Bill Cassidy - Ranking Member of the Senate HELP Committee | Official U.S. Senate headshot
Bill Cassidy - Ranking Member of the Senate HELP Committee | Official U.S. Senate headshot
U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has sought information from UnitedHealth Group (UHG) regarding its response to the February 21 cyberattack on its subsidiary Change Healthcare. The attack has caused significant disruption for patients and health care providers across the country.
Change Healthcare is one of the nation's largest medical claims processors, handling health data for approximately one-third of American patients. The full extent of the attack remains unknown, raising serious concerns about patient and provider data security.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory last December warning that Change Healthcare's attacker, ALPHV Blackcat, was urging its affiliates to target health care providers. Despite these warnings and recommendations for implementing multifactor authentication (MFA), UHG admitted that hackers gained access through an outdated Change Healthcare system lacking MFA.
In light of this incident's severity, Senator Cassidy is requesting answers from UHG on why it did not implement MFA or other agency recommendations that could have prevented the attack. He also asked how UHG is collaborating with providers and other stakeholders to ensure all services are back online without further impacting patient care.
"Following the acquisition of Change, UHG should have taken aggressive steps to update Change legacy systems and implement stronger cybersecurity protocols including MFA," wrote Dr. Cassidy. "However, it didn’t, leading to questions about whether known data governance failures played a role in the ALPHV Blackcat cyberattack."
Dr. Cassidy also expressed concern over UHG's accountability in protecting sensitive patient data given this breach's historic nature.
Previously, Cassidy requested information from the Department of Health and Human Services (HHS) about its role in responding to the Change cyberattack steps to support affected providers. Throughout this attack, HHS has not provided substantive and regular updates to Congress on its response to support affected stakeholders.
Alerts Sign-up