UnitedHealth, an American healthcare insurance and services provider, faced a massive data breach in February that affected the Change Healthcare unit. The hack may affect up to a third of American citizens. It’s already caused widespread problems with filing medical insurance claims across the country.
After several months of silence, healthcare providers can finally ask UnitedHealth to inform its customers of the breach.
Normally, if a third-party company faces a data breach, it’s still the responsibility of the main company to inform companies of the hack and disclose what happened within 60 days. However, The US Department of Health and Human Services (HHS) deemed that UnitedHealth bears that responsibility and that it’s up to them to inform customers. As of now, it’s past the 60-day marker.
“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” states the HHS’ Office for Civil Rights.
UnitedHealth CEO Andrew Witty, had to testify to Congress last month about the breach. At the time they stated that it would likely take several months before they were ready to inform customers while touting that they had rebuilt their systems and insurance claims were flowing back to normal.
According to the company, an investigation is still underway and must wrap up before they’re ready to inform the public. The hack came from an unsecured computer on their network.
Congress was not satisfied with the company’s response.
“Your revenues are bigger than some countries’ GDP,” Sen. Marsha Blackburn (R) said. “And how in heaven’s name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable?”
While there are no official notices as of yet, UnitedHealth has stated that the breach could contain sensitive data such as full names, addresses, insurance numbers, and medical codes