UnitedHealth Faces Renewed Scrutiny After Second Major Cyberattack
A fresh wave of concern is building around UnitedHealth Group as U.S. Senators demand answers following a new data breach impacting 5.4 million individuals. This incident, affecting subsidiary Episource, comes just months after a crippling cyberattack on another UnitedHealth-owned company, Change Healthcare, raising questions about the healthcare giant’s cybersecurity practices.
Senators Bill Cassidy (R-La.) and Maggie Hassan (D-N.H.) sent a letter on August 4 to UnitedHealth Group CEO Stephen Hemsley, expressing “serious concerns” about a pattern of security vulnerabilities within the institution. The latest breach at Episource, a risk adjustment analytics firm acquired by UnitedHealth in 2023, has also impacted numerous health systems.
The attack on Episource follows the significant disruption caused by the February 2024 cyberattack on Change Healthcare. That incident exposed the sensitive information of as many as 190 million Americans and caused widespread chaos in the healthcare system. According to reports, the Change Healthcare attack stemmed from vulnerabilities related to the lack of multi-factor authentication and outdated legacy systems.
The senators’ letter sharply criticizes UnitedHealth for what they describe as a consistent failure to prioritize basic security measures when integrating newly acquired companies. “The senators cited UnitedHealth’s failure to implement multi-factor authentication and to modernize legacy systems at Change Healthcare, which ultimately contributed to the February 2024 ransomware attack,” a legislative aide confirmed.
Beyond the technical failures, the lawmakers also raised concerns about the company’s financial response to the Change Healthcare disruption. They noted that UnitedHealth has reportedly sought repayment from healthcare providers who received loans intended to offset revenue losses incurred during the crisis. This move has drawn criticism from industry stakeholders who argue it places an undue burden on already strained healthcare facilities.
Cassidy and Hassan have requested a comprehensive response from UnitedHealth by August 18. This includes a detailed timeline of the Episource breach discovery, a list of federal agencies notified, and a plan outlining efforts to identify and communicate with affected individuals. The senators also pressed UnitedHealth on whether it has revised its acquisition due diligence processes to better assess and mitigate cybersecurity risks.
Episource stated on its website that it began notifying individuals affected by the breach on April 23, and that it has “taken several steps to mitigate and help prevent events like this from happening in the future.” However, the repeated nature of these attacks raises serious questions about the effectiveness of those measures and the overall security posture of UnitedHealth Group.
The ongoing scrutiny underscores the growing threat of cyberattacks targeting the healthcare industry and the critical need for robust security protocols to protect sensitive patient data. The situation demands a thorough investigation and a commitment from UnitedHealth to address the systemic vulnerabilities that have exposed millions to potential harm.
Why did this happen? UnitedHealth Group has experienced repeated cyberattacks, the latest targeting its subsidiary Episource, due to apparent failures in prioritizing basic cybersecurity measures, particularly when integrating acquired companies like Change Healthcare and Episource. Specifically, vulnerabilities included a lack of multi-factor authentication and reliance on outdated legacy systems.
Who was affected? The attacks have impacted millions of individuals. The Episource breach alone affected 5.4 million people, while the Change Healthcare attack possibly exposed the data of up to 19
