UnitedHealth Group has confirmed that the widespread breach of its subsidiary Change Healthcare in February resulted in the compromise of names, birthdates, addresses, phone numbers, and email addresses, according to The Record, a news site by cybersecurity firm Recorded Future.
While there has been no evidence suggesting the theft of complete medical histories and doctors' charts, attackers may have obtained patients' other personal data, health information, health insurance details, and billings, claims, and payment data, said UnitedHealth in an advisory, which comes two weeks after Change Healthcare was permitted by the federal government to issue breach notifications to individuals impacted by the incident. Such a disclosure was welcomed by Sens. Maggie Hassan, D-N.H., and Marsha Blackburn, R-Tenn., but the delay may constitute a violation of the Health Insurance Portability and Accountability Act. "While this is a step in the right direction, the company must find ways to move more quickly to directly notify patients that their personal information is at risk," said Hassan.