The CEO of UnitedHealth Group subsidiary recently testified before Congress about a ransomware attack that affected a third of Americans in February. It may take several months to identify and notify those impacted by the hack as the company continues to search through stolen data. The cyberattack is considered the most significant health care cyberattack in US history, prompting calls for cybersecurity regulations in the health care industry.
The ransomware attack paralyzed computers that Change Healthcare, the subsidiary, uses to process medical claims, leading to disruptions in payments for health providers across the country. The Department of Health and Human Services is investigating whether UnitedHealth complied with federal law in protecting patient data. Despite working to rebuild computer systems and restore insurance claims to near-normal levels, the process of identifying and notifying those affected by the hack has been challenging due to compromised data files.
Lawmakers questioned whether UnitedHealth and Change Healthcare, which processes billions of health care transactions annually, have an outsized influence on the US health sector, leaving it vulnerable to cyberattacks and other disruptions. The company has attributed the hack to a criminal group known as ALPHV or BlackCat, which has a history of ransomware attacks on victims worldwide. Despite the FBI’s recommendation against paying ransoms, UnitedHealth paid a $22 million ransom in an effort to protect patient data from disclosure.
Other major US firms have also made multimillion-dollar ransom payments to recover stolen data or restore systems following cyberattacks. Lawmakers expressed a desire to continue pressuring UnitedHealth to determine the extent of personal health information accessed during the ransomware attack, as many Americans remain unaware of the full impact on their sensitive information. The incident has raised concerns about the need for increased cybersecurity measures in the health care industry to prevent future attacks and protect patient data.
