Rep. Jamie Raskin (D-Md.), ranking member of the House Committee on Oversight and Accountability, is asking the UnitedHealth Group (UHG) to explain what it is doing to address the ongoing fallout from the cyberattack on one of its subsidiaries last month.
In a letter addressed to UHG CEO Andrew Witty, Raskin wrote that the committee is “concerned that UnitedHealth Group is restricting the ability of federal agencies to provide applicable assistance to Change Healthcare.”
He cited a recent briefing from the Cybersecurity and Infrastructure Security Agency in which it said it was “handcuffed in this instance because of the lack of transparency and lack of information flowing into us [from UnitedHealth Group/Change Healthcare].”
“Your company’s efforts to disconnect Change Healthcare’s systems in response to the
February 2024 cyberattack appears to have disrupted patients’ timely access to affordable
medication and interrupted crucial elements of our health care system,” Raskin wrote.
Change Healthcare, a UHG subsidiary that manages payment systems for the majority of U.S. hospitals, was hit by a cyberattack on Feb. 21 that has impacted providers’ ability to file claims and receive payments.
Many patients have had to pay out-of-pocket for medicines and health services due to the effects of the attack. In a recent letter to Health and Human Services Secretary Xavier Becerra, a bipartisan group of House lawmakers reported how their offices have “received concerns from constituents who have paid out-of-pocket for their medical supplies with no known solution for how to make them whole. We are worried about our constituents’ ability to afford these expenses.”
Among the questions sent to UHG, Raskin requested to know when Change Healthcare first notified its clients of the cyberattack; which systems were disrupted or targeted; how much personally identifiable information and protected health information was compromised; and what efforts were being done to coordinate with federal agencies.
UHG was given until April 8 to provide a written response to the inquiry, as well as give a staff briefing on the incident.