UnitedHealth to cop notification burden for affected healthcare orgs

The US health department has advised that healthcare providers affected by the Change Healthcare cyber attack earlier this year can request that UnitedHealth notify those affected.

UnitedHealth’s Change Healthcare suffered a major cyber attack in February, resulting in the company’s systems being taken offline and leaving healthcare providers across the US without claims infrastructure, resulting in many of their operations coming to a standstill.

In an effort to take the burden of the incident off of healthcare organisations affected by the cyber attack, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has said that affected institutions can request that UnitedHealth notify the affected individuals.

You’re out of free articles for this month

Username or Email

Password Forgot password?

Keep me signed in on this device.

First Name

Last Name

Mobile

Organisation Type

By becoming a member, I agree to receive information and promotional messages from Cyber Daily. I can opt out of these communications at any time. For more information, please visit our Privacy Statement.

Need help signing up? Visit the Help Centre.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR director Melanie Fontes Rainer in a statement

The update comes as the healthcare giant is still yet to notify those affected, which its CEO Andrew Witty revealed last month was “maybe a third” of all Americans.

UnitedHealth said it will still be several months before it would be able to identify all those affected and begin notifying them, despite the attack occurring on 21 February, over three months ago, and US law stating that individual patients must be notified of a data breach within 60 days of discovery.

The attack on Change Healthcare was originally believed to have been by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).

VIEW ALL

UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.

As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransomware payment. Not long after, the group published some data claiming the entirety of it was now for sale to the highest bidder.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

You need to be a member to post comments. Become a member for free today!

newsletter

Be the first to hear the latest developments in the cyber industry.

UnitedHealth to cop notification burden for affected healthcare orgs

Daniel Croft

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED