Senators Demand Answers from UHG on Aggressive Loan Repayment Tactics Following Cyberattack

Senate Finance Committee Ranking Member Ron Wyden (D-OR) and Senate Banking Committee Ranking Member Elizabeth Warren (D-MA) have demanded answers from UnitedHealth Group about the alleged aggressive tactics being used to recover the funds lent to healthcare providers following the ransomware attack on Change Healthcare last year.

Change Healthcare fell victim to a ransomware attack in February 2024, causing a prolonged outage of Change Healthcare’s systems, which handled approximately 45% of all healthcare transactions at the time of the attack. Providers were reliant on those systems for obtaining authorization and payment from health insurers, and the outage caused severe payment and reimbursement problems, with providers having to cover the costs of treatment, tests, vaccinations, and even prescriptions. Patients also faced disruptions, especially those unable to afford to pay for their medications without copay assistance.

UnitedHealth Group, through its industrial bank subsidiary Optum Financial, established a temporary funding assistance program, which provided interest-free loans to hospitals and medical practices experiencing financial difficulties due to the outage. More than $9 billion in loans were paid to struggling providers. Systems were brought back online after several months; however, the financial difficulties have continued for many providers, who are now having to repay the loans. There have been multiple reports that UnitedHealth Group has been adopting aggressive tactics to recover funds, including withholding payments or health insurance claims through its insurance subsidiary UnitedHealthcare.

“These reports are particularly troubling because they underscore the extraordinary market power of United’s massive, vertically-integrated conglomerate: the problem was caused by a breach of United’s payment clearinghouse, Change; the loans were offered by United’s industrial bank, Optum Financial; and now the company is using its insurance arm as a collection tool,” explained the senators in the August 27, 2025 letter to UnitedHealth Group CEO, Stephen J. Hemsley, and Optum Financial CEO, Dhivya Suryadevara.

UnitedHealth Group has been accused of using loan shark tactics to recover the loans, including refusing to negotiate payment plans. Providers have claimed they were told to immediately repay the loans in full, which in some cases run to hundreds of thousands of dollars. Some have been threatened with the withholding of all current claims payments if the debt is not repaid within five business days, with funds withheld until the debt is repaid in full. Further, claims from the period after the cyberattack, when Change Healthcare’s systems were offline, have allegedly been rejected for failing to meet the filing deadline.

UnitedHealth had previously told the Senate Committee on Banking, Housing, and Urban Affairs and the Senate Committee on Finance that loan recipients were given 45 days to repay the loans, and that UnitedHealth Group contacted each recipient multiple times during those 45 days. If no response was received after the 45-day period, providers were contacted and told to pay within five business days. If there was still no response, claims would be offset and moved into recoupment. UnitedHealth Group suggested that if providers could not repay within that time frame, it would work out a mutually agreeable repayment plan.

The senators have demanded answers from UnitedHealth Group and Optum Financial on the loan repayment process and have requested answers to the following questions by September 12, 2025.

  1. Provide data indicating the total number of loans lent to providers from March 2024 to present.
  2. Provide documents detailing the process and criteria that Optum Financial used to distribute funds to providers who were adversely impacted by the February 2024 attack.
  3. Provide documents detailing Optum Financial’s repayment process.
  4. Provide a copy of any and all written agreements that were given to providers when they accepted funds.
  5. Provide any and all copies of express repayment plans that Optum Financial offers to health care providers who accepted funds.
  6. Provide documents detailing redress options that Optum Financial makes available to providers who are unable to repay funds within 45 days of initial notification.
  7. Does Optum Financial plan to outsource collection efforts to a third party?
  8. Provide documents related to any intercompany loans that were made to Optum Financial, if applicable.
  9. Did United Health or Optum Financial solicit or use third-party financing for the purposes of making either loans to providers or intercompany loans? If yes, provide details.

The post Senators Demand Answers from UHG on Aggressive Loan Repayment Tactics Following Cyberattack appeared first on The HIPAA Journal.

Absolute Dental Confirmed Data Breach Affecting Over 1.2 Million Individuals

Absolute Dental, a Nevada dental practice with over 50 locations in Las Vegas, Carson City, Reno, Sparks, and Minden, has completed its investigation of a February 2025 cyberattack and has confirmed that more than 1.2 million individuals had some of their personal and protected health information exposed.

Absolute Dental reported the data breach to the HHS’ Office for Civil Rights in May 2025 using a placeholder figure of 501 affected individuals. At the time, it was unclear how many individuals had been affected. While the breach portal has not yet been updated with the new total, the Oregon Attorney General was informed that 1,223,635 individuals have been affected.

Absolute Dental explained in its substitute breach notice that an issue was identified within its information systems on February 26, 2025. Steps were taken to secure its systems and investigate the nature and scope of the activity. Third-party cybersecurity experts were engaged to assist with the investigation and confirmed that an unauthorized third party had access to its network between February 26, 2025, and March 5, 2025.

