U.S. Senators Bill Cassidy, R-La., and Maggie Hassan, D-N.H., have sent a letter to UnitedHealth Group CEO Stephen Hemsley expressing concern over a recent cyberattack targeting UHG subsidiary Episource.
Episource is an Optum subsidiary that provides medical coding and risk adjustment services to health systems and payers. The firm shut down its computer systems in February after noticing unusual activity on its network, later determining that a cyberattacker had accessed and stolen data between Jan. 27 and Feb. 6.
About 5.4 million people may have been impacted, with compromised data including names, dates of birth, Social Security numbers, medications and diagnoses.
In February 2024, a ransomware attack targeted UnitedHealth subsidiary Change Healthcare and compromised the protected health information of at least 100 million people, according to the HIPAA Journal; that number that was later amended to 190 million people.
That attack, the senators said, resulted from the company's failure to implement basic security standards, including multifactor authentication and a lack of investment in legacy systems after UnitedHealth acquired Change Healthcare.
In the letter over the Episource breach, Cassidy and Hassan criticized the company's "continued failure" to defend against cyberattacks.
"The recently reported hack of Episource, a subsidiary of UnitedHealth Group, raises significant questions about UHG's efforts to safeguard patient information," wrote the senators. "The risk of cyberattacks continues to threaten the healthcare sector. We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities, and UHG's repeated failures to protect against such attacks jeopardizes patient health."
WHAT'S THE IMPACT
The Episource hack, the senators said, shows a "repeated pattern" of UnitedHealth failing to secure its internal cyber systems after acquiring other companies.
The Change hack that occurred last year led to significant care delays because electronic prescribing, claims submission and payment submission were all disrupted, the lawmakers wrote. They estimated that the delay in claims processing resulted in a $14 million payment backlog.
The latest Episource breach, they said, raises questions about the company's commitment to securing personal health information. The senators added that UHG has further strained impacted provider practices by taking aggressive steps to seek repayments for loans it issued to support those providers.
Lawmakers are asking Hemsley to provide information on the cyberattack, including when it became aware of the attack, when it notified federal agencies, what steps it's taking to identify and protect the information and what remedial steps it has identified to improve its security protocols.
THE LARGER TREND
The Feb. 21, 2024, cyberattack disconnected Change from claims payments for hospitals and physician practices, disrupting provider revenue and financial stability to the point of potential bankruptcy for some practices, the American Medical Association said last year.
The figure of 190 million people was amended from past estimates that had put the total number of impacted people at about 100 million. Either way, the data breach – confirmed to be ransomware – is the largest known breach at a HIPAA-regulated entity.
The previous record was set by Anthem in 2015 and affected 78.8 million individuals, according to the HIPAA Journal.
The breach had widespread effects. An April 2024 survey from the American Medical Association found more than three-quarters of physician practices experienced severe disruptions due to the cyberattack: 36% experienced suspension in claim payments, 32% were unable to submit claims, and 39% were unable to obtain electronic remittance advice.
Because of the claims issues, 80% of practices lost revenue from unpaid claims and 85% committed additional staff and time to complete revenue cycle tasks.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.