On August 15, 2022, United HealthCare Services, Inc. confirmed that the company experienced a data breach after filing official documents with the Attorney General of Texas. According to United Healthcare, the breach resulted in the names, addresses, health insurance information and medical information being compromised. While United Healthcare has not yet sent out data breach letters to all affected parties informing them of the incident, it is likely that the company will begin doing so in the near future.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the United Healthcare data breach, please see our recent piece on the topic here.
The United Healthcare breach was only very recently reported. Therefore, the details about the breach are very sparse. As of the writing of this article, United Healthcare has not posted notice of the breach on its website, nor has the company issued data breach letters. However, based on the company’s official filings, the data security incident involved the names, addresses, health insurance information and medical information of affected individuals. Given the type of data leaked, it would be fair to assume that the breach impacted patients (rather than employees); however, this has not been confirmed by United Healthcare.
Founded in 1974, United HealthCare Services, Inc. is an insurance company based in Minnetonka, Minnesota. The company offers a wide range of health insurance products, including dental insurance, supplemental health insurance, traditional health insurance, vision, short-term health insurance and employer health insurance plans. United HealthCare Services, Inc. is an umbrella company that operates many other local and regional companies, including Oxford Health Plans LLC. UnitedHealthcare West Region: Health plan coverage provided by UnitedHealthcare of Arizona, Inc., UHC of California DBA UnitedHealthcare of California, UnitedHealthcare Benefit Plan of California, UnitedHealthcare of Colorado, Inc., UnitedHealthcare of Oklahoma, Inc., UnitedHealthcare of Oregon, Inc., UnitedHealthcare of Texas, Inc., UnitedHealthcare Benefits of Texas, Inc., UnitedHealthcare of Utah, Inc. and UnitedHealthcare of Washington, Inc. United Healthcare employs more than 125,000 people and generates approximately $200 billion in annual revenue.
The United Healthcare data breach affected several types of patient data, including names, addresses, insurance information and medical information. While United Healthcare has not provided many details about the incident leading to the breach or what specific type of “insurance” and “medical” information was compromised, based on the available information, it appears that the breach may have leaked patients’ protected health information.
The term protected health information (“PHI”) refers to any data relating to a patient’s past or present health condition or how a patient pays for their healthcare. For example, the results of a patient’s medical imaging test, a patient’s medical history, or a patient’s current list of prescription medications may all be considered protected health information. However, healthcare-related data is only considered protected when it also contains an “identifier” that enables someone to match the data up with a specific patient. For example, common identifiers include patients’ names, email addresses, physical addresses, photographs or Social Security numbers.
Because the United Healthcare breach resulted in “insurance information” and “medical information,” as well as patients’ names and addresses, it is likely that any leaked healthcare data was indeed “protected healthcare information.”
But what is the significance of the fact that protected healthcare data may have been compromised? From a patient’s perspective, this means that, should anyone obtain this data, they have sufficient information about a patient to carry out healthcare identity fraud.
Healthcare identity theft is similar to the more commonly-known financial identity theft; however, healthcare identity theft is often much more difficult to resolve and comes at a far greater cost to patients. Not only that, but unlike financial identity theft, healthcare data breaches can put patients’ physical health at risk.
For example, in the wake of a successful healthcare breach, a hacker can sell the patient data they obtained to a third party who intends to use the information to obtain medical care in the victim’s name. In doing so, the third-party “patient” may give healthcare providers their own medical information, which often gets mixed up with the victim’s own information. For instance, a pretend patient may give a treating physician a list of their own medications, allergies, or medical history. This can result in the real patient’s medical record containing inaccurate information the next time they go to the doctor for treatment.
Those who have their protected health information leaked in a data breach should take all necessary precautions to reduce the chances of healthcare identity theft, including reviewing their medical records. Patients who have questions about how to hold a company accountable for the theft of their information should reach out to a data breach lawyer for assistance.