Press Releases

WASHINGTON, DC – Today, House Committee on Veterans’ Affairs Chairman Mike Bost (R-Ill.), released a letter he sent to UnitedHealth Group, Inc. CEO Andrew Witty regarding a massive cyberattack against UnitedHealth subsidiary Change Healthcare (CHC), which took place in February and has potentially huge negative consequences for veterans’ data privacy.

Cybercriminals claim to have stolen 6 terabytes of patient data from CHC, the largest clearinghouse for medical claims processing in the country; the Department of Veterans Affairs (VA) relies on CHC information technology (IT) systems to process payments to community care providers, as well as pharmacy prescriptions and other healthcare operations. As a result of the attack, CHC was forced to take down critical IT systems that VA utilizes to facilitate veteran care, some of which still have not been reconnected.  

“Not only are we concerned about the immediate impacts of this ransomware attack on veterans, but this catastrophe also brings a bigger concern of mine to light,” said Chairman Bost. “VA doesn’t have a firm grip on how the companies it lets handle veterans’ data protect that data. As the largest integrated healthcare system in the nation, this is simply unacceptable. When veterans’ data gets hacked, we need answers and solutions not obstacles and excuses. I am determined to get to the bottom of this incident to give veterans peace of mind.”

While CHC announced that “a substantial portion of the people in America” could have had some protected health information leaked and is providing credit monitoring and identify theft protection services, VA is still working to identify any potentially compromised veteran data. The extent of damage done to veterans remains unclear, due primarily to CHC’s lack of cooperation with VA. The company has still not informed the Department which veterans were impacted and has not given a timeline for when VA can expect to receive this information.

This letter to UnitedHealth Group, Inc. CEO follows a previous letter sent to Department of Veterans Affairs (VA) Secretary Denis McDonough from Chairman Bost, Health subcommittee Chairwoman Dr. Mariannette Miller-Meeks, and Oversight & Investigations subcommittee Chairwoman Rep. Jen Kiggans. To read the first letter, click here.

Full text of the most recent letter Chairman Bost sent on this issue can be found here and below:

Dear Mr. Witty:

Your company’s response to the February 21, 2024 cyberattack on your subsidiary Change Healthcare (CHC) and lack of cooperation with the Department of Veterans Affairs (VA) and other federal agencies is deeply concerning. It has been almost two months since cybercriminals claimed to have stolen six terabytes of patient data from CHC and in response, you took down at least 18 critical CHC systems that VA relies on to do everything from processing community care payments, to transmitting prescriptions for patients. After initial reports of a ransom being paid to prevent the data from being published, there are now other reports of a second, related ransomware group holding stolen data hostage and demanding additional ransom payments.1 This bad situation seems to be getting worse. While nearly every institution is the target of cyberattacks, your company’s reticence seems to be impeding VA from fully understanding and recovering from this incident.

CHC was the target of this ransomware attack. But make no mistake, the victims are healthcare providers, agencies like VA that operationally depend on CHC, and crucially, the veterans who are being kept in dark by CHC about the status of their patient data. VA Assistant Secretary for Information and Technology Kurt DelBene recently wrote to alert me that CHC has yet to inform VA whether any veteran patient data was compromised in the cyberattack. Specifically, that “On March 28, 2024, CHC informed VA that impact attestations were available but that CHC would provide those attestations to all customers at a later date. CHC did not provide VA a timeframe when we would receive impact attestations. This is indefensible.”

I find it impossible to understand why CHC believes it is acceptable to tell VA that they know who was impacted by the attack, but they won’t provide any details or even commit to a timeline. Until CHC does so, there is nothing VA can do to alert veterans or help them protect themselves from fraud, scam, or identify theft attempts. This undermines VA’s efforts, when the agency is still reeling from the impacts of critical systems and interfaces going offline.

As you know, the circumstances that led to this catastrophe are being investigated and soon we will learn why this happened and if CHC violated any minimum privacy and security requirements or breach notification requirements.3 Going forward, I will urge VA to reevaluate its vulnerabilities to service providers such as CHC that represent a single point of failure with respect to clinical and administrative operations. Any such concentration of risk is a liability. However, if VA cannot rely on CHC or any other company to be a good-faith partner in the event of a breach, the Department must immediately look elsewhere as patient privacy and safety must be the number one priority.

I ask that you provide VA with the relevant impact attestations immediately. If you are unwilling to do so, I ask that you provide me with a written explanation of why you believe it is in the best interest of veterans or otherwise defensible for CHC to withhold the attestations. The nation is watching.

Sincerely,

MIKE BOST

Chairman

Cc: The Honorable Mark Takano, Ranking Member

[end]