US health dept says UnitedHealth can notify patients of data breach

(Reuters) -U.S. healthcare providers can ask UnitedHealth Group to notify people whose data was exposed during a hack on the company's Change Healthcare unit in February, according to an update on the health department's website.

The news comes as a relief for U.S. hospitals and healthcare providers that had urged the Department of Health and Human Services (HHS) to shift the notification responsibility to UnitedHealth and its unit.

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," the HHS' Office for Civil Rights (OCR) said in an update dated May 31.

U.S. law states data breaches must be reported to individual patients within 60 days of discovery.

A UnitedHealth spokesperson said the company appreciates the clarification from OCR, which "reiterates our stated preference to ease the reporting obligations of our customers".

Earlier in May, the healthcare conglomerate's CEO Andrew Witty told a Congressional committee that hackers potentially stole a third of Americans' data in the Feb. 21 cyber attack that led to disruptions in processing medical claims. The company is still trying to fix the processing snags.

Witty had also said the company continued to investigate the amount of data involved and thought it was "going to be substantial".

UnitedHealth warned the breached data could contain sensitive information such as names, addresses, medical codes and insurance numbers, the Wall Street Journal reported earlier in the day, citing the company's responses to questions from the Senate Finance Committee.

The breach at the unit, which handles healthcare billing, data systems and many other services, has caused widespread disruptions in claims processing, impacting patients and providers across the country.

(Reporting by Sriparna Roy and Mariam Sunny in Bengaluru; Editing by Devika Syamnath)