Go after UnitedHealth, not us, 100+ medical groups urge Uncle Sam
Why should we get its paperwork?
More than 100 medical industry groups have asked the Feds to make UnitedHealth Group, not them, go through the rigmarole of notifying everyone about the Change Healthcare ransomware infection.
In a letter to the US Department of Health and Human Services, 102 national and state medical associations – whose members relied on UnitedHealth's IT systems to process patient data – urged HHS Secretary Xavier Becerra to make it crystal clear that their doctors, surgeons, and other healthcare professionals should be off the hook for alerting individuals that their sensitive info was stolen in the February intrusion into UnitedHealth.
They also want assurances that Change Healthcare, and not medical offices themselves, is under the microscope when it comes to the government's investigation into the incident.
In short, UnitedHealth's Change Healthcare got compromised along with people's private medical-related data, there are rules and laws on notifying patients of this kind of privacy breach, and various medical groups whose customer info was affected by this ransomware attack want UnitedHealth to take care of it all.
"We are writing to request more clarity around reporting responsibilities and assure affected providers that reporting and notification obligations will be handled by Change Healthcare," the May 20 letter signed by the American Medical Association, the American Academy of Family Physicians, and others said [PDF].
HHS' Office for Civil Rights (OCR) "should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare's breach," it continued.
This is especially important given the scope of the security breach. While it's still unclear how many individuals' personal and protected health information was stolen during the February ransomware attack, we do know it's a very, very large number of Americans.
"Based on the initial targeted data sampling to date, the company has found files containing protected health information and personally identifiable information, which could cover a substantial proportion of people in America," Change Healthcare's parent company UnitedHealth said in an April statement.
The 1996 US Health Insurance Portability and Accountability Act (HIPAA), designed to protect Americans' medical records and other health-related info, requires entities to notify HHS' Office for Civil Rights, media outlets, and affected individuals about incidents in which more than 500 people's data has been compromised.
Change Healthcare is a HIPAA-covered entity, and the digital intrusion definitely affected more than 500 individuals. "Providers affected by this breach are so numerous that a specific number is not readily available," according to the letter.
It continues:
A simple affirmation from OCR, as requested herein, that UHG, as the covered entity which experienced the breach, is responsible for fulfilling the attendant breach reporting and notification requirements, is badly needed to address the lack of clarity among the community of affected providers. Given UHG's statement that it is prepared to fulfill these reporting and notification requirements, it appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UHG and not to the affected providers. Given the well-documented state of chaos in the provider community in the wake of this breach, OCR's silence on this point is disappointing.
When asked about the HHS letter and medical providers' concerns, a UnitedHealth spokesperson referred The Register to CEO Andrew Witty's congressional testimony on May 1.
"We will, of course, comply with legal requirements and provide notice to affected individuals, and have offered to our customers and clients to provide notice on their behalf where it is permitted," Witty told US lawmakers. "We are working closely with HHS's Office of Civil Rights to make sure our notice is effective, useful and complies with the law."
Also on May 1, Witty told US senators that the business paid $22 million to the extortionists, reportedly an affiliate of the BlackCat/ALPHV ransomware crew.
"As chief executive officer, the decision to pay a ransom was mine," he said. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."
Witty also confirmed to Congress that past and present US military personnel likely had their info stolen during the intrusion.
The total clean-up costs to date associated with the breach have hit $872 million, and are expected to climb even higher. That's in addition to advance funding and interest-free loans UnitedHealth doled out to providers struggling to care for patients amid the disruption. This sum is said to be north of $6 billion. ®