Senators call on UnitedHealth to protect health data after Episource breach

U.S. Sens. Bill Cassidy (R-La.) and Maggie Hassan (D-N.H.) are demanding answers from UnitedHealth Group following another cyberattack on one of the company’s subsidiaries.

Here are six things to know:

  1. The senators sent a letter August 4 to UnitedHealth Group CEO Stephen Hemsley expressing “serious concerns” after a recent hack of Episource, a risk adjustment analytics firm acquired by UnitedHealth in 2023. The breach impacted 5.4 million individuals and ensnared health systems.

  2. The Episource data breach follows 2024’s cyberattack on Change Healthcare, also a UnitedHealth subsidiary, which disrupted care nationwide and exposed sensitive information for as many as 190 million Americans.

  3. In the letter, the lawmakers criticized UnitedHealth for what they described as a pattern of neglecting basic security protocols across newly acquired companies. The senators cited UnitedHealth’s failure to implement multi-factor authentication and to modernize legacy systems at Change Healthcare, which ultimately contributed to the February 2024 ransomware attack.

  4. The senators also took issue with the company’s financial response, noting that UnitedHealth has sought repayment from providers who received loans to mitigate revenue losses following the Change Healthcare disruption.

  5. Mr. Cassidy and Ms. Hassan are requesting detailed responses from UnitedHealth by Aug. 18, including timelines for when the company discovered the breach at Episource, which federal agencies were notified, and what efforts are underway to identify and communicate with impacted individuals. They also asked whether UnitedHealth has made changes to its acquisition due diligence processes to better account for cybersecurity risks.

  6. Episource wrote on its site that it began notifying affected individuals of the breach on April 23, and that it has “taken several steps to mitigate and help prevent events like this from happening in the future.”