Change Healthcare issued an update late Wednesday confirming that an analysis of the data accessed in the cyberattack on its systems is underway, and experts say the process of notifying people whose information was exposed could be messy.
Change's parent company UnitedHealth Group posted the latest status on that investigation on its running update page, where the healthcare giant confirmed the team is working "as quickly as possible" to complete the full analysis of the data.
Details of any findings so far were scant, however. The company acknowledged that it took some time to safely access the data to begin the study.
"This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems," according to the update. "We recently obtained a dataset that is safe for us to access and analyze."
"Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data," the company added.
UnitedHealth said that, so far, it has "not seen evidence of any data having been published on the web," according to the post.
While this analysis is ongoing, a major challenge will come when it's completed, experts said on a webinar Thursday. Given the sheer scale of the data Change has access to, and the reportedly six-terabyte size of what was extracted, notifying a patient that their information was compromised will prove difficult.
James Berry, chief claims officer at Corvus Insurance, said during the discussion that for an individual patient alone there could multiple providers that they visit who are connected to Change's systems, which means their data could have been compromised more than once.
He said that, frankly, the notification burden resulting from this cyberattack is "ginormous."
"We have hundreds of millions, potentially billions, of notifications floating around the ecosystem," he said.
And if a patient is notified by multiple healthcare organizations about their data being compromised, it's likely to be very confusing for them, said Sara Goldstein, partner at the law firm BakerHostetler. It would also likely prove a huge undertaking for providers, especially smaller ones, if they have to take on the notifications on their own.
She said this is why major groups have pushed regulators to ensure that Change and UnitedHealth Group take the lead on this process.
In its update, UnitedHealth indicated it was planning to play a role in notifying any affected patients, though it did not offer a plan as of yet.
"We also know customers are interested in hearing about what data is impacted to determine if they have notification obligations," the company said. "We will be offering to do the notification work for customers where permitted."