UnitedHealth CEO Slammed at Senate Hearing on Change Healthcare Cyberattack

— "A comprehensive scrub" of company's anti-competitive practices is long overdue, senator says

MedpageToday
A screenshot of UnitedHealth CEO Andrew Witty speaking during this hearing.

WASHINGTON -- Senators from both sides of the aisle tore into UnitedHealth Group (UHG) CEO Andrew Witty, blaming him and the healthcare behemoth for not preventing the cyberattack on Change Healthcare, a UHG subsidiary, and for failing to minimize the fallout for patients and providers, during a Senate Finance Committee hearing on Wednesday.

"I believe the bigger the company, the bigger the responsibility to protect its systems from hackers," said Committee Chair Ron Wyden (D-Ore.), noting that with $342 billion in revenue last year, UHG is the fifth largest company in the U.S.

Change Healthcare is responsible for moving patient data from one physician's office to another, and to and from insurance companies, Wyden explained. A third of American patients' medical records pass through the healthcare clearinghouse, transmitting medical bills with sensitive information pertaining to abortions, mental health disorders, and cancer diagnoses.

The cyberattack on Change Healthcare forced UHG to disconnect the clearinghouse from the rest of the healthcare system, creating a "state of financial bedlam" for physicians across the country, many of whom continued providing services for weeks without pay, he said, adding that insurance companies were unable to reimburse providers, and patient prescriptions went unfilled.

"And Americans are still in the dark about how much of their sensitive information was stolen," Wyden pointed out. "Mr. Witty owes Americans an explanation for how a company of UHG's size and importance failed to have multi-factor authentication on a server providing open-door access to protected health information, why its recovery plans were so woefully inadequate, and how long it's going to take to finally secure all of its systems."

UHG CEO Makes His Defense

In response, Witty explained that when UHG bought Change Healthcare roughly a year and a half ago, there was "an extensive amount of modernization required" due to legacy systems, some of which were 40 years old. "Very unfortunately, this server had not been updated prior to the attack," he said.

Witty also walked through the steps UHG had taken to secure its systems since February 21, when cyber-criminals known as ALPHV or BlackCat encrypted Change Healthcare's systems, blocking access to them. UHG immediately disconnected Change Healthcare's data centers to prevent further infiltration of the broader health system, he said.

UHG also contacted the FBI "within hours" of the attack, and Witty said he made the difficult decision to pay the $22 million ransom.

"As of today, across the entire UnitedHealth Group, all external-facing systems now have multi-factor authorization," he noted. In addition, UHG has brought an expert from a leading cybersecurity service onto the company's board.

As for the disruptions in payments to providers, Witty said, "our belief, at this point, is that claims flow across the entire country is essentially back to normal."

In regard to the types of information that had been stolen, he said only medical claims information has been identified.

Senators Doubt CEO's Claims

Sen. Marsha Blackburn (R-Tenn.) disputed Witty's statement that claims flow had returned to normal.

"I will tell you this, the reality that hospitals and providers are facing is ... different from the rosy picture that you have painted," she said.

She pointed to one small independent private hospital in Tennessee that "diligently submitted" its claims, but continues to have a backlog equivalent to 30 days of revenue.

A survey from the American Medical Association conducted from April 19-24 reported that 90% of physician respondents are continuing to lose revenue from unpaid claims, and 80% are losing revenue because they can't submit claims. More than one in four respondents said their practice revenue for the last week was 70% lower than it had been during an average week prior to the cyberattack.

Blackburn said it is "widely acknowledged" that the financial assistance program that UHG implemented has failed to adequately support providers pulling from personal savings and retirement funds and others seeking bank loans to stay afloat.

"Are you going to cover all of those costs that they have had to incur in order to keep the doors open because you did not have an appropriate back-up plan?" she asked.

Witty said he would be "very happy to engage with those providers." Throughout the hearing, he emphasized that UHG has advanced more than $6 billion in interest-free loans. Practices will not be required to repay those loans until 45 days "after their business is back to normal," he noted.

Sen. Maggie Hassan (D-N.H.) raised the issue of why individual patients haven't yet been notified of the breach, pointing out that, by law, patients are supposed to be notified of any breach to HIPAA within 60 days of it being uncovered.

She also pressed Witty on exclusivity contracts that prohibit customers from using more than one company to manage their payments, which "effectively creates single points of failure."

Witty said that UHG agrees that having "business redundancy" is important and that it is releasing customers from the terms of those agreements.

As for other prevention measures, Wyden highlighted that the breadth of the fallout of the attack was in large part a result of healthcare consolidation, calling the Change Healthcare hack a "dire warning about the consequences of too-big-to-fail mega corporations gobbling up larger and larger shares of the healthcare system."

"A comprehensive scrub of UnitedHealth's anti-competitive practices" is long overdue, he added.

Currently, HHS does not require providers, payers, or healthcare clearinghouses to meet minimum cybersecurity standards, but that is something that ought to change, Wyden said. He called on federal agencies to "fast-track new cybersecurity rules" to protect Americans' private medical records, and told reporters that his team is already at work on legislation to address patient privacy issues.

Shannon Firth has been reporting on health policy as MedPage Today's Washington correspondent since 2014. She is also a member of the site's Enterprise & Investigative Reporting team.