UnitedHealth under investigation by US Congress for transparency concerns

Citing transparency concerns regarding the Change Healthcare attack, the US Congress committee on oversight and accountability wrote a letter to UnitedHealth chief executive officer Andrew Witty, requesting information be shared.

“We write to request information about a cyber security incident and the subsequent extended system outages at UnitedHealth Group-owned (UHG) Change Healthcare, a ‘software and data analytics’ firm providing prescription, administrative, and payment processing services across the US health care system,” wrote committee ranking member Jamie Raskin.

The letter says that the US Cybersecurity and Infrastructure Security Agency advised the committee that it was unable to act in any way due to the lack of information provided by UnitedHealth.

Combined with the massive consequences of the attack on Change Healthcare, leaving millions of Americans without the ability to get potentially life-changing medications, the committee has requested that Witty share information on the attack.

“Given your company’s dominant position in the nation’s healthcare and health insurance industry, Change Healthcare’s prolonged outage as a result of the cyber attack has already had ‘significant and far-reaching’ consequences for patients, physicians, and thousands of hospitals, pharmacies and medical practices, and is disrupting patients’ timely access to affordable medication and treatments,” added Raskin, who suggested that some people may need to choose on paying high upfront costs for necessary medication, find alternatives or go without.

Raskin also added that the committee is “concerned that UnitedHealth Group is restricting the ability of federal agencies to provide applicable assistance to Change Healthcare”.

As a result, Raskin has requested that UnitedHealth provide the committee with the information it has requested “and a staff briefing on the incident” by 8 April 2024 to help it understand the extent of the breach and the outages that have left so many healthcare facilities and organisations without the ability to provide for their customers.

The Congress investigation is the second government probe into UnitedHealth since its breach last month, with the US Department of Health and Human Services (HHS) announcing an investigation on 13 March.

VIEW ALL

The HHS, through its Office for Civil Rights, says it is investigating whether any health data was stolen in the breach.

“The Office for Civil Rights (OCR) is aware that Change Healthcare, a unit of UnitedHealth Group, was impacted by a cyber security incident in late February that is disrupting health care and billing information systems nationwide,” it wrote.

“The incident poses a direct threat to critically needed patient care and essential operations of the health care industry.

“Given the unprecedented magnitude of this cyber attack, and in the best interest of patients and healthcare providers, OCR is initiating an investigation into this incident.

“OCR’s investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules.”

The Change Healthcare breach was discovered on 21 February 2024, when the company said it had discovered a “suspected nation-state associated cyber security threat actor” had accessed its systems.

The attack was quickly claimed by the ALPHV (BlackCat) ransomware group, who told UnitedHealth to correct their message and attribute them.

However, when UnitedHealth eventually paid out US$22 million in ransom payments, ALPHV went dark, pocketing the money and claiming it was once again dismantled by law enforcement, a claim that was quickly proven wrong.

It turns out that the ALPHV affiliate behind the attack, utilising the ransomware gang’s infrastructure, didn’t receive a cent of the cut it was promised for the attack, meaning UnitedHealth’s systems were not restored. The affiliate, who goes by the name “Notchy”, had been scammed.

However, based on “evidence” discovered by Menlo Security, Notchy could indeed be a nation-state associated cyber security threat actor after all, with connections to China.

“The research team has dug deeper into both BlackCat and its affiliate known as Notchy, who was responsible for the attack, and compiled a detailed timeline of recent activity on the dark web,” said a PR spokesperson in contact with Cyber Daily.

“Additionally, the team has uncovered evidence that points to Notchy possibly being tied to China and this being a state-sponsored attack, and that Notchy possibly used SmartScreen Killer and/or the latest version of Cobalt Strike in their attack against Change Healthcare.”

Menlo failed to disclose what that evidence was but said that the initial findings by UnitedHealth alongside “credible intelligence from a HUMINT source” close to the situation led the company to suggest it was “highly likely” Notchy was affiliated with a Chinese state-sponsored actor.

“Due to the sensitive nature of this information and possible LAE investigations, we are currently unable to disclose further details at this time.”

Good news for UnitedHealth however, is that the group has begun rebuilding, having enabled some systems once again and begun preparing to pay at least US$14 billion in unprocessed medical claims it has built up.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.