House Energy and Commerce Committee members seek answers from UnitedHealth on Change Healthcare cyberattack

Members of the bipartisan U.S. House Energy and Commerce Committee are pressing UnitedHealth Group for answers regarding the Change Healthcare cyberattack. The committee seeks details about the cyberattack on Change Healthcare, which led to extended system downtime and disrupted the entire American healthcare system.

In a Monday letter to UnitedHealth Group CEO Andrew Witty, Committee leaders sought information about the cyberattack on Change Healthcare. The signatories were House Energy and Commerce Committee Chair Cathy McMorris Rodgers, a Republican from Washington, and Ranking Member Frank Pallone Jr., a Democrat from New Jersey; Subcommittee on Health Chair Brett Guthrie, a Republican from Kentucky, and Ranking Member Anna G. Eshoo, a Democrat from California; and Subcommittee on Oversight and Investigations Chair Morgan Griffith, a Republican from Virginia, and Ranking Member Kathy Castor, a Democrat from Florida. The Committee leaders requested answers to a series of detailed questions by April 29.

On Feb. 21, UnitedHealth Group reported it had experienced a cyberattack on its platforms, and it had taken all Change Healthcare systems offline to contain the incident. As a result of the outage, critical services affecting patient care, including billing services, claims transmittals, and eligibility verifications, became inoperable. Though UnitedHealth first notified users that it expected the disruption to ‘last at least through the day,’ several of the company’s products have now been inoperable for more than a month.

Change Healthcare’s platforms touch an estimated one in three U.S. patient records. Its systems process roughly 15 billion transactions annually and are linked to approximately 900,000 physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals nationwide. The breadth of Change Healthcare’s infrastructure all but ensures that the scope of the current disruption, and any disruption in Change Healthcare services, will be extensive.

“Over the past several weeks, UnitedHealth has provided updates on its response and the ongoing investigation, including a briefing for Committee members on April 8,” the Committee members wrote in the letter. “However, many details of the cyberattack remain unclear or undisclosed, including whether personal protected information has been compromised.” 

They also pointed out that recent reports of a second ransom demand in exchange for four terabytes of data that allegedly contain personally identifiable information, such as medical records and payment information, have created fresh concerns about further damage from this cyberattack. “There have been reports of providers struggling to make payroll due to Change Healthcare’s inability to process payments. Simultaneously, with pharmacies unable to verify coverage, many patients have been forced to pay out of pocket for crucial medication, including cancer therapy drugs and insulin.”

“The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” wrote the Committee leaders. “In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems, and the outreach to the healthcare community in the aftermath.”

The Committee members asked for details of the Change Healthcare systems that have been restored and, for each system, whether the system has been restored to pre-attack functionality or, if not, what functionality issues remain. They sought details of how many transactions have been affected or interrupted by the disruption since Feb. 21, with a breakdown of the number of failed, interrupted, or delayed transactions by function or service. 

They also sought information on the total value of the payments impacted by failed, interrupted, or delayed transactions since Feb. 21, and the total value of payments that have been resolved. Furthermore, they asked for a breakdown of the number of patients, physicians, advanced practice providers, dentists, pharmacies, hospitals, laboratories, and any other healthcare provider that had a transaction affected by the outage. Within each category, they asked UnitedHealth to identify the number of affected parties that are owned or operated by UnitedHealth.

The members asked for a timeline of the cyberattack and UnitedHealth’s immediate response, including how and when the breach was detected; for each Change Healthcare platform, how long the platform was compromised before the company shut it down; whether UnitedHealth attempted to isolate the breach before taking the entire Change Healthcare system offline; and what steps UnitedHealth took to protect against further intrusion of its systems or to prevent further loss of data.

They also asked for a description of UnitedHealth’s modified cybersecurity incident response, prevention, and detection processes, including staffing, budget, and/or operating structure, after it acquired Change Healthcare in October 2022. 

On Mar. 10, 2024, the U.S. Department of Health & Human Services (HHS) urged UnitedHealth to provide Medicaid agencies with a list of providers impacted in their states. The committee members asked whether UnitedHealth has made these lists available to state Medicaid agencies. They further asked for details of any support that UnitedHealth is specifically providing to patients inside and outside its network who have been impacted by the Change Healthcare outage, including, but not limited to, any reimbursement support for covered services or prescription drugs paid for out-of-pocket during the outage. 

The members also asked UnitedHealth to provide a timeline for the remaining system recovery work and any other relevant benchmarks. They also asked what effects, if any, the most recent ransom demand will have on system recovery, and what assurances, including third-party attestation, UnitedHealth will provide users regarding the security of Change Healthcare as it is restored.

They also requested a commitment to publicly release an after-action report on the cyberattack on Change Healthcare, outlining the steps UnitedHealth has implemented to enhance the security of Change Healthcare’s systems and prevent extended system downtime.

Furthermore, the committee members emphasized the importance of comprehending risk mitigation within a consolidated healthcare system due to reduced redundancies. In this context, they inquired about the existence of an insurance policy held by Change Healthcare or UnitedHealth to mitigate the risk of cyberattacks and requested details regarding such a policy if applicable.
