WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, is seeking answers from the Department of Health and Human Services (HHS) on its failure to notify Congress of a cyberattack against the agency, resulting in the theft of $7.5 million in taxpayer dollars and potential delays in providing lifesaving health care to Americans.
Earlier this year, media outlets reported that hackers breached HHS’ internal system for awarding grants, resulting in the theft of approximately $7.5 million. This includes funding to programs administered by the Health Resources and Services Administration (HRSA), which serve at-risk populations, including children, pregnant women, and patients in rural populations.
HHS did not inform Congress that this incident occurred or even make any public acknowledgment of the incident. Under federal law, agencies are required to disclose major cyber breaches to Congress. At a time when cybersecurity incidents in the health care sector are only increasing, this attack raises serious questions about HHS’ ability to safeguard its own systems and protect taxpayer funds and sensitive data.
Disruptions in grant funding can create significant financial strain on health care facilities and delay lifesaving care for at-risk patients. Cassidy is demanding answers as to how hackers were able to steal the affected grant awards, why HHS failed to publicly disclose this breach, and what steps HHS has taken to identify and address any vulnerabilities within its own systems.
HHS has shown a concerning pattern of lacking transparency in its response to cybersecurity incidents. Last week, Cassidy urged HHS to provide information on its response to the recent cyberattack on Change Healthcare, which has had a widespread negative impact across our health care system and threatened access to health care for many Americans. Despite the serious nature of this attack, HHS has failed to provide substantive and regular updates to Congress on how it is responding and assisting affected stakeholders.
“HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks,” wrote Dr. Cassidy. “Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again.”
Read the full letter here or below.
Dear Secretary Becerra:
Cybersecurity attacks pose a grave risk to patients. As the Sector Risk Management Agency (SRMA) for the Health and Public Health (HPH) sector, the Department of Health and Human Services (HHS) is the primary coordinating body for cybersecurity incidents. However, recent cyberattacks affecting HHS’ internal systems raise questions about its own cybersecurity readiness.
Recent reports indicate that hackers gained access to HHS’ own systems and stole approximately $7.5 million in grant awards to be designated to individual awardees, including those administered by the Health Resources and Services Administration (HRSA).[1] This is extremely concerning. HRSA programs serve at-risk populations, including children, pregnant women, and patients in rural populations. The disruption in grant awards caused by this breach has the potential to delay patient care and create financial strain on health care facilities. HHS’ lack of transparency and communication regarding this breach, including communication to Congress as required by law, undermines the public trust and suggests that the Federal government is not prepared to protect patients against cybersecurity attacks.
Americans entrust HHS to safeguard taxpayer dollars from cyberattacks. An unauthorized breach of this nature requires transparency from HHS about the facts at issue, and leadership from HHS to take the necessary steps to ensure that it does not happen again. As such, in an effort to better understand the facts surrounding this incident and HHS’ remedial efforts, I ask that you answer the following questions, on a question-by-question basis, by April 5, 2024: