Special to the American Press

U.S. Senator Bill Cassidy, R-La., ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, requested information from UnitedHealth Group (UHG) on its response to the Feb. 21 cyberattack on UHG subsidiary Change Healthcare that has wreaked havoc on patients and health care providers nationwide.

As one of the nation’s largest medical claims processors handling health data for one-third of American patients, the fact that the full extent of the attack is unknown poses serious concerns. On top of the disruption to patients and providers, it is still unknown how many patients and providers have been notified if and how much of their data has been compromised in the breach.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) last December alerting cybersecurity professionals that Change Healthcare’s attacker, ALPHV Blackcat, was encouraging its affiliates to target health care providers. The CSA also detailed ALPHV Blackcat’s methods, and mitigation strategies to prevent breaches, including implementing multifactor authentication (MFA) to login systems. UHG has publicly stated that the hackers were able to gain access to its systems through an outdated Change Healthcare system that lacked MFA, despite previous warnings by federal agencies and numerous recommendations that stakeholders should implement MFA as a cybersecurity best practice.

Given the serious nature of this incident, Cassidy is seeking answers from UHG on why it did not implement MFA or other agency recommendations that could have prevented the attack. Cassidy also requested information on how UHG is working with providers and other stakeholders to ensure all of its services are back online and patient care is not further impacted.

“Following the acquisition of Change, UHG should have taken aggressive steps to update Change legacy systems and implement stronger cybersecurity protocols including MFA,” Cassidy wrote. “However, it didn’t, leading to questions about whether known data governance failures played a role in the ALPHV Blackcat cyberattack.”

“While UHG is now reporting that its pharmacy services and medical claims are back to ‘near-normal levels’… UHG must be held accountable for the actions it took or failed to take to protect highly-sensitive patient data given the historic nature of this breach,” Cassidy continued.

Previously, Cassidy requested information from the Department of Health and Human Services (HHS) about its own role in responding to the Change cyberattack steps to support affected providers. Throughout this attack, HHS has failed to provide substantive and regular updates to Congress on how it has responded to support affected stakeholders.