1. While the Covered Entity was listed as Optum360, the breach certainly could have been for their particular customers, yet as they are under a BAA (business associate agreement) they are the covered entity ultimately responsible.
2. I'll update the app in future versions to reflect that the States represent the HQ for the covered entity. Affected individuals could be anywhere in the US (though they are often located near their healthcare providers).