TLDR:
House lawmakers criticized UnitedHealth Group for its role in and response to a ransomware attack on its subsidiary Change Healthcare. The attack exposed vulnerabilities in the health care system due to consolidation. UnitedHealth did not make anyone available for a hearing, and the attack caused significant financial losses. The Department of Health and Human Services is investigating the incident. Congress is considering legislation to establish cybersecurity standards in the health care sector.
Article Summary:
House lawmakers heavily criticized UnitedHealth Group for its involvement in and reaction to a ransomware attack on Change Healthcare, a subsidiary of the company. The attack, which occurred on February 21st, exposed weaknesses in the U.S. health care system and raised concerns about the consolidation in the industry. The Department of Health and Human Services launched an investigation into the incident to assess compliance with federal data privacy laws.
During a hearing before the Energy and Commerce health subcommittee, members of Congress raised issues with UnitedHealth’s acquisition of Change Healthcare in 2022, which they believe posed a national security risk. The attack highlighted the vulnerability of the nation’s health care infrastructure and the potential dangers of anti-competitive practices in the industry.
UnitedHealth Group did not provide representatives for the hearing, despite the committee’s request, which drew criticism from lawmakers. The company reported significant financial losses due to the attack, with projections of surpassing $1 billion in damages. Congress is considering legislation, proposed by Sen. Mark Warner, to establish minimum cybersecurity standards for health care providers to prevent future cyberattacks.
Health care groups have pushed back against mandatory cybersecurity requirements, citing concerns about operational challenges and liabilities. Physicians impacted by the breach expressed frustration over the lack of information provided by UnitedHealth about the extent of the data stolen and compromised health information. Software vendor liability caps were also highlighted as a significant concern for affected practices.