UnitedHealth Group has yet to inform the Department of Veterans Affairs (VA) which veterans were impacted by the February ransomware attack on the company’s Change Healthcare unit, according to the top lawmaker on the House Veterans’ Affairs Committee.
Rep. Mike Bost, R-Ill., chair of the House committee, made public an April 18 letter on Thursday that he sent to UnitedHealth Group CEO Andrew Witty demanding answers as to whether any veteran patient data was compromised in the cyberattack.
According to the letter, VA Chief Information Officer (CIO) Kurt DelBene said that Change Healthcare (CHC) let the VA know in March that “impact attestations were available” but it would provide those attestations to customers “at a later date.” The CIO said that the company did not provide a timeline for when VA can expect to receive this information.
As of May 2, the VA has still not received this information from Change Healthcare.
“I find it impossible to understand why CHC believes it is acceptable to tell VA that they know who was impacted by the attack, but they won’t provide any details or even commit to a timeline,” Rep. Bost wrote.
“Until CHC does so, there is nothing VA can do to alert veterans or help them protect themselves from fraud, scam or identity theft attempts. This undermines VA’s efforts, when the agency is still reeling from the impacts of critical systems and interfaces going offline,” he added.
The congressman called on Change Healthcare to provide the VA with the relevant impact attestations “immediately.” He also noted that if the VA cannot rely on the company as a “good-faith partner in the event of a breach” then it should look elsewhere for a provider.
“Not only are we concerned about the immediate impacts of this ransomware attack on veterans, but this catastrophe also brings a bigger concern of mine to light,” Rep. Bost said in a May 2 press release. “VA doesn’t have a firm grip on how the companies it lets handle veterans’ data protect that data. As the largest integrated healthcare system in the nation, this is simply unacceptable. When veterans’ data gets hacked, we need answers and solutions not obstacles and excuses. I am determined to get to the bottom of this incident to give veterans peace of mind.”
This letter follows a similar letter from Rep. Bost, Health Subcommittee Chairwoman Mariannette Miller-Meeks, R-Iowa, and Oversight and Investigations Subcommittee Chairwoman Jen Kiggans, R-Va., to VA Secretary Denis McDonough.
Secretary McDonough told a House VA subcommittee on April 16 that the Change Healthcare ransomware attack also raised new challenges during the VA’s most recent rollout of its Electronic Health Records Modernization (EHRM) program.
McDonough touted the recent EHRM rollout at its North Chicago site as “very positive” thus far, but said it occurred “at the same time as we were experiencing challenges associated with Change Healthcare.”
“There are still challenges with the UnitedHealth Group. We had a very serious meeting with them just last night about that,” McDonough said during the April hearing.
“So, it’s hard to discern some of our concerns about, for example, the pharmacy function in our record, and how much of that is a reflection of Change Healthcare and the interoperability of that system with ours now, and how much of that is the new system,” he said. “But, we’ll stay on top of this.”
