Home Health & Hospice Week

Mergers & Acquisitions:

UnitedHealth Plans Breach Notifications, Amedisys Divestitures

Congress calls CEO on the carpet.

It’s a busy time for UnitedHealth Care Group Inc.

After getting hit with one of the largest and most disruptive healthcare cyberattacks seen to date, a representative for the health behemoth finally showed up to take a shellacking from Congress.

After failing to show at an April 16 congressional hearing on its massive cyberattack via subsidiary Change Healthcare, UnitedHealth CEO Andrew Witty appeared as the sole witness in a May 1 Senate Finance Committee hearing called “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”

Witty’s admissions in the session included that the hack is believed to be caused by a stolen password and lack of multifactor authentication, and that it was his sole decision for the company to pay the $22 million ransom.

Home health and hospice providers may be most interested in lawmakers’ messages about cybersecurity.

“Federal agencies need to fast track new cybersecurity rules for Americans’ private medical records and Congress needs to watchdog this every day to make sure everything possible is done to protect patient data,” stressed Finance Committee Chair Ron Wyden (D-Ore.) in a prepared hearing statement.

“Meeting a baseline of essential cybersecurity standards is a must, but is meaningless without equally strong enforcement,” Sen. Wyden said. “HHS has not conducted a proactive cybersecurity audit in seven years. As it stands, if a company does not comply with existing cybersecurity regulations, the fines amount to nothing more than a slap on the wrist,” he criticized.

Meanwhile, affected providers may want to start thinking about the burden of HIPAA breach notices. In a May 8 letter to Witty, the American Hospital Association and five other hospital groups urged UnitedHealth to “officially inform the [HHS] Office for Civil Rights (OCR) and state regulators that UHG will be solely responsible for all breach notifications required under law and provide them with a timeline for when those notifications will occur.”

Without a unified system, “multiple notifications of this same breach” would “cause public confusion, misunderstandings and added stress” for patients and “impose unnecessary costs” on providers, the AHA-led letter warns.

Impact On Amedisys

Wyden also took aim at UnitedHealth’s massive footprint in health care. “The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” he blasted, noting that the company reported $324 billion in revenues last year. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack,” he urged.

That antitrust emphasis may affect UnitedHealth’s pending acquisition of national home health and hospice chain Amedisys Inc. Last summer, the Baton Rouge, La.-based chain accepted a $3.3 billion offer from UnitedHealth via its Optum division (see HHHW by AAPC, Vol. XXXII, No. 23). UnitedHealth bought home health giant LHC Group Inc. earlier in the year for $5.4 billion.

Unconfirmed reports say Amedisys may shed 100 locations to satisfy regulators and advance the acquisition. But even that may not seal the deal in this environment, observers suspect.

Other Articles in this issue of

Home Health & Hospice Week

View All