Veterans Health Information Feared to Be Stolen in Cyberattack that Shut Down Pharmacies

Rebecca Kheel

May 2, 2024 at 3:39 PM·4 min read

A top lawmaker is demanding answers on whether veterans' private health information was stolen in a cyberattack earlier this year after the company that was hacked acknowledged that a "substantial proportion of people in America" may have had sensitive information taken.

In a letter to UnitedHealth Group CEO Andrew Witty that was publicly released Thursday, House Veterans Affairs Committee Chairman Mike Bost, R-Ill., demanded the company be more cooperative with the Department of Veterans Affairs and immediately tell the VA whether any veterans' information was stolen in the attack on subsidiary Change Healthcare, or CHC.

"If you are unwilling to do so, I ask that you provide me with a written explanation of why you believe it is in the best interest of veterans or otherwise defensible for CHC to withhold the attestations," Bost added. "The nation is watching."

In February, Change Healthcare, one of the largest prescription and insurance claims processors in the U.S., was targeted by a ransomware attack that shut down its network. The hack disrupted vast swaths of the health care sector and left pharmacies nationwide scrambling to fill prescriptions manually, including at military health care providers and the VA.

It wasn't until April that military pharmacies said their operations had returned to normal.

The attack has been attributed to a transnational hacking group known as BlackCat/ALPHV, which itself has reportedly claimed to have stolen six terabytes of patient data in the hack.

Last week, UnitedHealth Group, which owns Change Healthcare, acknowledged that "a substantial proportion of people in America" may have had protected health information or personally identifiable information exposed in the hack, though the company stressed it has no evidence doctors' charts or full medical histories are among the stolen data.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals," the company said in a news release.

The hack and UnitedHealth's response have garnered considerable scrutiny in Congress. Witty was called to testify before two congressional panels on Wednesday, where he revealed initial estimates are that about one-third of Americans could have had data compromised in the attack and that hackers entered the system through one server that lacked multifactor authentication.

Multifactor authentication is a basic cybersecurity measure on most computer systems these days that requires users to verify their identity beyond just entering a password, often by entering a code that's emailed or texted.

At a news conference last week, VA Secretary Denis McDonough said that, while the department had "no confirmation" yet that veterans' data was stolen in the hack, it was proactively reaching out to 15 million veterans and family members to alert them about the issue and provide ways to protect themselves from identity theft and fraud. The department also set up a website with information on how veterans can protect themselves.

In a letter to Bost last month, the VA also expressed frustration at UnitedHealth's lack of cooperation with the department.

"On March 28, 2024, CHC informed VA that impact attestations were available, but that CHC would provide those attestations to all customers at a later date," Kurt DelBene, the VA's under secretary for information and technology, wrote in the April 8 letter, a copy of which was obtained by Military.com. "CHC did not provide VA a time frame when we would receive impact attestations. This is indefensible."

DelBene added that "VA remains concerned that we have not received information about what, if any, information was taken in the attack on CHC nor received a timeline when we can expect any such information."

In his letter to Witty, Bost said he finds Change Healthcare's response to the VA "impossible to understand."

"While nearly every institution is the target of cyberattacks, your company's reticence seems to be impeding VA from fully understanding and recovering from this incident," he wrote.

Bost's letter was sent April 18, but the committee did not publicly release it until after the panel had a conversation with UnitedHealth that "did not change our assessment of the situation," a committee spokesperson told Military.com.

A spokesperson for UnitedHealth did not immediately respond to Military.com's request for comment Thursday on the letter or the hack's effect on veterans.

UnitedHealth is offering two years of free credit monitoring services for anyone worried their personal information may be compromised. More information on signing up for the credit monitoring is available here.

