In Wake of Healthcare System Cyberattack, 22 State Attorneys General Call for Further Action of Data Privacy

Foley Hoag LLP - Security, Privacy and the Law

On April 25, 2024, the attorneys general of 22 states issued a letter encouraging UnitedHealth Group and its subsidiary, Change Healthcare, to take additional steps to respond to a massively disruptive cyberattack. The broad, bipartisan group of signatories reflects both the scale of the attack’s impact and its implications for the priorities of state attorneys general—from healthcare regulation to data privacy, consumer protection, and even antitrust concerns.

The Cyberattack & Response to Date
As our colleagues wrote about previously, on February 21, 2024, Change Healthcare—the largest healthcare payment system in the United States—announced that it had been targeted in a ransomware attack that resulted in its systems shutting down. The attack’s impact has been widespread: the American Hospital Association (AHA) characterized it as “the most significant and consequential cyberattack on the U.S. healthcare system in American history,” with an AHA survey showing more than 90% of hospitals reporting some financial impact.

In their April 25 letter to UnitedHealth Group CEO Andrew Witty, the attorneys general described how “Change Healthcare’s platform is woven throughout the nation’s health care delivery infrastructure,” leading to what they described as the attack’s “catastrophic disruptions” to providers, pharmacies, and patients. The attorneys general also noted a suspected ransom payment of $22 million, made via Bitcoin to a digital-asset wallet associated with Russian “cybersecurity threat actor ALPHV/Blackcat.” Witty has since confirmed that UnitedHealth paid the ransom to regain access to Change Healthcare’s systems, in what he called “one of the hardest decisions I’ve ever had to make.”  

The recovery process is underway. Starting on March 7, 2024, UnitedHealth has publicly announced and updated timelines to restore key Change Healthcare systems. Most recently, on April 22, 2024, the company stated that while UnitedHealth had identified some Protected Health Information (PHI) and Personally Identifiable Information (PII) among the data accessed in the attack, it had not seen any evidence of extraction of certain especially sensitive materials, “such as doctors’ charts or full medical histories.”

Additional Actions Called For
Nonetheless, in the April 25 letter, the attorney general coalition, led by Minnesota Attorney General Keith Ellison, called for further action from UnitedHealth and Change Healthcare to address the fallout from the attack, characterizing their response to date as “inadequate.” The bipartisan group of attorneys general—including those from California, New York, Massachusetts, Nebraska, South Dakota, and Utah—requested several specific actions, including developing a dedicated complaint resolution mechanism for state agency complaints and a helpline for affected providers and pharmacies to resolve questions or affected claims. The attorneys general also called for enhanced financial support for affected entities, noting with approval that UnitedHealth had already removed certain conditions (including a waiver of claims against UnitedHealth) initially placed on its financial assistance. Finally, the attorneys general encouraged UnitedHealth and Change Healthcare to take additional steps to notify entities whose data was exposed in the breach and to shield the information of providers and pharmacies from UnitedHealth’s other corporate lines of business. 

The attorneys general specifically noted that their letter did not resolve any ongoing or contemplated investigations, leaving open the possibility of future enforcement actions. 

Potential Implications for Future Antitrust Actions 
In a press release issued concurrently with the letter, Minnesota Attorney General Ellison, the letter’s lead signatory, highlighted that his office had previously tried to block UnitedHealth’s acquisition of Change Healthcare. In 2022, Attorney General Ellison, along with fellow letter signatory New York Attorney General Letitia James, had joined a U.S. Department of Justice lawsuit alleging that the acquisition would violate antitrust laws, an effort that proved unsuccessful when a U.S. District Court ultimately allowed the merger to proceed. In the April 25 press release, AG Ellison called out the states’ specific allegation in that 2022 suit that the acquisition would “put too much market power and data in the hands of one corporation at so many levels of the health care industry.” His press release then encouraged consumers to report concerns about anticompetitive practices via his office’s antitrust reporting site. 

While AG Ellison’s press release does not draw any specific factual connection between the acquisition and the 2024 cyberattack on Change Healthcare, AG Ellison’s invocation of the challenged acquisition suggests his office is closely scrutinizing the data-privacy implications of mergers and acquisitions that would concentrate the ownership or management of consumers’ data. We can expect to hear such concerns articulated in future antitrust inquiries and enforcement actions. 

Ellison is not alone in raising antitrust concerns about healthcare industry consolidation; members of Congress share this concern. At a May 1, 2024, hearing of the U.S. Senate Finance Committee at which UnitedHealth’s CEO Witty testified, committee Chairman Ron Wyden echoed this potential connection to antitrust enforcement. Sen. Wyden called the attack a warning about “the consequences of ‘too big to fail’ mega-corporations” and suggested that “anticompetitive practices likely prolonged the fallout from this hack.” When asked directly, Witty assured the committee that UnitedHealth would not “take advantage” of “destabilized provider markets” to acquire additional subsidiaries. 

It remains to be seen whether the rhetoric in press releases and committee hearings ultimately translates to future actions seeking to block merger activity, but entities contemplating mergers or acquisitions should expect and plan for increased regulatory scrutiny of their data-privacy policies and protections. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Security, Privacy and the Law | Attorney Advertising
