A “substantial proportion” of Americans may have been affected by the Change Healthcare breach, according to parent company UnitedHealth.
The hacked healthcare organization released a new update overnight, revealing some of the findings of its investigation, as well as its progress in restoring its systems.
According to the statement, UnitedHealth has determined that files potentially accessed and exfiltrated by threat actors could contain personal and health data of a concerning number of Americans.
“Based on initial sampling of targeted data to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in the United States,” UnitedHealth said.
“To date, the company has not seen evidence of exfiltration of materials such as medical records or complete medical records among the data.”
The company added that due to the “ongoing nature and complexity of the data review,” it will not be able to identify or notify those affected for several months while the data analysis is performed.
“We know this attack has caused concern and been disruptive to consumers and providers, and we are committed to doing everything we can to help and support anyone who needs it,” said UnitedHealth Group CEO Andrew Witty.
Notifying its customers isn’t the only thing that’s taking UnitedHealth a long time, according to the Department of Health and Human Services (HHS), which revealed that neither it nor Change Healthcare had completed Health Insurance Portability and Accountability Act (HIPAA) breach reports.
In its FAQ, the HHS Office for Civil Rights released new guidance reiterating that affected entities must complete HIPAA reports within two months of discovery of the breach.
“Covered entities have up to 60 calendar days from the date of discovery of a breach of unsecured protected health information to submit breach reports to the OCR breach portal for breaches affecting 500 or more individuals,” the HHS Office for Civil Rights said.
However, even though the organization announced the Change Healthcare breach on February 21 and the latest HHS notice was published 61 days later on April 22, UnitedHealth has yet to file these reports.
HHS also added that entities affected by the Change Healthcare breach must notify affected individuals “without unreasonable delay.” One could argue that UnitedHealth’s warning, issued more than two months after the breach was discovered, that notifications may not occur for “several months” would qualify as an unreasonable delay.
UnitedHealth Group has offered to perform notification work on behalf of its clients “when permitted” as part of its support for those affected.
Additionally, it said it has made “great progress” in restoring its systems following the breach, citing a number of areas that are at near-normal levels.
“Pharmacy services are now back to near normal levels, and 99 percent of pre-incident pharmacies are able to process claims,” UnitedHealth said.
“Medical claims across the US healthcare system are now flowing at near-normal levels as systems come back online or providers shift to other submission methods,” it added, acknowledging that a small number of suppliers had been “negatively impacted” and that alternative solutions are being devised.
Additionally, Change Healthcare’s payment processing, which represents approximately 6 percent of all U.S. healthcare system payments, is at approximately 86 percent of pre-incident levels. Overall, the group is at approximately 80 percent of its pre-incident functionality.