House lawmakers want to know how many veterans had personal medical data compromised in a massive cybersecurity attack earlier this year against the private firm Change Healthcare, calling it a potential “catastrophe” for families across the country.
So far, both Veterans Affairs officials and executives at UnitedHealth Group — which owns Change Healthcare — have said they do not know if any such private information was stolen in the attack.
But corporate leaders have acknowledged that “a substantial proportion of people in America” could have been affected by the breach, and understanding the scope of its impact could take months.
The Feb. 21 attack disrupted VA and military pharmacy operations along with thousands of civilian medical offices. VA payments to outside medical offices were also temporarily halted.
During testimony before Congress this week, UnitedHealth Group CEO Andrew Witty said the company’s systems were hacked by outside criminals who stole data and deployed ransomware, crippling operations.
UnitedHealth officials were forced to pay $22 million in bitcoin to regain control of the system, but are still unsure of the lingering effects of the attack.
In a letter to Witty on Thursday, House Veterans Affairs Committee Chairman Mike Bost, R-Ill., said the company’s lack of transparency and poor security is unacceptable, particularly given the amount of veteran and service member data they work with.
“There are now other reports of a second, related ransomware group holding stolen data hostage and demanding additional ransom payments,” he wrote. “This bad situation seems to be getting worse. ... While nearly every institution is the target of cyberattacks, your company’s reticence seems to be impeding VA from fully understanding and recovering from this incident.”
Last week, VA Secretary Denis McDonough said that most department operations have resumed as normal following the attack, and that officials “are not aware of any adverse impacts on vets care or health outcomes because of the breach.”
But he said he is pressing UnitedHealth officials for more information on lost veterans data and any potential future problems related to the breach.
“If we do learn that veterans’ personal information has been compromised, we’ll move quickly to mitigate the impact and provide full support to veterans affected,” he said.
Change Healthcare has announced plans to offer free credit monitoring to any individuals whose data was compromised. VA officials have also outlined tools to protect veterans against fraud on their department website.
But Bost noted in his letter that lawmakers and veterans need to know the full scope of the attack before they can address any lingering problems. He demanded a clear timeline on when that information will be made public, with assurances that work is moving ahead as quickly as possible.
“If VA cannot rely on Change Healthcare or any other company to be a good-faith partner in the event of a breach, the department must immediately look elsewhere as patient privacy and safety must be the number one priority,” he wrote.
Leo covers Congress, Veterans Affairs and the White House for Military Times. He has covered Washington, D.C. since 2004, focusing on military personnel and veterans policies. His work has earned numerous honors, including a 2009 Polk award, a 2010 National Headliner Award, the IAVA Leadership in Journalism award and the VFW News Media award.