Ransomware, Governance, Risk and Compliance, Privacy

Change Healthcare receives HHS permission on breach notifications

United Health Group CEO Andrew Witty

UnitedHealth Group's Change Healthcare was permitted by the Department of Health and Human Services to issue breach notices for the healthcare providers impacted by the widespread ransomware attack following severe opposition to a previous pronouncement requiring all affected organizations to file their own notifications, reports The Record, a news site by cybersecurity firm Recorded Future.

Such a change "ensures that the potentially millions of Americans, including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more, will understand the impact of this breach on their private medical records and their healthcare," said HHS Office for Civil Rights Director Melanie Fontes Rainer.

Numerous healthcare groups, including the American Hospital Association, expressed support for the HHS's decision.

"As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack," said AHA Secretary and General Counsel Chad Golder.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

You can skip this ad in 5 seconds