Senators Demand Answers from UnitedHealth After Second Massive Data Breach in a Year
Two U.S. senators have written to UnitedHealth Group (UHG) CEO Stephen J. Hemsley demanding answers about cybersecurity and the response to the massive data breach at its subsidiary, Episource, which exposed the personal and protected health information of 5.4 million individuals earlier this year.
Episource, which was acquired by UHG-owned Optum in 2023, provides medical coding and risk adjustment services to physicians, health plans, and other healthcare companies. In June 2025, the company announced a hacking incident that involved unauthorized access to its network between January 27, 2025, and February 6, 2025. The hackers stole sensitive information such as names, dates of birth, Social Security numbers, health information, health insurance information, and Medicare/Medicaid numbers.
The hacking incident at Episource occurred within a year of a ransomware attack on another UHG subsidiary, Change Healthcare, which resulted in the largest healthcare data breach in U.S. history. Change Healthcare has recently confirmed that 192.7 million individuals were affected and had their data stolen in the attack. The attack caused a prolonged outage that severely disrupted electronic prescribing, claims submission, and payment transmission, resulting in a $14 billion payment backlog, which put healthcare providers across the country under significant financial strain. Former UHG CEO Andrew Witty was grilled by senators about the Change Healthcare ransomware attack and confirmed that the attackers accessed Change Healthcare’s systems using compromised credentials for a Citrix portal that lacked multifactor authentication.
In the letter, Senator Bill Cassidy (R-LA), Chairman of the Senate Committee on Health, Education, Labor, and Pensions (HELP), and Senator Maggie Wood Hassan (D-NH) questioned UHG’s commitment to securing patients’ protected health information, given that two major cyberattacks have been experienced in just 12 months and that the Change Healthcare cyberattack was the result of a lack of basic cybersecurity measures and a failure to upgrade legacy systems in the two years since UHG acquired Change Healthcare. The senators also criticized UHG for the aggressive approach being taken to recover the loans issued to healthcare providers who were unable to bill for their services due to the prolonged outage of Change Healthcare’s systems.
“We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health,” wrote the senators, who have demanded answers from UHG about its response to the Episource cyberattack and how it is improving its security processes company-wide following the Change Healthcare cyberattack.
Regarding the Episource cyberattack, the senators want to know when the attack was first detected, when federal agencies were notified about the attack, the steps being taken to identify the information compromised in the incident, when UHG anticipates finalizing that process, and how UHG is proactively communicating with potentially impacted individuals and entities.
Given the hugely disruptive attack on Change Healthcare in February 2024, which was made possible by security deficiencies, the senators want to know what remedial steps have been taken to improve security protocols, whether those actions have been completed and, if not, when they will be completed, and whether UHG has made any changes to how it conducts due diligence on companies it plans to acquire to assess potential security risks. The senators require answers to their questions by August 18, 2025.