TechCrunch
UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack
Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it’s still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare’s parent company UnitedHealth Group, said that the stolen files include the personal health information of “a substantial proportion of people in America.” On Wednesday, during a House hearing, when pushed to give a more definitive answer, Witty testified that the breach impacted “I think, maybe a third [of Americans] or somewhere of that level.”
TechCrunch
UnitedHealth data breach should be a wake-up call for the UK and NHS
The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country. As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks -- it's a $500 billion juggernaut, and the 11th largest company globally by revenue.
TechCrunch
UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack
UnitedHealth Group Chief Executive Officer Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all the company’s systems exposed to the internet in response to the recent cyberattack against its subsidiary Change Healthcare. The lack of multi-factor authentication was at the center of the ransomware attack that hit Change Healthcare earlier this year, which impacted pharmacies, hospitals and doctors' offices across the United States. Multi-factor authentication, or MFA, is a basic cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.
TechCrunch
UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America'
Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans' private healthcare data. UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may "cover a substantial proportion of people in America." The health insurance giant did not say how many Americans are affected but said the data review was "likely to take several months" before the company would begin notifying individuals that their information was stolen in the cyberattack.
Yahoo Personal Finance
What is a VA Certificate of Eligibility, and how do you get one?
You need a VA Certificate of Eligibility to get a VA home loan. Learn what a VA COE is and how to get one.
Yahoo Personal Finance
How to spot credit card skimmers
Learn what credit card skimmers are, how to spot them, and the steps you can take to protect your debit and credit card information.
Yahoo Personal Finance
What is a student credit card and how do you pick one?
Learn how to choose a student card by evaluating the available rates, terms, rewards, and bonus offers.
Yahoo Music
K-pop group NewJeans is at the center of messy feud: What to know
Breaking down the ongoing K-pop drama between ADOR CEO Min and Hybe.
Yahoo Personal Finance
Online banking vs. traditional banking: Which one is right for you?
Choosing where to bank is a key financial decision, but you may be wondering what’s better: online banking vs. traditional banking. Here’s what to know.
TechCrunch
Adobe comes after indie game emulator Delta for copying its logo
After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta -- an app 10 years in the making -- hit the top of the App Store's charts. Delta's game emulator was built by developer Riley Testut, who had begun his experiments in this space by figuring out how to load games onto graphing calculators, before turning to iOS.
Yahoo Life Shopping
The 27 best Walmart deals to shop this weekend — save up to 75% on early Memorial Day sales, summer essentials and more
Ready for your pre-summer perusal: A massive patio umbrella for over half off, a 65-inch Hisense smart TV for under $500 and a Keurig hot/iced coffeemaker for nearly $70 off.
Yahoo Sports
FSU petitioning NCAA to rescind penalties related to NIL recruiting violations
The penalties are the result of a rule-breaking incident that transpired in 2022, when a booster and representative of the school’s NIL collective made an offer to a prospect.
TechCrunch
Meta's latest experiment borrows from BeReal's and Snapchat's core ideas
Meta is once again taking on its competitors by developing a feature that borrows concepts from others -- in this case, BeReal and Snapchat. The company is developing a feature for Instagram called “Peek” that would allow users to post authentic pictures that can only be viewed once. While Snapchat popularized the idea of ephemeral content on social media, BeReal led the trend of posting authentic, unedited content.
Yahoo News
Courtroom sketch artists capture history at Trump's hush money trial. Here are some of the best.
Since it’s not being televised, — the only images of testimony from inside the courtroom are portraits being done by sketch artists like Jane Rosenberg, whose sketches depict Trump and other key figures in various states and moods.
Yahoo News
New Yahoo News/YouGov poll shows why Biden-Trump rematch is still neck and neck
Right now, neither candidate is strong enough to capitalize on his opponent's flaws.
Engadget
Apple is said to be working on a 'significantly thinner' iPhone
The iPhone could be going the way of the iPad Pro by becoming much thinner next year. However, you'll may have to pay quite a lot for this rumored slender model, which may replace the Plus in the annual iPhone lineup.
Yahoo Life Shopping
I'm an interior designer, and these are my top picks from Amazon's outdoor rug Memorial Day sale — save up to 80%
Treat your toes to these elusive deals on Safavieh, Loloi, Amber Lewis, Nourison, NuLoom and more.
Yahoo Sports
Scottie Scheffler warmed up in jail cell ahead of 5-under round at PGA Championship
Even after early morning arrest, Scottie Scheffler has himself near the top of the leaderboard after two rounds of the 106th PGA Championship.
Yahoo Sports
Yankees looking to extend Juan Soto, Elly De La Cruz is unreal & listener emails
Jake Mintz & Jordan Shusterman discuss the Yankees looking to extend Juan Soto during the season, Elly De La Cruz being dangerous on the base paths, answer some listener emails and give their weekly rendition of the Good, the Bad & the Uggla.
Yahoo Sports
Don’t forget the tragedy at the heart of this year’s PGA Championship
Over and above all the concern about Scottie Scheffler’s arrest, there’s this: someone died at a golf tournament Friday.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Veterans Health Information Feared to Be Stolen in Cyberattack that Shut Down Pharmacies

Recommended Stories

UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack

UnitedHealth data breach should be a wake-up call for the UK and NHS

UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack

UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America'

What is a VA Certificate of Eligibility, and how do you get one?

How to spot credit card skimmers

What is a student credit card and how do you pick one?

K-pop group NewJeans is at the center of messy feud: What to know

Online banking vs. traditional banking: Which one is right for you?

Adobe comes after indie game emulator Delta for copying its logo

The 27 best Walmart deals to shop this weekend — save up to 75% on early Memorial Day sales, summer essentials and more

FSU petitioning NCAA to rescind penalties related to NIL recruiting violations

Meta's latest experiment borrows from BeReal's and Snapchat's core ideas

Courtroom sketch artists capture history at Trump's hush money trial. Here are some of the best.

New Yahoo News/YouGov poll shows why Biden-Trump rematch is still neck and neck

Apple is said to be working on a 'significantly thinner' iPhone

I'm an interior designer, and these are my top picks from Amazon's outdoor rug Memorial Day sale — save up to 80%

Scottie Scheffler warmed up in jail cell ahead of 5-under round at PGA Championship

Yankees looking to extend Juan Soto, Elly De La Cruz is unreal & listener emails

Don’t forget the tragedy at the heart of this year’s PGA Championship