The file review was completed on July 28, 2025, when it was confirmed that sensitive personal data was exposed and potentially stolen. The affected individuals had their name exposed along with one or more of the following: contact information, date of birth, Social Security number, driver’s license or state-issued ID information, passport or other governmental ID information, and health information. Health information may have included health history, diagnosis/treatment information, explanation of benefits, health insurance information, and/or medical record number (MRN) or patient identification number. A small subset of the affected individuals also had their financial account and/or payment card information exposed.

Absolute Dental said the third-party forensic investigation revealed that initial access to its network occurred via the execution of a malicious version of a legitimate software tool through an account associated with its managed services provider. Absolute Dental did not state which legitimate software tool was involved. The description suggests that a threat actor breached the network of its managed services provider, then either tricked an Absolute Dental employee into executing a malicious version of the software tool or abused the privileged access of the managed services provider to install the tool, thus gaining access to Absolute Dental’s information systems.

Absolute Dental has reported the data breach to regulators, notified law enforcement, and implemented additional safeguards and technical security measures to prevent similar incidents in the future. Notification letters are being mailed to the affected individuals, who have been offered two years of complimentary credit monitoring services.

Couple Plead Guilty to $1M Fraud Scheme Involving Stolen Patient Data

A former business clerk at Montefiore Medical Center and his partner have pleaded guilty to stealing thousands of patient records and using the stolen data to defraud government agencies out of almost $1 million.

Wilkins Estrella, 40, of Hackensack, New Jersey, had worked at the Bronx hospital for almost a decade. He was terminated in 2020 after an internal audit of access logs revealed he had been accessing patient records without authorization from at least 2020 to 2022. The review confirmed that more than 4,000 medical records were accessed without any legitimate business purpose for doing so. Montefiore Medical Center reported the data breach to the HHS’ Office for Civil Rights and referred the matter to law enforcement for criminal prosecution.

Along with his romantic partner, Charlene Marte, 31, of the Bronx, New York, Estrella misused patient data to open debit card accounts in patients’ names and had those cards sent to their own addresses and those of family members. The pair then used data from multiple sources to target COVID-19 relief funds from the Internal Revenue Service (IRS) and the New York State Department of Labor, including patients’ names, Social Security numbers, and other personally identifiable information obtained from Montefiore Medical Center.

The pair attempted to obtain $1.6 million in stimulus checks, tax refunds, and unemployment benefits, resulting in almost $1 million in actual losses. The funds were loaded onto the debit cards that the couple had fraudulently obtained.

Marte pled guilty to conspiracy to commit wire fraud and bank fraud on July 28, 2025, and is due to be sentenced on November 5, 2025. She faces up to 30 years in jail. Estrella pled guilty to conspiracy to commit wire fraud and bank fraud on August 7, 2025, as well as one count of wrongful disclosure of individually identifiable health information. Estrella faces a maximum jail term of 30 years for the bank and wire fraud counts, and up to 10 years in jail for the wrongful disclosure charge, and is due to be sentenced on December 1, 2025. Estrella and Marte are also liable for $951,618.20 in forfeiture and the same amount in restitution.

“Wilkins Estrella stole the personal data of thousands of people, including hospital patients, and used this data along with his partner Charlene Marte to claim money that was intended to assist struggling Americans during the pandemic,” said U.S. Attorney Jay Clayton. “Defrauding federal programs harms all New Yorkers, and our Office is committed to stopping it.”

UI Community HomeCare Hacking Incident Affects 211,000 Patients

On Friday last week, University of Iowa Health Care and its affiliated UI Community HomeCare, a home infusion and medical equipment service provider, announced a hacking incident that was identified on July 3, 2025.

Immediate action was taken to contain the threat, and its systems were safely restored within one business day. Third-party cybersecurity experts were engaged to conduct a forensic investigation to determine the nature and scope of the unauthorized activity, and it was confirmed that a cybercriminal hacker had access to the UI Community HomeCare network on July 3, 2025.

While the networks of University of Iowa Health Care and affiliated UI Community HomeCare are separate, both entities share some patients, employees, and data files. Some of those data files were exfiltrated by the hacker, although the investigation confirmed that there was no unauthorized access to its electronic medical record system.

The review of the affected data revealed that the files contained the personal and protected health information of approximately 211,000 individuals. Notification letters were mailed to those individuals last week. Information compromised in the incident varies from individual to individual and may include an individual’s name in combination with some or all of the following: address, phone number, date of birth, provider name, medical record number, visit type, date(s) of service, insurance information, and Social Security number.

At the time of issuing the notification letters, no evidence of misuse of any of the affected information had been identified; however, the affected individuals have been encouraged to closely monitor their account statements, credit reports, and explanation of benefits statements, and should report any suspicious activity.

UI Health Care and UI Community HomeCare said several steps have been taken to improve security and prevent similar incidents in the future, and monitoring for unauthorized access to their computer systems has been enhanced.
