Thursday, June 13, 2024

Senators Marsha Blackburn & Margaret Wood Hassan Tell UnitedHealth Group They are in Violation of HIPAA


The mess from the hack of Change Healthcare (owned by UnitedHealth Group) just keeps getting worse.

A few months ago (February 2024) Change was subjected to a massive security breach.  The hack shut down multiple systems that affected both patients and doctors.  Patients could not get life needed medications due to pharmacies being affected, while doctors could not be reimbursed for submitted procedures. It was a *huge* cluster and I've actually been told by a few doctors that they are STILL trying to get reimbursed for some procedures billed months ago.   The event was such a big news item that we even discussed it as part of my appearance on Dentists In the Know "Hump Day Happy Hour" back in March.

As problems piled up from the hack, Change Healthcare finally ended up paying a $22 million ransom to get their systems back online.  The event was a massive story due to the impacts that spread out like a tidal wave generated by an asteroid landing in the ocean.  Change eventually stated that a "substantial proportion of people in America" had data stolen during the hack.  Of course, Change is now back online, but that data which was copied and whisked away into the ether still exists on some hidden servers somewhere and is now in the hands of the type of people who perpetrated the attack in the first place.

I've discussed the paying of the ransom a bit here in the past and I think Change probably didn't have much of a choice in doing so.  Never mind the doctor side of things, the patients affected needed medications and other things and getting the systems back online to provide those things was most likely the best way to rectify the problem quickly.  

The breach was a huge HIPAA violation and Change went on the record as saying that they would handle the patient notifications and other things HIPAA requires for all the entities involved.  Providers were scrambling trying to understand if they would need to bear the costs of notifying patients of the breach, among other things.  Change stepped in and said they would handle those things for every healthcare provider affected.  I thought that was absolutely the right thing to do.

However, if UnitedHealth Group didn't want any more bad PR, the company should have done everything necessary to keep this moving forward.  Now comes word that the company still hasn't sent out the notifications to patients that are required by law under HIPAA.  US Senators Marsha Blackburn & Margaret Wood Hassan announced they sent a letter to UnitedHealth Group's CEO on June 7th to point out that HIPAA requires notifications be sent to patients within 60 days and yet 3 months later, those have not been sent.  The letter also gives UHG a bit of an ultimatum stating "We ask that you immediately commit to doing so and send us your plan to notify individuals and business partners, with those data breach notifications no later than June 21, 2024."

I'll admit that trying to get all this together, especially when you are covering every entity affected, is daunting and I'm sure a task fraught with complications.  I cannot begin to imagine the scope of trying to get all of this figured out.  There are probably legal commitments and things to sign between UHG and the parties covered by HIPAA that they are representing.  However, the law is the law.  If UHG is having a problem meeting a deadline, that should have been made publicly clear.  I've followed this situation pretty closely and I haven't heard anything about this delay.  To be fair though, I am not reviewing every covered moment of this.  Perhaps UHG has made this slip up known to the proper agencies and I have simply missed it.  However I think if they *had* made it known, these senators would not have felt the need to write a letter pointing out the missed deadline.

The letter can be found here, in a pdf format that can be downloaded if you'd like to have it.  However I'm also providing the content here:

June 7, 2024 

Mr. Andrew Witty 

Chief Executive Officer 

UnitedHealth Group 

P.O. Box 1459 

Minneapolis, MN 55440 

Dear Mr. Witty: 

We write to urge UnitedHealth Group (UHG) and its subsidiaries, including Change Healthcare, to assume full and immediate responsibility for notifying all affected patients and providers, as well as federal and state regulators, about the impact of the ransomware attack on Change Healthcare. 

As you are aware, patients and providers continue to deal with the aftermath of the ransomware attack on Change Healthcare in February 2024, which plunged many health care providers into a financial crisis and compromised personal information for “a substantial proportion of people in America.”(1) On May 1, you acknowledged during a House Committee hearing that the Change Health Care hack exposed the Protected Health Information and Personally Identifiable Information of "maybe a third" of Americans. (2) Yet, more than three months after UHG discovered the attack, millions of Americans are still in the dark about the vulnerability of their personal data and health information.(3) 

UHG claims to have been undertaking a comprehensive analysis to identify and notify impacted individuals and has committed that the company will “make notifications and undertake related administrative requirements on behalf of any provider or customer.” (4) However, as of June 6 UHG continues to be in violation of the Health Information Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach. UHG must also formally notify impacted business partners, including health care providers, in accordance with HIPAA and state law. 

Without urgent action from UHG, patients and providers will continue to be left without any information about the scope of the data breach. To mitigate any confusion among the affected parties, we urge UHG to assume sole responsibility for all breach notifications by formally notifying OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities. 

We ask that you immediately commit to doing so and send us your plan to notify individuals and business partners, with those data breach notifications going out no later than June 21, 2024. Thank you for your attention to this urgent matter.

1 UnitedHealth Group Updates on Change Healthcare Cyberattack, April 22, 2024. 22-uhg-updates-on-change-healthcare-cyberattack.html 

2 UnitedHealth CEO Testifies Before House Subcommittee on Cyber Attack Against Change Healthcare, May 1, 2024. 

3 UnitedHealth Group was made aware of the breach on February 21, 2024; 

4 UnitedHealth Group Updates on Change Healthcare Cyberattack, April 22, 2024. 22-uhg-updates-on-change-healthcare-cyberattack.html

1 comment:

  1. As long as ransomware is profitable it will continue.

    As soon as everyone takes the stereotypical US stance "we don't negotiate with terrorists" it will start going away.

    Of course having a backup system that is airgapped or nearly airgapped works wonders.

    Our backup network is almost entirely isolated. It's connected to a router (not Cisco, not Sonicall, not Fortigate, not Windows, etc...) that only serves NTP and DNS to the backup network. It does so through an ethernet bridging box that doesn't have network connectivity or an IP. The bridging box ensures only NTP and DNS come in, and only SSH goes out. The backup network is otherwise completely isolated and the backup machines only have SSH running and exposed...and they are running their own firewall too. Each backup box has a set of customer IPs they can connect out to. Each customer runs our storage appliance and the backup happens by SSH pull. SSH uses keys (not password auth) everywhere. Customer data is fully encrypted on their disks and that encrypted data is pulled to a machine on the backup network. Hourly backups are stored for a few days. Daily backups are stored for a month. Monthly backups are stored for a year. Yearly backups are stored indefinitely as space allows. Each backup box has ~50 TB of storage. Last week we had to purge all the 4 year old backups to free up space.

    Pretty much the only way you're going to compromise the backups is by physically getting to them...and that would be challenging, or by compromising the hardware before it gets assembled into a server.

    It won't stop PHI from being leaked at customer sites by your average cheap MSP, but at least you won't have to pay a ransom to get your data back. Just a few hundred bucks for hard drives, and the cost of overnight priority shipping.