At a tense Senate hearing Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that crippled the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive health information from million Americans.
Democratic and Republican senators questioned whether the cyberattack on Change Healthcare, which handles a third of all U.S. patient records and some 15 billion transactions a year, was so broad because UnitedHealth is too deeply entrenched in almost every aspect of medical care in the country.
UnitedHealth Group, which reported 2023 revenue of $372 billion and is one of the nation’s largest companies, is not only the parent company of Change, but also the parent company of the nation’s largest health insurer and a large pharmaceutical benefits manager (OptumRx). United also supervises nearly one in ten doctors in the country.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations swallowing up ever-larger portions of the health care system,” said Sen. Ron Wyden, Democrat of Oregon and chairman of the Finance Committee.
The American health system was plunged into chaos after the February 21 attack on Change, which serves as a digital highway between health insurers, hospitals and doctors. Patients couldn’t fill their prescriptions, and hospitals and doctors faced a severe cash flow crisis because they couldn’t get paid for their care.
Lawmakers in Congress have called for more information about how the hack happened and what UnitedHealth was doing about it, and the company last month declined a request to appear before a House health subcommittee. On Wednesday, UnitedHealth CEO Andrew Witty was summoned to testify before the Senate Finance Committee and before a panel of the House Energy and Commerce Committee.
In the afternoon, House lawmakers voiced concerns, especially given the company’s enormous scale. Describing UnitedHealth’s “increasing intrusion into every corner of our health care system,” Rep. Cathy McMorris Rodgers, Republican of Washington and chairwoman of the House committee, said the company’s actions were likely to become “a case study of poor crisis management.”
In the morning, Mr. Witty defended the company’s efforts to restore services and apologized.
“As a result of this malicious cyberattack, patients and providers have experienced disruption and people are concerned about their private health data,” he said. “To everyone affected, let me be very clear: I am deeply, deeply sorry.”
But Mr. Witty acknowledged the lax digital security that allowed hackers to access Change’s network, including an inadequate backup plan, and acknowledged that United had failed in its initial efforts to help cover the supplier payments.
Last week, United began disclosing that hackers had indeed gained access to some patient data, although Mr. Witty told senators it would be some time before the company had a clear idea of the extent of this breach of patient information.
Mr. Wyden specifically expressed frustration with the lack of information United had provided to consumers. “The Americans still don’t know how much sensitive information was stolen from them,” he added. He dismissed the company’s efforts to provide credit monitoring, calling them “thoughts and prayers in the event of a data breach.”
He also highlighted concern over the disclosure of sensitive medical data on active military personnel covered by the company, calling it a “clear threat to national security.”
Mr. Witty said UnitedHealth was working with regulators to determine when and how to begin communicating with affected individuals.
“We want to try to avoid piecemeal communication,” he said.
United was forced to completely shut down Change’s systems for several weeks, prompting difficult exchanges between senators and Mr. Witty over the pace of reimbursements to hospitals and other providers.
Mr. Witty told senators that “the flow of claims across the country has essentially returned to normal.” Mr. Wyden said he had heard from providers who filed claims in February that it would take at least until June to be reimbursed.
“We can act absolutely faster than that,” Mr. Witty said, asking to be put in touch with any organization that had complained to Mr. Wyden.
“Virtually every provider I meet is waiting to be paid,” Mr. Wyden retorted.
Minutes later, Senator Marsha Blackburn, Republican of Tennessee, echoed Mr. Wyden, accusing Mr. Witty of presenting a “rosy” picture of the reimbursement process and saying that her office had been bombarded with calls from health care providers waiting to be paid.
One hospital in the state had a backlog of Medicare claims equivalent to a month’s worth of revenue, Ms. Blackburn noted.
“Every day they call for news. Every day they call. And they experience escapes every day, repeatedly,” she said. “It’s like you can’t understand this.”
Mr. Witty also acknowledged that the company paid a $22 million ransom to the attackers, saying: “The decision to pay a ransom was mine. This was one of the hardest decisions I have ever struggled to make.”
The FBI and other authorities are investigating the hack.
UnitedHealth has been criticized for being circumspect about the details of the attack.
“You have been all over the place in terms of personal responsibility,” Mr. Wyden told Mr. Witty. “You have consistently minimized your role in this matter.”
Mr. Wyden said UnitedHealth had failed to implement the most basic type of cybersecurity measure: so-called multi-factor authentication.
Mr. Witty said that as of Wednesday, all of UnitedHealth’s “external systems” were deploying this form of authentication. The company also brought in outside groups to do additional analysis of its technology, he added, and hired Mandiant, a cybersecurity company, as an advisor.
“These are fundamental things that have been forgotten,” said Sen. Thom Tillis, Republican of North Carolina, holding up a copy of the book “Hacking for Dummies.”
The hearing gave Mr. Witty the opportunity to offer a more detailed timeline of the hack and the response to it.
Cybercriminals gained access to Change’s systems on February 12, nine days before UnitedHealth realized it needed to shut them down. Mr. Witty pointed out that the company quickly stopped the attack from spreading beyond Change to the parent company or any of its other units, like Optum or the health insurer. “We limited the scope of the explosion just for a change,” he said.
Mr. Witty also argued that the health system’s vulnerability to hacks extends well beyond United. He said that because United only acquired the Change system 18 months ago, it had not been able to completely revamp Change’s “legacy technologies”, making it vulnerable to hacking.
Mr. Witty said at another point in the hearing that he sympathized with providers who were reluctant to use Change again.
“The reason the recovery took longer than expected is that we literally rebuilt this platform from scratch, so we could reassure people that there are no elements of the old environment under attack in the new technology,” he said.
United’s acquisition of the Change network in 2022 has been cited by some senators as an example of massive consolidation in the health care industry. The Justice Department, which oversees health insurers, tried to block United’s purchase of Change but failed to convince a federal judge that the deal was anticompetitive.
The department has opened a broader investigation to determine whether the company’s activities hinder competition.
Senator Elizabeth Warren, Democrat of Massachusetts, called UnitedHealth a “steroid monopoly,” repeatedly emphasizing that it was the 11th largest company in the world.
She accused United of taking advantage of the chaos created by the hack to acquire even more medical practices, saying the company now oversaw one in 10 doctors in the country.
Mr. Witty disputed her claims, pointing out sectors in which United did not do business. “Despite our size, we don’t own a single hospital in America or a single drug manufacturer,” he said.
Federal health officials are also investigating whether privacy rules governing Americans’ medical records should be stricter. Lawmakers noted that health care companies were among the most vulnerable to cyberattacks, and some paid fines because patient data was hacked.
Last week, Kaiser Permanente notified 13.4 million people that their personal information may have been breached when data may have been inadvertently shared with various third parties.