NEW YORK, June 20 (Reuters) - UnitedHealth Group (UNH)
issued a public notice about the February ransomware hack on
its Change Healthcare unit on Thursday as part of its
requirements to notify the estimated one-third of the country
whose private data may have been exposed in the attack.
UnitedHealth said it expects to begin mailing letters to
potentially affected individuals in late July but that it may
not have addresses for all of them. The company said individuals
can enroll in free credit monitoring for two years.
WHY IT MATTERS
Patient information is protected under the Health Insurance
Portability and Accountability Act, or HIPAA. HIPAA regulation
requires companies to notify patients of data exposures.
Information made vulnerable in the UnitedHealth attack is
believed to include health insurance member IDs, patient
diagnoses, treatment information and social security numbers, as
well as billing codes used by providers.
In a May announcement, the U.S. Department of Health and
Human Services said healthcare providers can ask UnitedHealth to
notify people impacted by the hack on their behalf. Following
the hack, some providers urged HHS to make UnitedHealth solely
responsible for issuing breach notifications.
KEY QUOTE
After reviewing 90% of files breached, the insurer said it
"found no evidence that materials such as doctors' charts or
full medical histories were exfiltrated from its systems."
CONTEXT
Change Healthcare processes about half of all U.S. medical
claims.
The Feb. 21 hack on the technology unit of the largest U.S.
health insurer was carried out by Russian ransomware gang
BlackCat, UnitedHealth CEO Andrew Witty said in May testimony to
the Senate Committee on Finance. In exchange for patient data,
UnitedHealth paid the group $22 million in Bitcoin, Witty said.