Senators criticize UnitedHealth Group's cybersecurity after Episource breach

U.S. Senators Bill Cassidy and Maggie Hassan sent a letter to UnitedHealth Group CEO Stephen Hemsley expressing concern over a cyberattack targeting UHG subsidiary Episource that compromised data for 5.4 million people.
 

What happened

Episource, an Optum subsidiary providing medical coding and risk adjustment services, shut down its computer systems in February after detecting unusual network activity. Investigators later determined that a cyberattacker accessed and stole data between January 27 and February 6. The breach compromised approximately 5.4 million people's information, including names, dates of birth, Social Security numbers, medications, and diagnoses. Senators Cassidy (R-La.) and Hassan (D-N.H.) sent a letter to UnitedHealth Group CEO Stephen Hemsley criticizing the company's cybersecurity failures. The lawmakers accused UHG of repeatedly failing to protect patient health information and failing to implement basic security standards.
 

The backstory

In February 2024, UnitedHealth subsidiary Change Healthcare suffered a ransomware attack that compromised protected health information of 190 million people (initially reported as 100 million). The Change Healthcare attack resulted from the company's failure to implement basic security standards, including multifactor authentication, and lack of investment in legacy systems after UnitedHealth acquired the company. The attack led to care delays because electronic prescribing, claims submission, and payment submission systems were disrupted, creating a $14 million payment backlog.
 

Going deeper

The senators identified a "repeated pattern" of UnitedHealth failing to secure internal cyber systems after acquiring other companies. The Change Healthcare breach became the largest known breach at a HIPAA-regulated entity, surpassing the previous record set by Anthem in 2015 (78.8 million individuals). An April 2024 American Medical Association survey found that more than three-quarters of physician practices experienced severe disruptions: 36% experienced suspension in claim payments, 32% couldn't submit claims, and 39% couldn't obtain electronic remittance advice. The disruptions caused 80% of practices to lose revenue from unpaid claims and forced 85% to commit additional staff time to revenue cycle tasks.
 

What was said

"The recently reported hack of Episource, a subsidiary of UnitedHealth Group, raises significant questions about UHG's efforts to safeguard patient information," the senators wrote. "The risk of cyberattacks continues to threaten the healthcare sector. We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities, and UHG's repeated failures to protect against such attacks jeopardize patient health."
The lawmakers requested that Hemsley provide information on when UHG became aware of the attack, when it notified federal agencies, what steps it's taking to identify and protect information, and what remedial steps it has identified to improve security protocols.
 

By the numbers

  • 5.4 million people affected by Episource breach
  • 190 million people affected by Change Healthcare breach (February 2024)
  • $14 million payment backlog from Change Healthcare attack
  • 36% of practices experienced suspension in claim payments
  • 32% were unable to submit claims
  • 39% were unable to obtain electronic remittance advice
  • 80% of practices lost revenue from unpaid claims
  • 85% committed additional staff time to revenue cycle tasks
 

Why it matters

This breach shows a vulnerability in healthcare's consolidated infrastructure, where UnitedHealth Group's footprint means that cybersecurity failures can spread across the entire healthcare system. The senators' focus on UHG's "repeated pattern" of failing to secure systems after acquisitions exposes a risk in healthcare consolidation: when large entities acquire smaller companies without properly integrating cybersecurity protocols, they create vulnerabilities that can affect millions of patients and disrupt care delivery nationwide. The timing is concerning given ongoing geopolitical threats, with lawmakers specifically mentioning Iran as a potential hostile actor targeting healthcare entities.
 

The bottom line

UnitedHealth Group's repeated cybersecurity failures demonstrate that healthcare consolidation without proper security integration creates risks that extend beyond individual breaches. Healthcare organizations must prioritize cybersecurity due diligence during acquisitions and implement security protocols before integrating new subsidiaries into their networks.
 

FAQs

How does cybersecurity due diligence differ in healthcare mergers compared to other industries?

Healthcare deals must account for HIPAA compliance, medical device security, and protected health information risk assessments.
 

What additional risks do geopolitical threats like those from Iran pose to U.S. healthcare systems?

They can target healthcare infrastructure as part of broader cyberwarfare strategies, potentially disrupting care at scale.
 

Does UnitedHealth’s size make it a more attractive cyber-target?

Yes, its large footprint and centralized systems make it a high-value target for attackers seeking massive data troves.
 

Could insurers raise premiums because of cybersecurity breaches like this?

Cyber incidents can lead to higher operational costs and risk profiles, which may be reflected in insurance pricing.