cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

UnitedHealth to cop notification burden for affected healthcare orgs

The US health department has advised that healthcare providers affected by the Change Healthcare cyber attack earlier this year can request that UnitedHealth notify those affected.

user icon Daniel Croft
Fri, 14 Jun 2024
UnitedHealth to cop notification burden for affected healthcare orgs
expand image

UnitedHealth’s Change Healthcare suffered a major cyber attack in February, resulting in the company’s systems being taken offline and leaving healthcare providers across the US without claims infrastructure, resulting in many of their operations coming to a standstill.

In an effort to take the burden of the incident off of healthcare organisations affected by the cyber attack, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has said that affected institutions can request that UnitedHealth notify the affected individuals.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR director Melanie Fontes Rainer in a statement


The update comes as the healthcare giant is still yet to notify those affected, which its CEO Andrew Witty revealed last month was “maybe a third” of all Americans.

UnitedHealth said it will still be several months before it would be able to identify all those affected and begin notifying them, despite the attack occurring on 21 February, over three months ago, and US law stating that individual patients must be notified of a data breach within 60 days of discovery.

The attack on Change Healthcare was originally believed to have been by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).

UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.

As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransomware payment. Not long after, the group published some data claiming the entirety of it was now for sale to the highest bidder.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.