Blackburn, Hassan Urge UnitedHealth Group CEO to Inform Patients About Potential Leak of Personal Information in Cyberattack

June 7, 2024

WASHINGTON, D.C. – U.S. Senators Marsha Blackburn (R-Tenn.) and Maggie Hassan (D-N.H.) urged UnitedHealth Group CEO Andrew Witty to quickly assume responsibility for informing patients, providers, and federal and state regulators about the patient data that was exposed in the February ransomware attack on Change Healthcare.

As the Senators make clear, UnitedHealth Group continues to be in violation of the Health Information Portability and Accountability Act (HIPAA), which requires covered entities to notify individuals of a known or suspected data breach within 60 days of discovering the breach.

“Patients and providers continue to deal with the aftermath of the ransomware attack on Change Healthcare in February 2024,” wrote the Senators. “On May 1, you acknowledged during a House Committee hearing that the Change Healthcare hack exposed the Protected Health Information and Personally Identifiable Information of ‘maybe a third’ of Americans. Yet, more than three months after UHG discovered the attack, millions of Americans are still in the dark about the vulnerability of their personal data and health information.”

“Without urgent action from UHG, patients and providers will continue to be left without any information about the scope of the data breach,” continued the Senators. “To mitigate any confusion among the affected parties, we urge UHG to assume sole responsibility for all breach notifications by formally notifying OCR, state regulators, Congress, the media, and health care providers that it intends to complete all breach notifications on behalf of all HIPAA-covered entities. We ask that you immediately commit to doing so and send us your plan to notify individuals and business partners, with those data breach notifications going out no later than June 21, 2024.”

The full text of the letter is here.