Ranking Member Takano Demands Accountability from UnitedHealth Group Regarding Data Breach Impacting Veterans

WASHINGTON – Ranking Member Mark Takano is demanding answers from UnitedHealth Group (UHG) after its admission that a data breach impacted 190 million people, including at least 1.2 million veterans. Ranking Member Takano criticized the company’s delayed and incomplete reporting, urging stronger oversight to protect veterans from private sector cybersecurity failures.

Despite the breach impacting the personal data of at least 1.2 million veterans, the Committee has not received updated data about the number of affected veterans since August 2024. Since UHG’s latest overall estimate of the number of impacted individuals is almost double what was originally estimated, we are concerned that the number of affected veterans could also be significantly higher than previously estimated. UnitedHealth has attested that Department of Veterans Affairs’ (VA) systems were not responsible for this leak, but rather community-based or private healthcare systems hat may not have the same data security requirements as VA. 

Ranking Member Takano said, “Last year’s Change Healthcare data breach represents a profound violation of trust for our nation's veterans and all Americans who depend on our healthcare system. This breach not only exposes critical gaps in the healthcare industry's cybersecurity practices, but it also alerts the public to the challenges that consolidation in the private, for-profit healthcare sector create for American patients, including veterans. No American – veteran or otherwise – should have to wait nearly a year to get clarity as to whether their personal information was breached or not.

Although this data breach was not due to any failure on the part of VA’s systems, it is clear that there are additional measures that the Department must undertake to further protect veterans' personally identifiable information (PII) and protected health information (PHI) from being accessed when veterans are receiving care in the community. VA must ensure additional oversight on its contractors, like UnitedHealth Group, and other third-party entities accessing veterans’ data.

Veterans deserve better protection of their personal and medical information.”

Background: In February 2024, Congress was notified of a cybersecurity breach of the Change Healthcare system, which impacted healthcare access nationwide and the attackers extracted 6.4TB of data from CHC networks. Though the Committee received several updates from VA and UnitedHealth Group following the breach, it was still unclear what impact the breach had on veteran patients.

In July 2024, Committee Ranking Member Mark Takano and Subcommittee on Technology Modernization Ranking Member Sheila Cherfilus-McCormick sent letters to UnitedHealth Groupand VA requesting information about the breach. It specifically requested documentation on the lack of timely assessment and reporting of the potentially compromised data. UnitedHealth was not able to provide its initial estimate of impacted veterans until nearly 6 months after the breach, and still has yet to confirm final impact estimates for the veteran population.

### 

• Print
• Email
• Tweet