On June 20, Change Healthcare announced that it began notifying healthcare providers and other customers whose patient data was stolen during a cyberattack in February. The company stated that they plan to start mailing letters to the affected individuals in late July after a data review has been completed.
The Department of Health and Human Services made an announcement on May 31 that hospitals and health systems could require UnitedHealth Group (UHG), the owner of Change Healthcare, to notify patients if their data was part of the stolen information during the cyberattack. The American Hospital Association and other hospital groups had previously urged UHG to issue breach notifications on behalf of providers or customers if protected health information or personally identifiable information was compromised.
In a testimony on May 1 during a House Energy and Commerce Subcommittee on Oversight And Investigations hearing, UHG CEO Andrew Witty stated that a “significant portion of the population” is expected to be affected by the breach. This incident highlights the risks associated with having critical health care services and data centralized within UHG.
