Senators Demand Answers from UnitedHealth After Second Massive Data Breach in a Year – The HIPAA Journal
Two U.S. senators have written to UnitedHealth Group (UHG) CEO Stephen J. Hemsley demanding answers about cybersecurity and the response to the massive data breach at its subsidiary, Episource, which exposed the personal and protected health information of 5.4 million individuals earlier this year.
Episource, which was acquired by UHG-owned Optum in 2023, provides medical coding and risk adjustment services to physicians, health plans, and other healthcare companies. In June 2025, the company announced a hacking incident that involved unauthorized access to its network between January 27, 2025, and February 6, 2025. The hackers stole sensitive information such as names, dates of birth, Social Security numbers, health information, health insurance information, and Medicare/Medicaid numbers.
The hacking incident at Episource occurred within a year of a ransomware attack on another UHG subsidiary, Change Healthcare, which resulted in the largest healthcare data breach in U.S. history. Change Healthcare has recently confirmed that 192.7 million individuals were affected and had their data stolen in the attack. The attack resulted in a prolonged outage that caused major disruption to electronic prescribing, claims submission, and payment transmission, resulting in a $14 billion payment backlog, which put healthcare providers across the country under significant financial strain. Former UHG CEO Andrew Witty was grilled by Senators about the Change Healthcare ransomware attack and confirmed that the attackers accessed Change Healthcare’s systems using compromised credentials for a Citrix portal that lacked multifactor authentication.
In the letter, Senator Bill Cassidy (R-LA), Chairman of the Senate Committee on Health, Education, Labor, and Pensions (HELP), and Senator Maggie Wood Hassan (D-NH) questioned UHG’s commitment to securing patients’ protected health information given the fact that two major cyberattacks have been experienced in just 12 months and the Change Healthcare cyberattack was the result of a lack of basic cybersecurity measures and a failure to upgrade legacy systems in the two years since UHG acquired Change Healthcare. The senators also criticized UHG for the aggressive approach being taken to recover the loans issued to healthcare providers who were unable to bill for their services due to the prolonged outage of Change Healthcare’s systems.
“We have seen the recent threat that hostile actors, including Iran, may pose on healthcare entities and UHG’s repeated failures to protect against such attacks jeopardizes patient health,” wrote the senators, who have demanded answers from UHG about its response to the Episource cyberattack and how it is improving its security processes company-wide following the Change Healthcare cyberattack.
Regarding the Episource cyberattack, the senators want to know when the attack was first detected, when federal agencies were notified about the attack, the steps being taken to identify the information compromised in the incident, when UHG anticipates finalizing that process, and how UHG is proactively communicating with potentially impacted individuals and entities.
Given the hugely disruptive attack on Change Healthcare in February 2024, which was made possible due to security deficiencies, the senators want to know what remedial steps have been taken to improve security protocols, if those actions have been completed and, if not, when they will be completed, and if UHG has made any changes to how it conducts due diligence on companies it plans to acquire to assess potential security risks. The senators require answers to their questions by August 18, 2025.
Alera Group Notifies 155K Individuals About July 2024 Hacking Incident – The HIPAA Journal
Alera Group has notified more than 155,000 individuals about a July 2024 hacking incident. Data breaches have also been announced by The Good Samaritan Health Center of Cobb and Western Montana Clinic.
Alera Group Notifies Individuals About July 2024 Hacking Incident
Alera Group, Inc., a provider of risk management, insurance, and financial services, has notified 155,567 individuals about the potential theft of some of their protected health information. The incident was first announced on May 21, 2025, and has recently been reported to the HHS’ Office for Civil Rights.
Suspicious network activity was detected in August 2024, and the forensic investigation confirmed unauthorized access to its network between July 19, 2024, and August 4, 2024. During that time, sensitive data may have been copied. A file review was initiated to determine the types of data involved and the individuals affected, and that process was completed on April 28, 2025.
Alera Group has confirmed that the data related to employees and certain clients, business partners, and providers. That information included names, addresses, demographic information, dates of birth, birth/marriage certificates, Social Security numbers, driver’s licenses, financial account/credit card information, passports, other government-issued IDs (such as state IDs, military IDs, tribal IDs or taxpayer identification numbers), medical information (such as medical histories, diagnosis information, medications, and treatment/testing information), medical record numbers, insurance/claims data (potentially including health insurance information and Medicare/Medicaid IDs), electronic/digital signatures, biometric information, and username/password information. Alera Group has implemented additional cybersecurity measures to reduce the risk of similar incidents in the future.
