Congressional leaders continue to seek answers from UnitedHealth Group over the Change Healthcare cyberattack.
U.S. Sen. Bill Cassidy, MD, R-La., ranking member of the Senate Health, Education, Labor and Pensions Committee, sent a letter May 14 to UnitedHealth Group CEO Andrew Witty demanding answers on the scope of the data breach and why the company didn't implement cybersecurity measures that could have prevented the hack. The senator asked for responses to 20 specific questions by May 28.
"While UHG is now reporting that its pharmacy services and medical claims are back to 'near-normal levels,' as one of the largest healthcare providers in the United States, UHG must be held accountable for the actions it took or failed to take to protect highly-sensitive patient data given the historic nature of this breach," Dr. Cassidy wrote.
The FBI, HHS and Cybersecurity and Infrastructure Security Agency published a joint advisory in December warning about the Blackcat, or ALPHV, ransomware gang and recommending that healthcare organizations turn on multifactor authentication, the senator noted. Two months later, the group hacked Change Healthcare through a Citrix remote access platform that did not have multifactor authentication enabled.
"Following the acquisition of Change, UHG should have taken aggressive steps to update Change legacy systems and implement stronger cybersecurity protocols including MFA," Dr. Cassidy wrote. "However, it didn't, leading to questions about whether known data governance failures played a role in the ALPHV Blackcat cyberattack."
A UnitedHealth Group spokesperson told Becker's "the company is aware of the inquiry and remains committed to working with policymakers and industry leaders to share information, address cybersecurity, and to ensuring the protection and resiliency of our healthcare system."