Senator demands answers from HHS about $7.5 million cyber theft in 2023

A U.S. senator is raising questions about a report that $7.5 million was stolen by cyber thieves from the the Department of Health and Human Services (HHS) last year.

Citing a Bloomberg report from January, Sen. Bill Cassidy sent HHS Secretary Xavier Becerra 11 questions about a breach of a platform for grant payments between March and November 2023. 

The unidentified hackers took over the email accounts of about five grantees and tricked HHS into sending the funds to bank accounts they controlled, the report said. Cassidy (R-LA), ranking member on the Senate’s health committee, said he wants answers by April 5. 

The affected program, the Health Resources and Services Administration, serves “at-risk populations, including children, pregnant women, and patients in rural populations,” Cassidy said. “The disruption in grant awards caused by this breach has the potential to delay patient care and create financial strain on health care facilities.”

HHS has not issued a public statement about the incident, and its Office of the Inspector General declined to confirm or deny an investigation was underway when pressed about it in January. 

The senator’s letter claims HHS has not notified Congress of the specifics of the incident, in violation of federal laws around breach notifications. 

“HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” Cassidy said.

A spokesperson for HHS told Recorded Future News that the department has been in regular contact with Congress and has offered to provide more updates if necessary. HHS said it is working to ensure that all grantees who were impacted have access to the full amount they were awarded. 

“The event in December was a targeted fraud campaign against the Payment Management System, not a cyberattack,” the spokesperson said. “HHS promptly reported the incident to the HHS Office of Inspector General. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance.”

HHS did not respond to further questions about why the incident has not been addressed publicly.

Cassidy’s questions range from specifics about the incident — when HHS discovered the breach, how many grantees were affected and when federal law enforcement was notified — to more general inquiries into what the department  has done to recover the funds or stop the attacks from happening again. 

Letters and legislation

The letter comes as more lawmakers have focused on cybersecurity practices in the healthcare system following the crisis surrounding UnitedHealth Group — which was hit with a ransomware attack last month causing countrywide issues for the industry. 

U.S. Sen. Gary Peters (D-MI) sent his own letter on Saturday to Becerra and Cybersecurity and Infrastructure Security Agency Director Jen Easterly calling for both to “prioritize cybersecurity improvements and protect Americans from cyberattacks in the health care sector.”

“The recent cyberattack on a UnitedHealth Group subsidiary, Change Healthcare, has disrupted their ability to process medical claims, impacting millions of Americans trying to fill their prescriptions and access health care services,” Peters said.

“Not only is this cyberattack impacting Americans domestically, but it has also disrupted access to health care on American military bases worldwide.”

The UnitedHealth incident’s catastrophic effects have  drawn scrutiny from Congress, the White House and HHS. Sen. Mark R. Warner (D-VA) introduced legislation on Friday that would allow for advance and accelerated payments to healthcare providers in the event of a cyber incident as long as they and their vendors meet minimum cybersecurity standards. 

Warner said it was “only a matter of time before we saw a major attack that disrupted the ability to care for patients nationwide.”