U.S. Senators Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, and Maggie Hassan (D-NH) have expressed concerns about UnitedHealth Group’s (UHG) handling of cybersecurity following a series of high-profile data breaches affecting millions of Americans.
In a letter to UHG leadership, the senators highlighted recent incidents involving subsidiaries Change Healthcare and Episource. “The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG’s efforts to safeguard patient information,” wrote the senators. “The risk of cyberattacks continue to threaten the health care sector. We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health.”
Last year’s cyberattack on Change Healthcare was described as the largest in healthcare history, compromising protected health information for approximately 190 million Americans. The breach disrupted electronic prescribing, claims submission, and payment transmission processes nationwide. The resulting delays created a $14 billion backlog in payments to providers.
The senators attributed these problems to UHG’s failure to implement basic security measures such as multi-factor authentication and its lack of investment in updating legacy systems after acquiring Change Healthcare. They also pointed out that similar vulnerabilities appear to have contributed to the more recent hack at Episource, which UHG acquired in 2023.
According to their letter: “The hack at Change Healthcare was due to UHG’s failure to implement multi-factor authentication (MFA) and upgrade legacy systems after UHG acquired Change Healthcare.[3] The hack on Episource, which UHG acquired in 2023, raises questions about the company’s commitment to securing PHI, given the repeated security failures at the company.” The senators further noted that provider practices were financially strained by both delayed payments and aggressive repayment demands from UHG for loans issued during system outages.
Cassidy and Hassan requested detailed responses from UHG by August 18 regarding when it became aware of the latest breach at Episource; what federal agencies were notified; what steps are being taken to identify compromised data; how affected individuals are being informed; remedial actions underway since previous breaches; and whether due diligence procedures for future acquisitions now include cybersecurity assessments.
They concluded: “To better understand what steps UHG is taking to not only respond to this current cybersecurity incident, but also to improve its security processes company-wide, we ask that you answer the following questions on a question-by-question basis by August 18, 2025:”
For ongoing updates from HELP Republicans visit their website or follow @GOPHELP on Twitter.
