Skip to Content

Press Releases

Foxx Demands Answers After Cybersecurity Breach Affected Workers’ & Families’ Access to Health Care

WASHINGTON – Today, Education and the Workforce Committee Chairwoman Virginia Foxx (R-NC) sent a letter to Acting Secretary of Labor Julie Su requesting additional information about the Employee Benefits Security Administration’s (EBSA) cybersecurity capabilities and procedures after a cybersecurity breach at Optum’s Change Healthcare unit exposed the threat cybercriminals pose to EBSA’s ability to protect workers’ information and employer-sponsored health insurance plans.

In the letter, Foxx writes: “On February 21, 2024, Optum, a subsidiary of United Health Group (UHG), reported that its Change Healthcare business unit experienced a cyber security issue and that it was working to address the problem. By February 29, Change Healthcare confirmed that it was the victim of a cyberattack by a cybercrime actor. The Committee on Education and the Workforce (Committee) has jurisdiction over health care benefits provided by private employers. In light of this attack, the Committee is concerned by threats cybercriminals pose and how the Employee Benefits Security Administration (EBSA) is working to curb that risk for itself and for employer-sponsored benefit plans.”

Foxx continues: “The Change Healthcare hack immediately affected workers’ and their families’ access to health care. Prescriptions could not be filled. Health care claims and payments were halted. Pharmacies, military hospitals, and clinics attempted workarounds to mitigate disruptions. Moreover, Change Healthcare’s backlog of medical claims resulting from the cyberattack has not been resolved. … Nearly 153 million people rely on employer-sponsored health insurance benefits. This attack is emblematic of the threats that service providers in the employer-sponsored health market face.”

Foxx concludes by requesting additional information, including:
  • How many cybersecurity investigations has EBSA conducted since February 2021? What enforcement actions did EBSA take because of these investigations? Provide any specific findings that resulted from any cybersecurity investigations.
  • What metrics does EBSA use within cybersecurity investigations? What methodologies does EBSA use in cybersecurity investigations? Provide any guidance or formalized procedures for conducting a cybersecurity investigation.
  • Has EBSA uncovered account theft, claims theft, or other asset theft from any Employee Retirement Income Security Act plan? Please quantify and explain. What steps did EBSA take to protect the security of these assets?
  • What is EBSA doing to protect its own systems from cybercriminals?
  • Has EBSA ever been hacked or compromised by cybercriminals? If so, when and was any information obtained? Provide any incident reports for any cyber incident where information was illegally obtained from EBSA.
  • Is EBSA considering updating its 2021 cybersecurity guidance? What other tools do employers need in order to protect their plans from cyber threats, and what are EBSA’s plans for communicating those best practices?

To read the full letter, click here


Stay Connected