Who is Responsible for Change Healthcare Ransomware Notification?
More than 100 medical associations have asked the US Department of Health and Human Services (HHS) to clarify who is responsible for notifying affected individuals about the Change Healthcare ransomware attack. The letter asks that HHS require UnitedHealth Group to notify people whose information was compromised in the ransomware attack. The letter also asks that the HHS investigation focus on Change Healthcare, not the offices that were affected by the incident.
Editor's Note
Because what is really important after a breach is to find a way to abscond your responsibility to customers. If you lost the data, you need to notify. The entity suffering the breach should also have the best information identifying what data was exactly lost.

Johannes Ullrich
On the face of it, the 100+ medical associations have the relationship with the affected individuals, not the out-sourced billing provider. That said, Change Healthcare should make those medical associations whole for all costs associated with this security incident. That includes the costs associated with victim notification and any credit monitoring services offered.

Curtis Dukes
In our interconnected world, this question is likely to arise again and again. We must await more experience to arrive at a general rule. That said, Change Healthcare continues to have other priorities for the moment. One hopes that this question does not distract them.

William Hugh Murray
Reg Media: Letter (PDF)
The Register: Go after UnitedHealth, not us, 100+ medical groups urge Uncle Sam