UnitedHealth Group’s response to a major cyberattack in February that wreaked havoc with medical payments nationwide has been “inadequate” and must be improved immediately, a group of 22 state attorneys general (AGs) told the company.
Change Healthcare, a unit within UnitedHealth’s Optum division, handles 15 billion transactions each year for providers and pharmacies. The cyberattack brought much of the country’s payment processing to a standstill, as the systems themselves were not just infiltrated but damaged. The personal health data of “a substantial proportion of people in America” might have been among the compromised files, the company said, and it confirmed it paid at least one ransom related to the attack.
In a letter dated April 25 to UnitedHealth Chief Executive Andrew Witty, the AGs said providers and facilities have been unable to reach UnitedHealth for assistance in bringing their payment processes back online. Hospitals and others are contacting UnitedHealth and Change Healthcare for information about what data has been breached and which vulnerabilities in the processing systems have been patched.
Many providers have been unable to get through to the companies for help, and their offer of financial support “has been paltry,” as little as $10 per week, the AGs said.
UnitedHealth and Change Healthcare “have an obligation to take action to limit the harm to our states’ care providers and patents,” the AGs said. The companies must take “immediate steps” to protect the care infrastructure for as long as processing systems are impacted and the medical claims backlogs are dealt with, they said.
At the top of the list of demands by the AGs was for the companies to spend more on financial assistance to all providers and pharmacies affected and to eliminate any clauses that include “onerous” legal terms about liability and statute of limitations.
The companies should also identify steps they will take to eliminate the backlog of medical claims nationwide because of the cyberattack and create a designated complaint resolution system.
“We trust that, after receiving this letter, your companies will work with the attorneys general to assist our providers, pharmacies, and patients who have been adversely affected by the cyberattack,” the AGs wrote.
UnitedHealth didn’t respond to a request for comment regarding the letter.
Change Healthcare is under investigation by the Department of Health and Human Services’ Office for Civil Rights for possibly violating the breach notification requirements of the Health Insurance Portability and Accountability Act.
Witty has been summoned to testify Wednesday before the U.S. House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations about the company’s response to the incident.
No comments yet