Chair Cassidy, Hassan Raise Concerns over UnitedHealth Group’s Failure to Protect Americans’ Sensitive Health Data from Cyberattacks

WASHINGTON – Today, U.S. Senators Bill Cassidy, M.D. (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) raised serious concerns over UnitedHealth Group’s (UHG) continued failure to defend against cyberattacks and protect patients’ sensitive health data.

“The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG’s efforts to safeguard patient information,” wrote the senators. “The risk of cyberattacks continue to threaten the health care sector. We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health.”

Last year, UHG subsidiary Change Healthcare was the target of the largest health care cyberattack in history, compromising the sensitive health data of approximately 190 million Americans and threatening patients’ access to care nationwide. The attack resulted from UHG’s failure to implement basic security standards, including multi-factor authentication (MFA) and a lack of investment in legacy systems after UHG acquired Change Healthcare.

The recent hack of Episource, another UHG subsidiary, shows a repeated pattern of UHG’s failure to secure its internal cyber systems after acquiring other companies. The senators are seeking answers on the scale of the Episource cyberattack and how UHG is prioritizing cybersecurity to protect Americans’ health information.

Read the full letter here or below.

Dear Mr. Hemsley,

The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG’s efforts to safeguard patient information. Last year, UHG’s Change Healthcare subsidiary was the target of the largest health care cyberattack in history. This hack compromised the protected health information (PHI) of approximately 190 million Americans. Further, it led to significant delays in care through the disruption of electronic prescribing, claims submission, and payment transmission.^[1] The delay in claims processing resulted in a $14 billion payment backlog, putting undue strains on the financial resources of provider practices.^[2]

The hack at Change Healthcare was due to UHG’s failure to implement multi-factor authentication (MFA) and upgrade legacy systems after UHG acquired Change Healthcare.^[3] The hack on Episource, which UHG acquired in 2023, raises questions about the company’s commitment to securing PHI, given the repeated security failures at the company. The failure to properly secure internal systems is particularly troubling given the wide impact that the Change Healthcare attack had on the health care system. UHG has further strained impacted provider practices by taking aggressive steps to seek repayments for loans UHG issued to support those providers due to its own system failures.^[4] The risk of cyberattacks continue to threaten the health care sector. We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health. To better understand what steps UHG is taking to not only respond to this current cybersecurity incident, but also to improve its security processes company-wide, we ask that you answer the following questions on a question-by-question basis by August 18, 2025:

1. When did UHG first become aware of a cyberattack on Episource’s systems?

2. When did UHG notify federal agencies of a cyberattack, and which agencies did UHG notify?

3. UHG has stated that “the data that may have been seen and taken… may have included… health insurance data, [and] health data.”^[5]
1. What steps is UHG taking to identify what information may have been compromised?
2. When does UHG expect to finalize steps to identify this information?
3. How is UHG proactively communicating with potentially impacted individuals and entities?

4. Last year, UHG suffered the largest health care cyberattack in history through its Change Healthcare subsidiary. This attack occurred due to deficiencies in UHG’s security protocols.
1. What remedial steps has UHG identified thus far to improve its security protocols?
2. Has UHG implemented those actions? If not, when does it intend to complete those steps?
3. Has UHG made any changes to how it conducts due diligence for companies it acquires to consider security risks?

###

For all news and updates from HELP Republicans, visit our website or Twitter at @GOPHELP.