Bipartisan Senate duo wants answers from UnitedHealth over Episource data breach

Two U.S. senators are demanding answers from UnitedHealth Group (UHG) about a data breach in January affecting a tech subsidiary of the healthcare giant.

Bill Cassidy (R-LA) and Maggie Hassan (D-NH) asked in a letter on Tuesday about the incident at Episource, a company founded in 2006 that provides medical coding and risk adjustment services to doctors, health plans and health companies. The company was acquired in 2023 by Optum — a healthcare conglomerate owned by UHG.

Episource warned regulators in June that hackers breached its systems between January 27 and February 6, stealing the Social Security numbers, Medicaid-Medicare ID numbers and medical records of 5.4 million people.

The senators said the hack “raises significant questions about UHG’s efforts to safeguard patient information.” Cassidy is a physician and the chairman of the Senate’s health committee, and Hassan is a member of the panel.

“We have seen the recent threat that hostile actors, including Iran, may pose on health care entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health,” the senators said. 

UHG has until August 18 to respond to four questions about the Episource hack, including when they first became aware of the breach; when they notified federal regulators; what date they will have a better understanding of what the hackers stole; and more general information about how the company is improving its cybersecurity protections. 

A spokesperson for UHG confirmed receipt of the letter and said the company will provide the requested information. They added that the incident “was isolated to the Episource environment.”

In letters to victims, Episource said law enforcement was involved in the investigation into the cyberattack and that the company had to shut off its computer systems to stop the attack. No hacking group has taken credit for the incident as of August.

Victims of the data breach either received services from one of the doctors or were members of a health plan that uses Episource’s tools. Episource previously dealt with a data breach in 2023 that leaked much of the same information for an unknown number of people.

Continuing fallout from Change Healthcare hack

The letter references last year’s ransomware attack on another UHG subsidiary, Change Healthcare, and said both incidents show “a repeated pattern of UHG’s failure to secure its internal cyber systems after acquiring other companies.”

In new breach notification letters filed in New Hampshire last week, Change Healthcare said that as of July 31, it estimates approximately 192.7 million people had data stolen during the ransomware attack. 

UnitedHealth’s CEO previously told Congress that about one-third of all Americans had information processed in some way by the company because it handles about 1 in 3 medical records and processes about half of all medical claims in the U.S.

Cassidy and Hassan slammed UHG for its conduct in the fallout of the Change Healthcare attack — which left significant parts of the U.S. healthcare industry paralyzed for months due to the subsidiary’s crucial role in processing insurance payments for drugs and treatment. 

The senators said UnitedHealth Group has “further strained impacted provider practices by taking aggressive steps to seek repayments for loans UHG issued to support those providers due to its own system failures.”

Change Healthcare recently informed victims that the toll-free call center it set up for victims will cease operations on August 26. That is also the last day victims of the breach can enroll online in complimentary credit monitoring and identity theft protection services.