In letter, U.S. senators admonish UnitedHealth after second major cyberattack in a year

Another major computer breach involving UnitedHealth Group has prompted two U.S. senators this week to query the health care giant about the adequacy of its cyber defenses.

Episource, a UnitedHealth subsidiary, had its systems hacked last winter, exposing the data of 5.4 million people.

The cyberattack appears to be the second-largest U.S. health care hack this year and follows a record-breaking breach in February 2024 of another United subsidiary, Change Healthcare.

The Change cyberattack is regarded as the largest ever U.S. health care hack. It affected the data of 190 million people — about half the country’s population.

“The recently reported hack of Episource, a subsidiary of UnitedHealth Group (UHG), raises significant questions about UHG’s efforts to safeguard patient information,” Sen. Bill Cassidy, R-La., and Sen. Maggie Hassan, D-N.H., wrote Monday to UnitedHealth CEO Stephen Hemsley.

“We have seen the recent threat that hostile actors, including Iran may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health.”

The senators asked UnitedHealth to respond by Aug. 18.

Eden Prairie-based UnitedHealth is one the nation’s largest companies and the biggest U.S. health insurer. Episource, like Change Healthcare, is part of the company’s Optum group, which runs clinics, manages pharmacy benefits and provides other services to health care companies.

California-based Episource specializes in health care technology and data services. Its customers include medical providers and health care plans.

Episource said in a statement that it found “unusual activity in its computer systems” on Feb. 6.

An investigation found that a “cybercriminal was able to see and take copies of some data” between Jan. 27 and Feb. 6. The breach didn’t affect all of Episource’s customers.

Data that may have been compromised included contact information — names, addresses, phone numbers — and health insurance information such as “Medicaid-Medicare government payor ID numbers.”

After completing its investigation, the company said it started notifying customers about the breach on April 23.

Episource reported the hack to the U.S. Department of Health and Human Service on June 6, saying it affected 5.4 million people, according to the department’s website.

At the time, Episource said it was unaware of any misuse of the exposed data.

In their letter to Hemsley, Hassan and Cassidy asked UnitedHealth for more information about the Episource hack and for updates on the company’s handling of the Change Healthcare breach.

Change Healthcare shut down its computer systems in February 2024 to contain the cyber debacle, throwing a wrench into the nation’s health care system.

UnitedHealth’s then-CEO Andrew Witty was compelled to testify before Congress in May 2024 about the breach.

The hack has produced a storm of litigation, too, as heath care companies seek compensation from UnitedHealth for millions of dollars of alleged losses.