(Reuters) – The U.S. Department of Health and Human Services has agreed to allow UnitedHealth Group Inc. to notify people whose data was exposed during a hack on its Change Healthcare unit in February, the Wall Street Journal reported on Wednesday.
The decision would spare U.S. hospitals and healthcare providers from time-consuming and expensive work, according to the report.
For months, hospitals and other care providers have urged the HHS to shift the notification burden to UnitedHealth and its unit, as the providers lack the money and information to do so.
HHS agreed on May 31, making an exception to the federal Health Insurance Portability and Accountability Act, which generally mandates the provider notify victims, the report said.
The company, HHS and the Senate Finance Committee did not immediately respond to Reuters requests for comment.
UnitedHealth said it was still conducting an investigation into what data was breached by hackers, the newspaper reported, citing the company’s responses to questions from the Senate Finance Committee.
The company also warned the breached data could contain sensitive information such as names, addresses, medical codes and insurance numbers, the report said.
Earlier in May, the healthcare conglomerate’s CEO Andrew Witty told a Congressional committee that hackers potentially stole a third of Americans’ data in the cyberattack, which led to disruptions in processing medical claims that the company is still trying to fix.
Its Change Healthcare unit, which handles healthcare billing, data systems and many other services, is involved in about one in three patient records in the U.S., and the cyberattack disrupted the entire nation’s healthcare system, with payments to doctors and healthcare facilities disrupted for a month.