Managing the Impacts of the Change Healthcare Cyberattack

Friday, April 26, 2024

UnitedHealth Group (“UHC”) announced on April 22, 2024, that it had paid a ransom to protect patient data potentially acquired in a late February cyberattack on its subsidiary Change Healthcare (“CHC”). In its announcement, UHC provided an update on the ongoing data review, which it estimates will take several months to complete. However, to date, UHC has not officially notified affected health plans and their participants that a breach has occurred. Based on its initial sampling, UHC reported that it has found files containing protected health information (“PHI”) or personally identifiable information (“PII”), which could cover a substantial portion of people in America. Thus far, UHC and industry experts have located 22 screenshots, some containing PHI and PII, that were publicly accessible on the dark web for approximately one week.

What to do next?

HIPAA requires that covered entities (which include health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards) designate a privacy officer[1] and a security officer[2] (collectively, “HIPAA Officer”) to develop HIPAA privacy and security programs.

Oftentimes, health plans that are subject to HIPAA are also subject to duties under the Employee Retirement Income Security Act (“ERISA”). An ERISA fiduciary includes anyone who exercises any discretionary authority or control over the management of an ERISA plan. No guidance specifically provides that a HIPAA Officer is a fiduciary under ERISA. However, when an individual has sufficient discretion over the policies, procedures, and implementation of ERISA-regulated plans, the individual will likely be considered an ERISA fiduciary. Therefore, HIPAA Officers are likely ERISA fiduciaries because they have discretion over the creation, implementation, training, and sanctions associated with HIPAA policies and procedures.[3]

ERISA requires those responsible for administering plans to do so prudently and for the exclusive benefit of plan participants and beneficiaries. Pursuant to the Department of Labor’s (“DOL”) best practices, ERISA fiduciaries must take appropriate precautions to mitigate risks of malfeasance to their plans, including risks that arise from cyberthreats.[4] HIPAA does not require covered entities to notify individuals about the possibility, or even the likelihood, of a breach before receiving confirmation that such individuals’ PHI was impermissibly used or disclosed. If the entity is governed by ERISA, however, the HIPAA Officer likely holds a responsibility under DOL best practices to notify plan participants and mitigate any potential harm as soon as he or she is aware of a potentially harmful event.

To mitigate any harm resulting from the CHC breach, we recommend that ERISA-regulated plans which may be impacted by the breach inform their plan participants of the CHC event. Such plans should direct their participants to call the toll-free number (1-866-262-5342) listed on the consumer website to request two years of free credit monitoring.

Once UHC provides official notice of a breach, ERISA-regulated plans impacted by the breach may want to revisit and update their risk analyses. Each plan should verify that the underlying risks and threats that resulted from the breach are addressed in its risk analysis.


[1] 45 CFR §164.530(a)(1).

[2] 45 CFR §164.308(a)(2).

[3] See generally, 45 CFR §§164.530(b)(1), 164.530(e)(1), and 164.530(e)(1).

Copyright ©2024 Nelson Mullins Riley & Scarborough LLP