Frustrated with Change Healthcare breach, senators propose removing limits on HIPAA fines

Linda Barbour thought she was more interested in the Change Healthcare cyberattack than most. Having worked as a medical director for several large health insurance companies and having suffered through the Change fiasco herself as a rehab doctor with a private practice in Kansas City, she figured that if her data had been exposed in that February breach, she would have been notified by now.

Barbour did finally get a letter from Change — in October. “Getting it at this point, this delayed, there’s really nothing that I could do because so much time had passed,” she said.

By law, companies have 60 days to notify individual customers if their personally identifiable health data was compromised. Missing that deadline could attract fines from the Department of Health and Human Services (HHS), but it’s unclear whether the deadline applied to Change, because it did not contract with patients directly and because of a lack of clarity in how HHS defines when the clock starts after a breach.
