Federal Scrutiny Growing Over Change Healthcare Breach

In addition to the investigation by the Department of Health and Human Services, CISA reportedly expressed concerns about UnitedHealth Group’s transparency, and a top lawmaker is seeking answers about the issues raised by the cybersecurity agency.


The U.S. Cybersecurity and Infrastructure Security Agency recently expressed concerns about UnitedHealth Group’s transparency over the widely felt Change Healthcare ransomware attack, and a top U.S. lawmaker is seeking answers about the issues raised by the cybersecurity agency, according to a letter from U.S. Rep. Jamie Raskin.

In the letter addressed to UnitedHealth CEO Andrew Witty, posted online Monday, Raskin wrote that CISA criticized the insurance giant’s transparency during a briefing to the House Committee on Oversight and Accountability earlier this month.

“CISA stated to Committee staff in a March 13, 2024, briefing that the agency is ‘handcuffed in this instance because of the lack of transparency and lack of information flowing into us [from UnitedHealth Group/Change Healthcare],’” wrote Raskin, who is the ranking Democrat on the committee, in the letter.

CRN has reached out to CISA for comment.

In a press release about the letter, the House Committee on Oversight and Accountability said it is now “requesting a briefing and information on the Change Healthcare cyberattack and subsequent system outages starting in February 2024.”

In a statement, UnitedHealth said it is “committed to working with Congress and industry leaders to address cybersecurity to ensure the protection and resiliency of our health care system.”

“We are prioritizing ensuring patient access to care and medications, restoration of our systems, protection of data, and engaging with providers through multiple channels to help raise awareness of our provider relief programs,” the company said in the statement provided to CRN Tuesday evening.

The probe follows the launch of an investigation into the breach earlier this month by the Department of Health and Human Services. Through its Office for Civil Rights, the department said it is investigating the incident to determine if health data protected under federal law was stolen.

Raskin, meanwhile, wrote in the letter this week that the House Committee on Oversight and Accountability is “concerned that UnitedHealth Group is restricting the ability of federal agencies to provide applicable assistance to Change Healthcare.”

UnitedHealth disclosed the attack against prescription processor Change Healthcare on Feb. 22, and disruptions from the incident were widely felt for weeks around the U.S. health-care system. The attack has reportedly prevented many U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments.

“It appears that Change Healthcare’s pharmacy, payments and claims systems were disconnected or diverted for nearly one month,” Raskin wrote in the letter.

“Your company’s efforts to disconnect Change Healthcare’s systems in response to the February 2024 cyberattack appears to have disrupted patients’ timely access to affordable medication and interrupted crucial elements of our health care system,” the letter stated. “Patients who rely on lifesaving medications may have to choose between paying high out-of-pocket prescription medication costs, devote significant time and resources to finding affordable alternatives, or delay obtaining their medication altogether if their pharmacy’s billing and coverage services were disrupted as a result of the cyberattack.”

UnitedHealth Group disclosed March 18 that it has advanced more than $2 billion “through multiple initiatives” to care providers with finances disrupted by the attack and has software coming for medical claims preparation. A spokesperson said Tuesday that the assistance program is now nearing the $3 billion mark.