Veterans Health Information Feared to Be Stolen in Cyberattack that Shut Down Pharmacies

Andrew Witty, CEO of UnitedHealth Group, testifies at a Senate Finance Committee hearing examining cyberattacks on health care, and the Change Healthcare cyberattack, in Washington.
Andrew Witty, CEO of UnitedHealth Group, testifies at a Senate Finance Committee hearing examining cyberattacks on health care, and the Change Healthcare cyberattack, Wednesday, May 1, 2024, on Capitol Hill in Washington. (Jacquelyn Martin/AP Photo)

A top lawmaker is demanding answers on whether veterans' private health information was stolen in a cyberattack earlier this year after the company that was hacked acknowledged that a "substantial proportion of people in America" may have had sensitive information taken.

In a letter to UnitedHealth Group CEO Andrew Witty that was publicly released Thursday, House Veterans Affairs Committee Chairman Mike Bost, R-Ill., demanded the company be more cooperative with the Department of Veterans Affairs and immediately tell the VA whether any veterans' information was stolen in the attack on subsidiary Change Healthcare, or CHC.

"If you are unwilling to do so, I ask that you provide me with a written explanation of why you believe it is in the best interest of veterans or otherwise defensible for CHC to withhold the attestations," Bost added. "The nation is watching."

Read Next: Temporary Promotions for Army Noncommissioned Officers to End in June

In February, Change Healthcare, one of the largest prescription and insurance claims processors in the U.S., was targeted by a ransomware attack that shut down its network. The hack disrupted vast swaths of the health care sector and left pharmacies nationwide scrambling to fill prescriptions manually, including at military health care providers and the VA.

It wasn't until April that military pharmacies said their operations had returned to normal.

The attack has been attributed to a transnational hacking group known as BlackCat/ALPHV, which itself has reportedly claimed to have stolen six terabytes of patient data in the hack.

Last week, UnitedHealth Group, which owns Change Healthcare, acknowledged that "a substantial proportion of people in America" may have had protected health information or personally identifiable information exposed in the hack, though the company stressed it has no evidence doctors' charts or full medical histories are among the stolen data.

"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals," the company said in a news release.

The hack and UnitedHealth's response have garnered considerable scrutiny in Congress. Witty was called to testify before two congressional panels on Wednesday, where he revealed initial estimates are that about one-third of Americans could have had data compromised in the attack and that hackers entered the system through one server that lacked multifactor authentication.

Multifactor authentication is a basic cybersecurity measure on most computer systems these days that requires users to verify their identity beyond just entering a password, often by entering a code that's emailed or texted.

At a news conference last week, VA Secretary Denis McDonough said that, while the department had "no confirmation" yet that veterans' data was stolen in the hack, it was proactively reaching out to 15 million veterans and family members to alert them about the issue and provide ways to protect themselves from identity theft and fraud. The department also set up a website with information on how veterans can protect themselves.

In a letter to Bost last month, the VA also expressed frustration at UnitedHealth's lack of cooperation with the department.

"On March 28, 2024, CHC informed VA that impact attestations were available, but that CHC would provide those attestations to all customers at a later date," Kurt DelBene, the VA's under secretary for information and technology, wrote in the April 8 letter, a copy of which was obtained by "CHC did not provide VA a time frame when we would receive impact attestations. This is indefensible."

DelBene added that "VA remains concerned that we have not received information about what, if any, information was taken in the attack on CHC nor received a timeline when we can expect any such information."

In his letter to Witty, Bost said he finds Change Healthcare's response to the VA "impossible to understand."

"While nearly every institution is the target of cyberattacks, your company's reticence seems to be impeding VA from fully understanding and recovering from this incident," he wrote.

Bost's letter was sent April 18, but the committee did not publicly release it until after the panel had a conversation with UnitedHealth that "did not change our assessment of the situation," a committee spokesperson told

A spokesperson for UnitedHealth did not immediately respond to's request for comment Thursday on the letter or the hack's effect on veterans.

UnitedHealth is offering two years of free credit monitoring services for anyone worried their personal information may be compromised. More information on signing up for the credit monitoring is available here.

Related: Military Pharmacies Return to Full Operation Following Breach by Transnational Hacking Group

Story Continues