UnitedHealth Group CEO Andrew Witty endured withering criticism from lawmakers Wednesday as Congress held a pair of hearings on the Change Healthcare cyberattack and its fallout.
The Senate Finance Committee got first crack at the healthcare executive Wednesday morning before Witty headed to the other side of Capitol Hill to testify before a House Energy and Commerce Committee subcommittee in the afternoon.
Lawmakers hammered Witty over poor cybersecurity and condemned his company's response to the Change Healthcare breach, which has left providers, patients and the government scrambling for months.
"This hack could have been stopped with 'Cybersecurity 101,'" said Senate Finance Committee Chair Ron Wyden (D-Ore.). Instead, he said, UnitedHealth Group "flunked."
Witty acknowledged that a Change Healthcare server was not protected by multifactor authentication, which left it susceptible to the cyberattack that UnitedHealth Group and federal authorities attribute to the ransomware collective BlackCat (also known as APLHV and Noberus).
"That is very much still what we're trying to dig through, exactly why that server had not been protected," Witty said at the Senate hearing. "I'm as frustrated as anybody about that."
UnitedHealth Group, which owns Change Healthcare through its Optum subsidiary, paid a $22 million ransom, Witty said. The company expects the cyberattack will cost it $1.6 billion this year, although it assured investors last month that the incident will not have a material impact on its earnings.
During the House Energy and Commerce Committee's Oversight and Investigations Subcommittee hearing, full committee Chair Cathy McMorris Rodgers (R-Wash.) suggested UnitedHealth Group was "rewarding criminals" by handing over the ransom.
"I would understand that it would be a difficult decision to weigh that against protecting American's data. But here's the problem: It didn't stop the data leak," Rodgers said. "Mr. Witty, I suspect that decision will be a case study in crisis mismanagement for decades to come." Witty did not attend the panel's Health Subcommittee hearing on Change Healthcare last month.
UnitedHealth Group disclosed the Change Healthcare hack and disconnected its systems on Feb. 21. In his written testimony, Witty revealed the hackers infiltrated the company nine days earlier via the unprotected server.
"This is some basic stuff that was missed," Sen. Thom Tillis (R-N.C.) said while brandishing a copy of the book "Hacking for Dummies." - Bloomberg
Sen. Thom Tillis (R-N.C.) at a Finance Committee hearing on May 1, 2024.
UnitedHealth Group is tantalizing to cybercriminals because of its sheer scale, and should have been better prepared after federal law enforcement agencies and regulators repeatedly warned that healthcare companies were vulnerable, Wyden said.
"This corporation is a healthcare leviathan," Wyden said. "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. [UnitedHealth Group] was a big target long before it was hacked." Change Healthcare processes about one-third of all U.S. healthcare transactions.
Rep. Kathy Castor (D-Fla.), ranking member of the Oversight and Investigations Subcommittee, observed that the Health and Human Services Department issued recommendations in 2022 and 2023 that healthcare organizations employ multifactor authentication.
"UnitedHealthcare ignored that advice," Castor said, using the name of the company's health insurance subsidiary.
Effects on providers, patients
The cyberattack triggered a cascade of consequences that left hospitals, doctors and other providers shut out of claims, payment and prior authorization systems. This caused financial strain throughout the healthcare system, especially for smaller providers.
Witty said that the company has taken extraordinary efforts to rebuild the Change Healthcare systems and deliver relief to those affected. Change Healthcare is largely restored and UnitedHealth Group aims to make providers whole within six weeks, he said.
UnitedHealth Group distributed $6.5 billion in interest-free loans to providers, and other health insurance companies extended support. In addition, the Centers for Medicare and Medicaid Services offered advance reimbursements.
Witty also issued a public apology: "To all those impacted, let me be very clear: I'm deeply, deeply sorry," Witty said.
Lawmakers including Sens. Dr. Bill Cassidy (R-La.) and Ron Johnson (R-Wis.) recognized that UnitedHealth Group has made progress, and Cassidy recounted anecdotes of physicians reporting normal operations have resumed.
Nevertheless, Sen. Marsha Blackburn (R-Tenn.) and others said providers are still struggling. "The reality that hospitals and providers are facing is wildly different from the rosy picture that you have painted," Blackburn said.
Patients have faced obstacles to care and providers are bearing a financial burden because of the breach, said Oversight and Investigations Subcommittee Chair Morgan Griffith (R-Va.).
"How many millions of surgeries, treatments and prescriptions were delayed or, worse yet, were either canceled or they just didn't take their medicine?" Griffith said. "How many millions of dollars of interest alone has United made from holding onto money that it would have had to pay to providers or for patients?"
Rep. Kim Schrier (D-Wash.) said the owner of Issaquah, Washington-based Balance Physical Therapy was forced to mortgage her home to stay afloat, and that UnitedHealth Group's assistance to the provider amounted to $70.
Healthcare consolidation
Sen. Elizabeth Warren (D-Mass.) described UnitedHealth Group as a "monopoly on steroids" and said it should be broken up. UnitedHealth Group acquired Change Healthcare in 2022 over the objections of the Justice Department.
"I have a fundamental problem with the direction of consolidation in our healthcare system," Rodgers said. "I believe that it's increasing costs and reducing the quality of care. And, again, United is the poster child for this problem."
Cassidy speculated that UnitedHealth Group may be "too big to fail" and questioned whether its deep integration with the healthcare system may represent a critical vulnerability. "Is the dominant role of United too dominant because it's into everything, and messing up United messes up everybody?" he said.
"If 5% of our nation's [gross domestic product] goes though United every day, then is there something else that could be incurred upon United that would have even father-reaching effects?" Cassidy said.
Wyden pledged to work with Cassidy on large-scale healthcare mergers and acquisitions. "There are going to be senators on both sides of the aisle who want to pursue what you're talking about," he said.
These remarks echo a growing skepticism of big healthcare deals on Capitol Hill, with Republicans such as Sens. Dr. Roger Marshall (Kan.) and Mike Braun (Ind.) and Reps. Dr. Larry Bucshon (Ind.) and Buddy Carter (Ga.) among those questioning the effects of vertical integration on the healthcare system. Marshall has called UnitedHealth Group the "Standard Oil of our lifetime," referring to John D. Rockefeller's 19th century conglomerate.
In a brief interview following the House hearing, Witty declined to answer questions about healthcare consolidation.
Policy prescriptions
Congress is far from settling on a legislative strategy on mergers and acquisitions or on healthcare cybersecurity. Witty's testimony should inform how lawmakers approach the latter issue, said Finance Committee ranking member Mike Crapo (R-Idaho).
“We owe it to American patients and to our frontline healthcare providers — from health systems to clinicians and community pharmacies — to ensure that this does not and cannot happen again," Crapo said.
Sen. Mark Warner (D-Va.), who sits on the Finance Committee, authored legislation that would tie cybersecurity improvements to emergency relief and Medicare reimbursements, and President Joe Biden proposed a similar policy. Under both plans, HHS would establish minimum cybersecurity standards for healthcare organizations.
"I think minimum standards do make sense," Witty said. Provider groups such as the American Hospital Association oppose these policies.
Reporter: MICHAEL MCAULIFF