You have4 free articles left this month.
Register for a free account to access unlimited free content.
You have 4 free articles left this month.
Register for a free account to access unlimited free content.
Powered by MOMENTUM MEDIA
lawyers weekly logo

Powered by MOMENTUMMEDIA

Breaking news and updates daily. Subscribe to our Newsletter
Advertisement

UnitedHealth to cop notification burden for affected healthcare orgs

The US health department has advised that healthcare providers affected by the Change Healthcare cyber attack earlier this year can request that UnitedHealth notify those affected.

UnitedHealth to cop notification burden for affected healthcare orgs
expand image

UnitedHealth’s Change Healthcare suffered a major cyber attack in February, resulting in the company’s systems being taken offline and leaving healthcare providers across the US without claims infrastructure, resulting in many of their operations coming to a standstill.

In an effort to take the burden of the incident off of healthcare organisations affected by the cyber attack, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has said that affected institutions can request that UnitedHealth notify the affected individuals.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR director Melanie Fontes Rainer in a statement

The update comes as the healthcare giant is still yet to notify those affected, which its CEO Andrew Witty revealed last month was “maybe a third” of all Americans.

UnitedHealth said it will still be several months before it would be able to identify all those affected and begin notifying them, despite the attack occurring on 21 February, over three months ago, and US law stating that individual patients must be notified of a data breach within 60 days of discovery.

The attack on Change Healthcare was originally believed to have been by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).

UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.

As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransomware payment. Not long after, the group published some data claiming the entirety of it was now for sale to the highest bidder.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
You need to be a member to post comments. Become a member for free today!

Comments (0)

Cyber Daily Comments
Attach images by dragging & dropping or by selecting them.
The maximum file size for uploads is MB. Only files are allowed.
 
The maximum number of 3 allowed files to upload has been reached. If you want to upload more files you have to delete one of the existing uploaded files first.
The maximum number of 3 allowed files to upload has been reached. If you want to upload more files you have to delete one of the existing uploaded files first.
Posting as

    newsletter
    cyber daily subscribe
    Be the first to hear the latest developments in the cyber industry.