News
UnitedHealth Group CEO Andrew Witty asked about the Change cyber attack
Photo: US House Energy and Commerce Committee
House subcommittee members criticized UnitedHealth Group CEO Andrew Witty for the Change Healthcare cyberattack, which left providers without claims revenue and struggling to stay afloat financially and constituents without their prescriptions.
Witty began by saying, “I am deeply, deeply sorry.”
Witty, who testified before a Senate panel on Wednesday, was put on the spot before the House Oversight and Investigations Subcommittee that afternoon. Members questioned and accused Witty and UnitedHealth Group, repeatedly pressing how the company that made a $22 billion profit in 2023 and is the parent company of the nation’s largest insurance company could be blindsided by bad actors who infiltrated the Change system.
Optum, a subsidiary of UnitedHealth Group, acquired Change in October 2022. The cyber attack was discovered on February 21. The company confirmed last month that it paid a ransom to protect patients’ health information, but as of Wednesday had not commented on the amount. .
Intelligent confirmed committee that $22 million in bitcoin was paid as ransom, a number reported by Reuters in March.
“It was my decision to pay the ransom,” Witty said.
Witty said he believes access was gained through the use of stolen passwords sold on the dark web.
“We believe that through this type of path they obtained credentials,” he said.
In part due to the age of technology in the Change system, the encryption ransomware affected both primary and backup systems that were not in the cloud, Witty said. Services that were in the cloud could be brought back online quickly.
Frank Pallone, DN.J., said he didn’t understand why such a large company didn’t have adequate security for Change a year and a half after it was acquired.
“I don’t understand why you couldn’t fix it and didn’t have adequate support,” Pallone said, echoing the concerns of many members of the House subcommittee.
Shedding new light on the attack, Witty said the infiltration occurred on older systems owned by Change that had not yet been updated by UnitedHealth.
The system didn’t have MFA or multi-factor authentication, he said, but now it does.
After discovering the attack, the company secured the perimeter and contacted the Federal Bureau of Investigation, Witty said. The attack did not spread beyond Change, he said.
“I want to see someone arrested,” said Michael Burgess, R-Texas.
Witty agreed that he would love to see these people brought to justice.
Oversight and Investigations Subcommittee Chairman Morgan Griffith, R-Va., asked Witty about a statement from UnitedHealth Group that the attack had affected a “substantial” number of American citizens. Griffith wanted to know how many. Witty hesitated, saying he didn’t want to give a precise number that was wrong. Griffith pressed him to estimate a percentage.
“Maybe a third,” Witty replied.
Griffith also asked about a comment that came up during the last House Health Subcommittee hearing on Change in April that UnitedHealth, which employs about 10,000 doctors, bought medical practices after the attack that were struggling financially due to lack of claim payments.
Witty said no practices have been acquired since the cyberattack, except one in Oregon that was planned for acquisition before that event.
Health subcommittee ranking member Brett Guthrie, R-Ky., asked when to expect essential functions to be restored.
Witty said progress has been made and the company has suspended all claims. The operational impact is quickly returning to normal, he said.
Change Healthcare has several different clearinghouses, he said. The last mile is restoring the oldest parts of the Change. For providers using these very old systems, United Health will continue to provide an interest-free loan guarantee service.
Dr. Kimberly Merle Schrier, D-Wash., who serves on the House Health Subcommittee, held up a sheet of paper showing a $70 UnitedHealth loan to a physical therapy business in her district. The owners had to mortgage the house to pay salaries and continue operationsshe said.
In a testimony delivered to the Senate Finance Committee on Wednesday morning, the American Medical Association said the findings of its latest AMA survey of doctors, conducted April 19-24, strongly dispute UnitedHealth Group’s assurances that systems are nearly back up and running before the outage and that complaints are once again flowing through the system .
“Quite the opposite – medical practices, especially small and independent practices, are still in crisis and not receiving the resources or information they need to navigate the disruption or breach,” the AMA said.
According to the medical survey last week, 90% of respondents continue to lose income from unpaid claims due to the outage, 80% are losing income due to the inability to submit claims, and 63% said they are losing income due to the inability to submit claims. collect patient copayments or remaining obligations. More than 60% of respondents are using personal funds to cover practical expenses and more than a third are unable to meet their salary obligations.
AMA President Dr. Jesse M. Ehrenfeld warned about the dangers of consolidation, like that between Change and UnitedHealth. In 2021, the AMA notified the Department of Justice of several antitrust concerns regarding the proposed merger.
Speaking at the hearing, Rick Pollack, president and CEO of American Hospital Association said, “The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today’s hearings highlighted the real-world impact that the most significant cyberattack facing the healthcare industry has had on so many patients, hospitals and health systems, and others care providers across the country. In these hearings, lawmakers made it clear that cybersecurity is a responsibility shared by all parties in the healthcare industry. We absolutely agree that to protect the healthcare infrastructure we all depend on. It is critical that third-party entities like Change Healthcare share this responsibility. The hearings also correctly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how it has affected – and may further affect – the delivery of healthcare. health for our nation.
Send an email to the writer: SMorse@himss.org