
The UnitedHealth Group holds the record for the largest healthcare data breach in history. The 2024 data breach at Change Healthcare, a UHG subsidiary, affected over 190 million individuals. UHG recently revised that number upward to 192.7 million, according to a letter Change Healthcare sent to New Hampshire’s attorney general.
UnitedHealth Group is facing scrutiny from Congress again because of another cyberattack earlier this year at another subsidiary, Episource.
UnitedHealth Group Subsidiary Cyberattack in 2025
A major data breach happened at a UHG subsidiary in 2025. In June, medical billing company Episource reported a breach affecting 5.4 million individuals.
Episource discovered the breach on February 6, 2025. An internal investigation found that the cyber attackers were inside Episource’s network for about 10 days, between January 27 and February 6. While there, they accessed and copied files containing protected health information (PHI). The PHI stolen included names, dates of birth, Social Security numbers, health information, health insurance information, and Medicare/Medicaid numbers.
Episource is Second Largest Healthcare Breach in 2025
The Episource breach is the second-largest healthcare data breach so far in 2025, according to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website. The largest reported breach so far happened at Yale New Haven Health System, affecting 5.55 million.
While both of these are large breaches, they are dwarfed by UHG’s Change Healthcare breach in 2024, which affected 57% of the U.S. population.
Two Senators Demand Answers from UnitedHealth Group
Last year, former UnitedHealth Group CEO Andrew Witty faced Senators’ questions about the Change Healthcare ransomware attack. He confirmed that the attackers accessed Change Healthcare’s systems using compromised credentials for a Citrix portal that lacked multifactor authentication (MFA). Witty’s admission sent shock waves through the healthcare cybersecurity community, since MFA is considered an essential and relatively easy cybersecurity measure to defend against attacks.
Follow-up questioning has begun. Last week, two U.S. senators, Bill Cassidy (R-LA), chair of the Senate Committee on Health, Education, Labor, and Pensions, and Maggie Wood Hassan (D-NH), sent a letter to UHG CEO Stephen Hemsley asking questions about the Episource breach and the steps that UHG has taken to strengthen its cybersecurity since the Change Healthcare cyberattack last year.
The most recent letter to Stephen Hemsley asks about UnitedHealth Group’s commitment to securing patients’ protected health information, given that UHG has experienced two major cyberattacks in 12 months.
The senators wrote:
“The hack at Change Healthcare was due to UHG’s failure to implement multifactor authentication and upgrade legacy systems after UHG acquired Change Healthcare. The hack on Episource, which UHG acquired in 2023, raises questions about the company’s commitment to securing PHI, given the repeated security failures at the company.”
“The failure to properly secure internal systems is particularly troubling given the wide impact that the Change Healthcare attack had on the healthcare system. The risk of cyberattacks continue to threaten the healthcare sector. We have seen the recent threat that hostile actors including Iran may pose on healthcare entities, and UHG’s repeated failures to protect against such attacks jeopardizes patient health.”
The senators also criticized UnitedHealth Group for the aggressive approach being taken to recover the loans issued to healthcare providers who were unable to bill for their services due to the prolonged outage of Change Healthcare’s systems.
The letter asks UHG to provide answers to a list of about 10 questions, including whether UHG made any changes (and what types of changes) in how it conducts due diligence regarding security risks for companies it acquires.
The letter demands a response by August 18.
HIPAA Risk Analysis is Key
A healthcare company’s duty to safeguard patient information is fundamental to quality care and required by HIPAA. The Senators are asking questions that go to the heart of HIPAA’s Risk Analysis requirements.
One commentator points out that this latest data breach at UHG underscores the importance of conducting a risk analysis and “acting swiftly on those recommendations.”
Data breaches are expensive, but prevention is not.

