Hospitals Can Push Patient Hack Notifications to UnitedHealth

Hospitals and clinics can require that UnitedHealth Group Inc. notify patients if their data was compromised in a massive February cyberattack on the insurer’s payments unit, US health officials said.

Federal law requires health-care providers to alert individuals of such breaches. Companies whose data was exposed in the attack on UnitedHealth’s Change Healthcare unit may “delegate” the process to the insurer, the Department of Health and Human Services’ Office for Civil Rights said Friday in a statement.

As many as one third of Americans may have had data exposed in the hack, UnitedHealth Chief Executive Officer Andrew Witty told a ...