Linda Barbour thought she was more interested in the Change Healthcare cyberattack than most. Having worked as a medical director for several large health insurance companies and having suffered through the Change fiasco herself as a rehab doctor with a private practice in Kansas City, she figured that if her data had been exposed in that February breach, she would have been notified by now.
Barbour did finally get a letter from Change — in October. “Getting it at this point, this delayed, there’s really nothing that I could do because so much time had passed,” she said.
By law, companies have 60 days to notify individual customers if their personally identifiable health data was compromised. Missing that deadline could attract fines from the Department of Health and Human Services (HHS), but it’s unclear if that deadline applied to Change because it did not contract with patients directly, and because of a lack of clarity in how HHS defines when the clock starts after a breach.
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.