UHG CEO Details Breach Responses, Ransom Payment, Pledges Notifications

Even before officials informed UnitedHealthcare Group (UHG) CEO Andrew Witty that Change Healthcare—a clearinghouse UHG subsidiary Optum had purchased in 2022—was in the throes of a ransomware attack, “our team had followed the right steps and disconnected Change from all other connections because it was critical to prevent the infection [from] affecting any other provider or network in the country,” according to Witty.[1]

Witty was in a board meeting on Feb. 21 when officials interrupted with the news. Eventually, they learned entrance was actually gained nine days earlier via a single, external “portal” that—contrary to UHG policy—was not protected by multi-factor authentication, Witty recently testified before the Senate Finance Committee. This disconnection “worked,” he said. “We contained the blast radius to just Change.”

But however “contained” Witty believed the blast to be, the ripples continue months later. UHG itself is now working to identify and notify affected patients, which may relieve universities’ medical schools, teaching affiliates and hospitals that use Change Healthcare to process claims, prescriptions or other transactions involving protected health information of this obligation.

Witty described other steps UHG took after the biggest health care data breach in history, including building a new system “from scratch,” as well as addressing issues related to notification.

Under the HHS Office for Civil Rights (OCR) Breach Notification Rule, covered entities and business associates also must notify the agency within 60 days of learning of a breach. In March, OCR reminded organizations “of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”[2]
