Protecting Americans’ Sensitive Health Information: Energy and Commerce Republicans Take Action

Energy and Commerce Republicans have been actively working since the February 21st cyberattack on Change Healthcare to understand how it happened, how it can be prevented in the future, and how to help Americans continue to access care. Change Healthcare, one of the largest health payment processing companies in the world, was knocked offline by the cyberattack, leading to a backlog of unpaid claims and threatening patients’ access to care.

It has been revealed that millions of Americans may have had their sensitive health information leaked onto the dark web as a result of the attack, despite UnitedHealth paying a ransom to the cyber attackers. Energy and Commerce Republicans have been working with the administration and Change Healthcare to help providers navigate the reimbursement process and ensure they can continue caring for patients.

Following briefings with the Administration for Strategic Preparedness and Response, the Centers for Medicare and Medicaid Services, and Change Healthcare, bipartisan Energy and Commerce leaders wrote to UnitedHealth seeking answers about the attack. The Subcommittee on Health also held a hearing to explore cybersecurity vulnerabilities in the healthcare sector and discuss solutions.

This week, the Oversight and Investigations Subcommittee called UnitedHealth CEO Sir Andrew Witty to explain what happened during the attack, how the company is responding, and how it plans to prevent future attacks. It was revealed that the attack occurred because UnitedHealth wasn’t using multifactor authentication to secure critical systems, leading to a leak of sensitive health information for potentially a third of Americans.

Despite paying a $22 million ransom in Bitcoin, UnitedHealth cannot guarantee that more sensitive information won’t be leaked. The company has resources available to help individuals and providers affected by the attack, including a website and hotline for support. The handling of the situation by UnitedHealth has been criticized by lawmakers, with calls for better cybersecurity safeguards and accountability in the healthcare sector.