A leading senator is pushing UnitedHealth Group for more answers on the Change Healthcare cyberattack that caused significant disruption across the industry.
Sen. Bill Cassidy, R-Louisiana, who is the ranking member of the Senate Health, Education, Labor and Pensions Committee, said in a letter to the company that it is "imperative" that UnitedHealth provide greater detail about the scale of the breach, the financial impacts on providers and just how much personal or protected information was accessed.
Cassidy's letter includes a list of 20 questions that he's asking UHG to respond to by May 28, including further details on cybersecurity protocols at the company, whether it conducted an audit of Change's systems during the integration process and a more comprehensive description of what happened on Feb. 21 when the cyberattack was revealed.
UnitedHealth Group CEO Andrew Witty testified at two congressional hearings earlier this month, where he said that the hackers breached Change using stolen credentials on a server where multifactor authentication was not enabled. The hackers then spent nine days within the system stealing data before deploying ransomware Feb. 21.
Witty said Change Healthcare came into the fold at UHG in October 2022 with aging technology that required substantial upgrades as part of the integration process. It's unclear why the server that was breached did not have multifactor authentication enabled, he told lawmakers during the congressional hearings.
Cassidy's letter also seeks additional clarity around the process of those upgrades and whether UnitedHealth made staff reductions on Change's IT teams as it integrated the company into Optum.
"While UHG is now reporting that its pharmacy services and medical claims are back to 'near-normal levels' … UHG must be held accountable for the actions it took or failed to take to protect highly sensitive patient data given the historic nature of this breach," Cassidy wrote.