A “substantial proportion” of Americans may have been impacted by the Change Healthcare breach, according to parent company UnitedHealth.
The hacked healthcare organisation released a new update statement overnight, revealing some of its investigative findings as well as its progress in restoring its systems.
According to the release, UnitedHealth has determined that the files potentially accessed and exfiltrated by threat actors could contain the health and personal data of a concerning number of Americans.
“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” said UnitedHealth.
“To date, the company has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”
The company added that due to the “ongoing nature and complexity of the data review”, it will not be able to identify and notify those affected for several months as data analysis is conducted.
“We know this attack has caused concern and been disruptive for consumers and providers, and we are committed to doing everything possible to help and provide support to anyone who may need it,” said UnitedHealth Group chief executive Andrew Witty.
Notifying its customers isn’t the only thing that is taking UnitedHealth a long time, according to the Department of Health and Human Services (HHS), which revealed that neither UnitedHealth nor Change Healthcare had completed Health Insurance Portability and Accountability Act (HIPAA) breach reports.
In its frequently asked questions, the HHS’ Office for Civil Rights released new guidance in which it reiterated that affected entities are required to complete HIPAA reports within two months of the breach being discovered.
“Covered entities have up to 60 calendar days from the date of discovery of a breach of unsecured protected health information to file breach reports to OCR’s breach portal for breaches affecting 500 or more individuals,” said the HHS Office for Civil Rights.
However, despite the Change Healthcare breach being announced by the organisation on 21 February and the latest HHS notice being posted 61 days later, on 22 April, UnitedHealth has yet to submit these reports.
The HHS also added that entities affected by the Change Healthcare breach are required to notify affected individuals “without unreasonable delay”. It could be argued that UnitedHealth’s warning that notifications may not occur for “several months”, over two months after the breach was discovered, would qualify as unreasonable delay.
UnitedHealth Group offered to do notification work for its clients and customers “where permitted” as part of its support for those affected.
Additionally, it said that it has made “strong progress” in restoring its systems following the breach, citing a number of areas that are at near-normal levels.
“Pharmacy services are now back to near-normal levels, with 99 per cent of pre-incident pharmacies able to process claims,” said UnitedHealth.
“Medical claims across the US health system are now flowing at near-normal levels as systems come back online or providers switch to other methods of submission,” it added, recognising that a small number of providers had been “adversely impacted” and that alternative solutions are being devised.
Additionally, Change Healthcare’s payment processing, which accounts for roughly 6 per cent of all US healthcare system payments, is at roughly 86 per cent of pre-incident levels. Overall, the group is at roughly 80 per cent of pre-incident functionality.