U.S. Senators Bill Cassidy and Maggie Hassan sent a letter to UnitedHealth Group CEO Stephen Hemsley expressing concern over a cyberattack targeting UHG subsidiary Episource that compromised data for 5.4 million people.
Episource, an Optum subsidiary providing medical coding and risk adjustment services, shut down its computer systems in February after detecting unusual network activity. Investigators later determined that a cyberattacker accessed and stole data between January 27 and February 6. The breach compromised approximately 5.4 million people's information, including names, dates of birth, Social Security numbers, medications, and diagnoses. Senators Cassidy (R-La.) and Hassan (D-N.H.) sent a letter to UnitedHealth Group CEO Stephen Hemsley criticizing the company's cybersecurity failures. The lawmakers accused UHG of repeatedly failing to protect patient health information and failing to implement basic security standards.
In February 2024, UnitedHealth subsidiary Change Healthcare suffered a ransomware attack that compromised protected health information of 190 million people (initially reported as 100 million). The Change Healthcare attack resulted from the company's failure to implement basic security standards, including multifactor authentication, and lack of investment in legacy systems after UnitedHealth acquired the company. The attack led to care delays because electronic prescribing, claims submission, and payment submission systems were disrupted, creating a $14 million payment backlog.
The senators identified a "repeated pattern" of UnitedHealth failing to secure internal cyber systems after acquiring other companies. The Change Healthcare breach became the largest known breach at a HIPAA-regulated entity, surpassing the previous record set by Anthem in 2015 (78.8 million individuals). An April 2024 American Medical Association survey found that more than three-quarters of physician practices experienced severe disruptions: 36% experienced suspension in claim payments, 32% couldn't submit claims, and 39% couldn't obtain electronic remittance advice. The disruptions caused 80% of practices to lose revenue from unpaid claims and forced 85% to commit additional staff time to revenue cycle tasks.
"The recently reported hack of Episource, a subsidiary of UnitedHealth Group, raises significant questions about UHG's efforts to safeguard patient information," the senators wrote. "The risk of cyberattacks continues to threaten the healthcare sector. We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities, and UHG's repeated failures to protect against such attacks jeopardize patient health."
The lawmakers requested that Hemsley provide information on when UHG became aware of the attack, when it notified federal agencies, what steps it's taking to identify and protect information, and what remedial steps it has identified to improve security protocols.
5.4 million people affected by Episource breach
190 million people affected by Change Healthcare breach (February 2024)
$14 million payment backlog from Change Healthcare attack
36% of practices experienced suspension in claim payments
32% were unable to submit claims
39% were unable to obtain electronic remittance advice
80% of practices lost revenue from unpaid claims
85% committed additional staff time to revenue cycle tasks
This breach shows a vulnerability in healthcare's consolidated infrastructure, where UnitedHealth Group's footprint means that cybersecurity failures can go across the entire healthcare system. The senators' focus on UHG's "repeated pattern" of failing to secure systems after acquisitions exposes a risk in healthcare consolidation, which is when large entities acquire smaller companies without properly integrating cybersecurity protocols, they create vulnerabilities that can affect millions of patients and disrupt care delivery nationwide. The timing is concerning given ongoing geopolitical threats, with lawmakers specifically mentioning Iran as a potential hostile actor targeting healthcare entities.
UnitedHealth Group's repeated cybersecurity failures demonstrate that healthcare consolidation without proper security integration creates risks that extend beyond individual breaches. Healthcare organizations must prioritize cybersecurity due diligence during acquisitions and implement security protocols before integrating new subsidiaries into their networks.
Healthcare deals must account for HIPAA compliance, medical device security, and protected health information risk assessments.
They can target healthcare infrastructure as part of broader cyberwarfare strategies, potentially disrupting care at scale.
Yes, its large footprint and centralized systems make it a high-value target for attackers seeking massive data troves.
Cyber incidents can lead to higher operational costs and risk profiles, which may be reflected in insurance pricing.