Cyber breach reality check for healthcare: UnitedHealth responds to Senate follow up

The Bottom Line

The fact that such a large and well-resourced organization experienced a significant cybersecurity breach raises concerns about the vulnerability of smaller healthcare organizations with fewer resources.

What Happened

UnitedHealth Group (UHG) responded to questions for the record (QFRs) from the May 1st Senate Finance Committee hearing on the Change Healthcare cyberattack. The QFRs covered various topics, including the nature of the attack, the impact on patients and providers, and UHG’s response and remediation efforts. In its responses, UHG repeatedly emphasized its significant investment in cybersecurity, stating it has a “robust information security program with over 1,300 people and approximately $300 million in annual investment.”

Congressional members typically submit QFRs in the two weeks following a committee hearing, commonly to follow-up on testimony or to cover points not permitted during the hearing due to time constraints. Each committee has its own rules, but those receiving any QFR are expected to respond by a deadline stated in the QFR letter. Failure to do so may reflect negatively on the testifier’s cooperation with Congress.

Overall, UHG’s responses expressed a strong commitment to financially supporting affected providers and patients and cooperating fully and transparently with stakeholders, including the government. It outlined the many steps it has taken to strengthen its cybersecurity defenses in cooperation with experts and stakeholders and expressed confidence in being able to fully recover and continue providing high-quality service to its members.

Key Takeaways

1. Cyberattacks are a serious threat, even for the most well-resourced organizations. UHG’s repeated emphasis on its significant investment in cybersecurity, yet still falling victim to a major attack, underscores the need for all healthcare organizations to prioritize cybersecurity and invest in robust defenses.
2. The impact of a cyberattack can be far-reaching and long-lasting. The Change Healthcare attack disrupted patient care, delayed payments to providers, and compromised sensitive patient data. This highlights the importance of having incident response plans in place and being prepared for the potential financial and operational impacts of a cyberattack.
3. Collaboration between the public and private sectors is essential for addressing cybersecurity threats. UHG is working with government agencies and industry partners to share information and best practices to strengthen the healthcare industry’s cybersecurity posture. This suggests that healthcare organizations should actively participate in information sharing initiatives and collaborate with others to improve their defenses.

Additional Resources

• UHG QFR responses (Full)
• Key takeaways from the Change Healthcare hearing
• Congress interrogates UnitedHealth CEO over Change Healthcare cyberattack
• CHIME statement to the Senate Finance Committee
• CHIME Board Chair Scott MacLean’s testimony to Senate Finance