What’s Next in Change Healthcare Cyberattack?

May 31, 2024

A U.S. Senator is calling on the Federal Trade Commission and the U.S. Securities and Exchange Commission to investigate UnitedHealth Group following the Change Healthcare cyberattack.

In a letter yesterday to the federal agencies, Senator Ron Wyden (D-OR) expressed concerns about the company’s cybersecurity practices and the industry-wide fallout stemming from the February 21 cyberattack.

“Hackers gaining access to one remote access server should not result in a ransomware infection so serious that the company must rebuild its digital infrastructure from scratch,” Wyden’s letter said.

Federal lawmakers and agencies are still weighing next steps following the cyberattack that caused disruption across health care earlier this year. Here’s what you need to know:

• Status update:  More than three months after the cyberattack, UnitedHealth Group is still working to bring all its systems back online.
• Legislative action:  In addition, Congress is likely to pursue legislative initiatives related to health care cybersecurity. A proposal introduced this month would require the U.S. Department of Health and Human Services Inspector General to perform consistent evaluations of the department’s cybersecurity systems and report findings to Congress .
• Patient notification:  Earlier this month, the American Hospital Association called on the company to take full responsibility to notify patients for any breaches related to the attack.
• A new risk management cycle:  Federal cybersecurity officials last month released a new plan to protect against 21^st-century cybersecurity threats, noting the need to for a new risk management cycle to ensure critical infrastructure sectors are ready to respond to heightened risks.
• Quotable:  “As those responsible for the security and resilience of U.S. critical infrastructure, we must collectively address emergent risks and an uncertain future while remaining vigilant against longstanding threats like terrorism, natural disasters, and targeted violence,” said Jen Easterly, director, Cybersecurity and Infrastructure Security Agency, in a blog post.

HAP continues to monitor the latest cybersecurity developments and provide updates to members. HAP created a one-stop shop to offer the latest resources online, including exclusive member-only information (login required).

For more information, contact Jason Tomashunas, MS, CHEP, manager, emergency management.