
Ranking Member Cassidy Seeks Answers on HHS Cyberattack, Failure to Notify Congress of $7.5M Theft


WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is seeking answers from the Department of Health and Human Services (HHS) on its failure to notify Congress of a cyberattack against the agency, resulting in the theft of $7.5 million in taxpayer dollars and potential delays in providing lifesaving health care to Americans.  

Earlier this year, media outlets reported that hackers breached HHS’ internal system for processing grant awards, resulting in the theft of approximately $7.5 million. This includes funding for programs administered by the Health Resources and Services Administration (HRSA), which serve at-risk populations, including children, pregnant women, and patients in rural areas.

HHS did not inform Congress that this incident occurred, nor did it publicly acknowledge the incident. Under the Federal Information Security Modernization Act (FISMA), agencies are required to notify Congress of a major incident within seven days of determining that one has occurred. At a time when cybersecurity incidents in the health care sector are only increasing, this attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.

Disruptions in grant funding can create significant financial strain on health care facilities and delay lifesaving care for at-risk patients. Cassidy is demanding answers as to how hackers were able to steal the affected grant awards, why HHS failed to publicly disclose this breach, and what steps HHS has taken to identify and address any vulnerabilities within their own systems. 

HHS has shown a concerning pattern of limited transparency in responding to cybersecurity incidents. Last week, Cassidy urged HHS to provide information on its response to the recent cyberattack on Change Healthcare, which has had a widespread negative impact across our health care system and threatened access to health care for many Americans. Despite the serious nature of that attack, HHS has failed to provide substantive and regular updates to Congress on how it is responding and assisting affected stakeholders.

“HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Dr. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.” 

Read the full letter below.

Dear Secretary Becerra:

Cybersecurity attacks pose a grave risk to patients. As the Sector Risk Management Agency (SRMA) for the Health and Public Health (HPH) sector, the Department of Health and Human Services (HHS) is the primary coordinating body for cybersecurity incidents. However, recent cyberattacks affecting HHS’ internal systems raise questions about its own cybersecurity readiness.

Recent reports indicate that hackers gained access to HHS’ own systems and stole approximately $7.5 million in grant awards to be designated to individual awardees, including those administered by the Health Resources and Services Administration (HRSA).[1] This is extremely concerning. HRSA programs serve at-risk populations, including children, pregnant women, and patients in rural populations. The disruption in grant awards caused by this breach has the potential to delay patient care and create financial strain on health care facilities. HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks.  

Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again. As such, in an effort to better understand the facts surrounding this incident and HHS’ remedial efforts, I ask that you answer the following questions, on a question-by-question basis, by April 5, 2024:

  1. When did HHS become aware of the unauthorized access to the Payment Management Services (PMS) system that processes grant awards?
  2. On what date were unauthorized entities able to access the PMS system?
  3. How many grantees were affected by the breach? Please quantify the amount of grant funds stolen from the PMS system.
  4. When did HHS notify other federal agencies of the breach, including the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), the Executive Office of the President, and the 15 other cabinet and non-cabinet agencies who also use the PMS system?
  5. What safeguards did HHS have in place prior to the breach to monitor suspicious activity regarding the PMS system?
  6. Has the breach of the PMS system delayed payment of any grant awards? If so, how has HHS communicated these delays to awardees?
  7. What steps has HHS taken to recover any and all funds stolen as a result of the breach?
  8. What remedial actions has HHS taken to date to improve any vulnerabilities exploited through this breach?
  9. The Federal Information Security Modernization Act (FISMA) requires federal agencies to disclose breaches of internal systems to Congress within seven days of determining “it has a reasonable basis to conclude that a major incident, including a breach constituting a major incident, has occurred.”[2] HHS, however, has yet to provide the required FISMA notice to Congress.
     1. What is HHS’ justification for failing to provide this notice?
     2. If HHS intends to provide a notice to Congress, when will it do so?
  10. Please provide the name and title of the employee at HHS responsible for:
     1. Monitoring the PMS system?
     2. Reporting any breaches to the Department?
     3. Coordinating the cyber response within the Department?
     4. Coordinating the cyber response with other federal entities?
     5. Providing the required FISMA notification to Congress?
  11. Does HHS currently have an internal incident response plan in place for responding to cyber incidents? If so, when was it last updated? If not, please provide a justification for the lack of a plan.

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.