hit by a ransomware attack in late February, disrupting key healthcare operations like payments to providers, eligibility checks, prior authorization requests and prescription fulfillment for weeks. Some services still haven’t been fully restored.
The attack may have exposed data from a “substantial proportion of people in America,” UnitedHealth said in April. Though the company didn’t say on Thursday how many individuals were affected, UnitedHealth CEO Andrew Witty estimated in May that the breach may have compromised the data of one-third of Americans.
The review of personal information involved in the attack is now in its late stages, Change said. So far, the company hasn’t seen patients’ full medical histories breached, though information from guarantors, whoever paid the bill for healthcare services, could be exposed.
Change has faced criticism from some lawmakers over the delay in sending data breach notifications. In a letter sent early this month, Sens. Maggie Hassan, D-N.H., and Marsha Blackburn, R-Tenn., argued UnitedHealth had taken too long to send letters to affected individuals — in violation of the HIPAA privacy law — and pushed the healthcare giant to mail notifications by June 21.
Providers had raised concerns about who was responsible for sending breach notifications in the wake of the attack, arguing that burden should be placed on Change to avoid duplicative notifications to patients.
Federal regulators confirmed early this month that providers could tap UnitedHealth to send the notifications. The healthcare giant had previously said it could take on notification tasks for providers and other customers.
The notifications come as the impact from the cyberattack continues. Last week, the Biden administration said it would give providers impacted by the attack extra time to request out-of-network billing arbitration under the No Surprises Act.
However, the CMS also said this week it would wind down a Medicare funding program that offered financial support for providers who had struggled to receive payment during the Change outage.