$7.5M Theft of Grant Fund Explained by HHS

Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, has questioned the Department of Health and Human Services (HHS) regarding a 2023 cyberattack that involved the theft of grant funds worth millions of dollars and the inability of the HHS to inform Congress regarding the incident.

In January 2024, Bloomberg publicized a report regarding a hacking incident that happened at the HHS. Based on the report, hackers accessed an HHS system that is used for processing civilian grant payments from March 2023 to November 2023. $7.5 million was stolen during that incident. The funds were to be transmitted to five accounts that support at-risk populations, such as pregnant women, children, and patients in rural areas.

Hackers are believed to have employed spear-phishing emails to attack HHS employees, who were fooled into exposing credentials that granted access to the accounts of the grantees. The HHS made an announcement back then stating that the incident report was submitted to the HHS’ Office of Inspector General; nevertheless, in January 2024, an HHS OIG representative could not confirm whether an investigation of the incident was started.

Sen. Cassidy’s letter to HHS Secretary Xavier Becerra stated that the HHS didn’t inform Congress concerning the incident and up to now has not publicly reported the breach, even if federal legislation calls for government departments to make known major cyberattacks. Sen. Cassidy stated any interruption to grant funds can cause financial strain to the healthcare facilities and the late receipt of grant awards might hold up life-saving treatment to patients. Healthcare institutions are encountering more cyberattacks and the HHS has released standard guidance to HIPAA-covered entities about the measures that need to be taken to enhance cybersecurity. HHS also announced goals for voluntary cybersecurity performance of the HPH sector. Senator Cassidy stated that the attack raises critical questions regarding HHS’ capability to protect its systems and safeguard taxpayer funding and sensitive information.

Senator Cassidy raised questions regarding HHS’ lack of transparency about the breach as well as its incident response. This behavior undermines community trust and indicates that the Federal government is not ready to safeguard patients against cybersecurity incidents. Americans rely on the HHS to protect taxpayer money from cyberattacks. In the event of an unauthorized breach of this magnitude, it is expected that HHS will be transparent about the facts involved and that HHS leadership will take the appropriate action to make sure that it will not occur again.

Sen. Cassidy has required answers to the following questions:

  • When did HHS discover a breach of its Payment Management Services (PMS) system?
  • When did the hackers access the system?
  • How much was stolen?
  • How many grantees were impacted by the incident?
  • When did the HHS notify the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) concerning the breach?
  • Did the attack cause any delay in payments of grant awards?
  • What steps did the HHS take to attempt to retrieve the stolen funds?

Questions were likewise asked regarding the safety measures that were set up before the attack, its internal incident response plan, the actions taken to determine and deal with any vulnerabilities in HHS systems, and how the HHS can explain the failure to inform Congress. Sen. Cassidy has asked for answers to each question by April 5, 2024.

A representative for the HHS stated that the HHS regularly communicates with Congress concerning the incident and is trying to make sure that the impacted grantees can get access to the finances granted to them. The December attack was a scam campaign targeting the Payment Management System. It was not a cyberattack, according to the HHS representative. HHS immediately submitted the incident report to the HHS Office of Inspector General as if it was a HIPAA compliance issue. As government stewards of taxpayer money, this matter is considered with the highest regard.

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA