June 12 (Reuters) - The U.S. Department of Health and

Human Services (HHS) has agreed to allow UnitedHealth Group ( UNH )

to notify people whose data was exposed during a hack on

its Change Healthcare unit in February, the Wall Street Journal

reported on Wednesday.

The decision would spare U.S. hospitals and healthcare

providers from time-consuming and expensive work, according to

the report.

For months, hospitals and other care providers have urged

the HHS to shift the notification burden to UnitedHealth ( UNH ) and its

unit, as the providers lack the money and information to do so.

HHS agreed on May 31, making an exception to the federal

Health Insurance Portability and Accountability Act, which

generally mandates the provider notify victims, the report said.

The company, HHS and the Senate Finance Committee did not

immediately respond to Reuters requests for comment.

UnitedHealth ( UNH ) said it was still conducting an investigation

into what data was breached by hackers, WSJ reported, citing the

company's responses to questions from the Senate Finance

Committee.

The company also warned the breached data could contain

sensitive information such as names, addresses, medical codes

and insurance numbers, the report said.

Earlier in May, the healthcare conglomerate's CEO Andrew

Witty told a Congressional committee that hackers potentially

stole a third of Americans' data in the cyber attack that led to

disruptions in processing medical claims that the company is

still trying to fix.

Its Change Healthcare unit, which handles healthcare

billing, data systems and many other services, is involved in

about one in three patient records in the U.S., and the cyber

attack disrupted the entire nation's healthcare system,

disrupting payments to doctors and healthcare facilities for a

month.

(Reporting by Sriparna Roy in Bengaluru; Editing by Devika

Syamnath)