Two senators accused UnitedHealthcare of violating HIPAA because the company has not sent out breach notifications for the February cyberattack on Change Healthcare, one of its subsidiaries.
On June 7, Sen. Margaret Wood Hassan and Sen. Marsha Blackburn wrote a letter to Andrew Witty, CEO of UnitedHealth Group, urging him to send a breach notification letter for the Change incident to individuals and businesses affected by June 21.
Additionally, Ms. Hassan and Ms. Blackburn accused UnitedHealth Group of violating HIPAA by dragging out the notification process.
"The Health Information Portability and Accountability Act … requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach," the senators wrote.
In April, Change Healthcare said data stolen by hackers during the attack likely covers a "substantial proportion of people in America." Further, HHS said Change would assume full responsibility for providing breach notifications on behalf of health systems and providers affected by the incident.
"We appreciate [the Office of Civil Rights'] recent clarification that providers and other HIPAA-covered entities can delegate their notice obligations to Change, which reiterated our previously stated preference to ease the reporting obligations of our customers," UnitedHealth Group told Becker's in an emailed statement. "As a result, we are working with our customers to ensure the notification process meets their needs and satisfies legal obligations."