Change Healthcare hasn't given VA details on hack-impacted veterans, top lawmaker says

Rep. Mike Bost, R-Ill., the top Republican on the House Veterans Affairs Committee, is looking for answers about the impact of the Change Healthcare hack on veterans.

Rep. Mike Bost, R-Ill., the top Republican on the House Veterans Affairs Committee, is looking for answers about the impact of the Change Healthcare hack on veterans. Bill Clark/CQ-Roll Call, Inc via Getty Images

Rep. Mike Bost, R-Ill., said the company has “impact attestations” on those affected but won’t provide them to VA.

The top lawmaker on the House Veterans’ Affairs Committee called out UnitedHealth Group CEO Andrew Witty for not providing the Department of Veterans Affairs with information about veteran data that might have been stolen during the February ransomware attack on the company’s Change Healthcare unit, despite reportedly knowing further details about the breach. 

The cyberattack on Change Healthcare, the nation’s largest healthcare payment system, disrupted prescription services and provider payments at hospitals and medical facilities across the country. The company ultimately made a $22 million ransom payment, although the attackers claimed they stole six terabytes of patient data from the company. 

In an April 18 letter to Witty that was publicly released on Thursday, Rep. Mike Bost, R-Ill. — the chair of the House panel — said Kurt DelBene, VA’s chief information officer, had written him to say that Change Healthcare told the department in March that “impact attestations were available” on the stolen data but that the company said it would provide that information “to all customers at a later date.” DelBene said the company did not give VA a timeline for providing that data. 

“I find it impossible to understand why [Change Healthcare] believes it is acceptable to tell VA that they know who was impacted by the attack, but they won’t provide any details or even commit to a timeline,” Bost wrote. “Until [Change Healthcare] does so, there is nothing VA can do to alert veterans or help them protect themselves from fraud, scam or identify theft attempts. This undermines VA’s efforts, when the agency is still reeling from the impacts of critical systems and interfaces going offline.”

Witty told lawmakers during a Senate Finance Committee hearing on Wednesday that UnitedHealth would send breach notifications to all affected patients in the coming weeks.

During an April press conference, VA Secretary Denis McDonough said “there's no confirmation yet” that veteran data was stolen during the attack but that the department proactively sent an email to over 15 million veterans and their families to alert them about the cyber incident and provide them with information on tools and resources they can use to protect their personal information. 

A VA spokesman told Nextgov/FCW last month that the attack did not cause “any adverse impact on patient care or outcomes,” although it did knock several of the department’s IT systems and other platforms offline. VA is still working to restore all of its affected systems.

A spokesperson for Sen. Jon Tester, D-Mont. — chairman of the Senate Veterans’ Affairs Committee — said the senator has also been monitoring the attack’s impact on VA and is “working to ensure that Change Healthcare cooperates with VA to share information about any veteran or other VA data that was compromised as part of the attack.”