UnitedHealth Group’s response to a major cyberattack in February that wreaked havoc with medical payments nationwide has been “inadequate” and must be improved immediately, a group of 22 state attorneys general (AGs) told the company.

Change Healthcare, a unit within UnitedHealth’s Optum division, handles 15 billion transactions each year for providers and pharmacies. The cyberattack brought much of the country’s payment processing to a standstill, as the systems themselves were not just infiltrated but damaged. The personal health data of “a substantial proportion of people in America” might have been among the compromised files, the company said, and it confirmed it paid at least one ransom related to the attack.

In a letter dated April 25 to UnitedHealth Chief Executive Andrew Witty, the AGs said providers and facilities have been unable to reach UnitedHealth for assistance in bringing their payment processes back online. Hospitals and others are contacting UnitedHealth and Change Healthcare for information about what data has been breached and which vulnerabilities in the processing systems have been patched.