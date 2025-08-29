Criminals have hacked the data of millions of Americans this year in cyberattacks on health insurance companies and hospital systems, and AARP is urging more action to protect consumers.

​We wrote to the head of the Department of Health and Human Services (HHS) to express our deep concern over the recent spate of cyberattacks, calling them “a wake-up call” for the industry.

​“Persistent vulnerabilities in the American health care system are putting our sensitive personal, financial and health information at risk of being exposed and exploited,” AARP Senior Vice President for Government Affairs Bill Sweeney wrote in a July 31 letter to HHS Secretary Xavier Becerra.

​An attack on the Ascension health ﻿ system in May delayed appointments, disrupted access to medical tests and forced some emergency rooms to divert ambulances to other hospitals, according to news reports.

​In February, cybercriminals stole what has been described as a substantial amount of data in a ransomware attack on UnitedHealth Group subsidiary Change Healthcare. The company is still determining how many people were affected, but HHS has called the impact﻿ on patient care and privacy "unprecedented.."

​“We are particularly concerned that after the recent attacks, some consumers still have not been directly notified or encouraged to take steps to protect themselves,” Sweeney told HHS in the letter. “People cannot afford to wait months until an investigation verifies their data was compromised.”

​AARP called on HHS and the health care industry to take a number of actions in response to the attacks. They include: rapid notification whenever consumers are impacted; a holistic analysis of IT vulnerabilities within health care systems that handle consumer data; and an examination of laws and regulations to make sure patients are protected.

​HHS and health care companies should focus not only on preventing future attacks, we wrote, but also on developing notification and contingency plans to lessen the impact on patients when they do occur.

​Read our letter and learn more about how to protect yourself from identity theft and fraud.