Congress rails against UnitedHealth Group after ransomware attack

House lawmakers on Tuesday sharply criticized the health care giant UnitedHealth Group for the company’s role in and response to a ransomware attack on its subsidiary Change Healthcare that crippled parts of the U.S. health care system.   

Since the Feb. 21 ransomware attack — arguably the most consequential cyberattack on critical infrastructure since the Colonial Pipeline attack three years ago — UnitedHealth Group has been under scrutiny for both its acquisition of Change Healthcare as well as what members consider to be its poor response to the incident. The Department of Health and Human Services announced an investigation into whether the payment processor and its parent company were in compliance with federal health data privacy laws.

Though common in a health care industry rife with vertical integration, the 2022 merger of UnitedHealth and Change Healthcare — which was opposed by the Department of Justice at the time — amounted to a national security risk, subcommittee ranking member Anna Eshoo said during a Tuesday hearing before the Energy and Commerce health subcommittee. The California Democrat cited Change Healthcare’s massive network, which processes around 15 billion medical claims — “that’s billion with a ‘b’” — while encompassing around “900,000 physicians, 118,000 dentists, 33,000 pharmacies, 5500 hospital hospitals and 600 labs.”

“The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our health care system,” Eshoo said. “The cyberattack laid bare the vulnerability of our nation’s health care infrastructure.”

UnitedHealth Group did not make anyone available for the hearing despite the subcommittee’s request, according to committee Chair Cathy McMorris Rodgers, R-Wash. Though Eshoo later said that CEO Andrew Witty had agreed to “come in,” his absence was notable on a day in which the company said during an earnings call that the ransomware attack caused $872 million in losses, with the expectation that it may surpass $1 billion. UnitedHealth’s stock jumped over 6% following the earnings release, though its shares had fallen 15% in 2024 as of Monday.

Rep. Buddy Carter, R-Ga., meanwhile, said during Tuesday’s hearing that the Federal Trade Commission “failed the American people by allowing this vertical integration to happen. It needs to be busted up.”

John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said hospitals may not have even realized that they were reliant on Change Healthcare.

Hospitals may have had a business relationship with a company, not knowing that that relationship exposed them to Change. Once the breach occurred, they discovered “that entity used Change as the clearinghouse for that consolidation of services, and our interconnectivity resulted in this widespread impact,” Riggi said. 

Greg Garcia, executive director for cybersecurity with the Healthcare Sector Coordinating Council, said that his organization does not hold a position on the Change Healthcare merger, but believes that “all future such mergers and acquisitions need to be considered … on whether that consolidation would result in higher cyber risk.”

Garcia also said that the council is mapping out the sector to understand the systemic risk in order to get a better understanding of the dependencies.

Sen. Mark Warner, D-Va., has proposed a bill that would allow health care providers who are victims of cyberattacks accelerated financial support from the federal government, as long as they meet minimum cybersecurity standards.

Health care groups have pushed against this idea. The American Hospital Association wrote a letter to Sen. Ron Wyden, D-Ore., who has advocated for such standards, saying that they “cannot support proposals for mandatory cybersecurity requirements.”

Dr. Adam Bruggeman, an orthopedic surgeon at the Texas Spine Center that was impacted by the breach, said that UnitedHealth has not provided any information relating to the scope of the data stolen and what health information is compromised. In fact, Bruggeman said that he was not aware that data stolen from Change Healthcare was for sale on the dark web until Monday, when he read it in the news.

CyberScoop reported on April 9 that operators of Ransomhub, a site on the dark web that auctions stolen data, claimed they were in possession of over 4 terabytes of data from the ransomware attack.

Bruggeman also noted that physicians have little recourse against software vendors because terms of service typically limit liability dramatically. His medical records vendor, for example, caps liability at $10,000 —   the equivalent of three months of software fees.

“That number for my practice has the potential to run into the hundreds of thousands of dollars to recover that I would be responsible for, even though it was not my breach,” he said.