The Good Samaritan Health Center of Cobb Announces Hacking Incident
The Good Samaritan Health Center of Cobb, in Marietta, Georgia, a provider of healthcare services to underserved and uninsured individuals, has disclosed a cybersecurity incident via its legal counsel. On or around November 4, 2024, suspicious activity was identified in its computer systems. A third-party cybersecurity firm was engaged to investigate the activity and confirmed unauthorized network access by an unknown third party, who may have viewed or acquired patient information. That third party appears to be the Qilin ransomware group, which claimed responsibility for the attack on its dark web data leak site.
The file review confirmed that the exposed data included full names, Social Security numbers, financial information, driver’s license or state identification information, medical information, and health insurance information. No reports have been received to date to indicate any misuse of that information; however, as a precaution, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
Several steps have been taken since the incident to improve security, including implementing encryption, password changes, and new technical safeguards. A new Security Rule risk analysis has been conducted, and a risk management plan has been implemented. The Good Samaritan Health Center will also be conducting periodic technical and non-technical evaluations of its security measures. There is no listing on the HHS’ Office for Civil Rights breach portal at present, so it is currently unclear how many individuals have been affected.
Western Montana Clinic Targeted in Phishing Campaign
Western Montana Clinic in Missoula has notified 8,255 patients that some of their personal and protected health information has been exposed in a security incident. Employees were targeted in a phishing campaign, and several employees responded and disclosed their login credentials, allowing unauthorized access to their accounts between March 11, 2025, and April 15, 2025.
The main purpose of the campaign was to change bank account information to divert payments to the attacker’s account, rather than to obtain patient information; however, data theft could not be ruled out. The incident was confined to email accounts, which were found to contain names, contact information, dates of birth, treating physician names, internal identification numbers, dates of service, diagnostic information, treatment information, medications, and for a small subset of patients, Social Security numbers. Western Montana Clinic said it will review email security and will continue to provide security awareness training to the workforce to help employees recognize and avoid phishing emails.
Hacking Incidents Announced by Two Texas Health Clinics – The HIPAA Journal
A drug and alcohol addiction center and an OB/GYN Medical Center in Texas have notified patients about unauthorized access to some of their protected health information.
Nova Recovery Center Reports Unauthorized Network Access
Nova Recovery LLC (Nova Recovery Center), a drug and alcohol addiction center in Wimberley, Texas, has identified unauthorized access to certain systems hosted on the Nova Recovery network. The intrusion was identified by its IT and Security teams on May 25, 2025. The threat was neutralized, and the breach was investigated to determine if any patient data had been exposed.
On June 17, 2025, Nova Recovery confirmed that business records on its network had been accessed, some of which contained patients’ personal information. Data compromised in the incident includes first, middle, and last names, addresses, dates of birth, Social Security numbers, and financial payment information. Individual notification letters have been mailed to the 7,713 affected individuals, and complimentary credit monitoring services have been offered. The third-party consulting firm hired to investigate the incident is helping to implement additional security measures to prevent similar incidents in the future.
OB/GYN Medical Center Associates Affected by ConnectOnCall Breach
In July 2025, OB/GYN Medical Center Associates in Houston, TX, published a breach notice on its website about a security incident at one of its business associates. ConnectOnCall.com, LLC, provided a voicemail messaging service through May 2024. ConnectOnCall notified OB/GYN Medical Center Associates that an unknown third party had access to certain data within the ConnectOnCall application between February 16, 2024, and May 12, 2024. ConnectOnCall took the compromised application offline while the incident was investigated by cybersecurity experts, and after enhancing security controls, the solution was brought back online.
Since being notified about the breach, OB/GYN Medical Center Associates has been reviewing the messages left for the practice via the ConnectOnCall system and has confirmed that patient data may have been accessed. The types of data involved depended on the information disclosed by patients in the messages and may have included names, information about physical conditions, medications, procedures, and other personal and medical information. The review was completed on June 25, 2025, and notification letters were mailed to the 2,132 affected individuals on July 23, 2025.