In a tense Senate hearing on Wednesday, lawmakers sharply criticized UnitedHealth Group's handling of the cyberattack that crippled the U.S. healthcare system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.
Democratic and Republican senators questioned whether the cyberattack on Change Healthcare, which handles a third of all U.S. health records and about 15 billion transactions a year, was so large-scale because UnitedHealth is too deeply entrenched in almost every aspect of the nation's medical care. UnitedHealth Group is not only the parent company of Change, but also the parent company of the country's largest health insurer and a large pharmacy benefits manager (Optum). United also supervises nearly one in 10 doctors in the country.
“The Change Hack is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up ever-increasing shares of the health care system,” said Sen. Ron Wyden, the Oregon Democrat who is chairman of the Finance Committee.
The U.S. healthcare system was plunged into chaos after the Feb. 21 attack on Change, which serves as a digital highway between health insurers, hospitals and doctors. Patients couldn't fill prescriptions, and hospitals and doctors faced a severe cash crunch because they couldn't get paid for their care.
UnitedHealth CEO Andrew Witty was called to testify before both the Senate Finance Committee and the House Energy and Commerce Committee.
On Wednesday morning, he defended the company's efforts to restore services and apologized.
“As a result of this malicious cyberattack, patients and providers have experienced disruptions, and people are concerned about their private healthcare data. To everyone who has been affected, let me be very clear: I am deeply, deeply sorry,” he said.
But Witty acknowledged poor digital security that allowed hackers to enter Change's network and admitted that United botched initial efforts to help cover payments for suppliers.
Just last week, United began disclosing that hackers had accessed some patient data, though Witty told senators it would be quite some time before the company had a solid understanding of how extensive that breach of patient information was.
Mr. Witty said UnitedHealth is working with regulators to determine when and how to begin communicating with those affected.
“We want to try to avoid piecemeal communication,” he said.
United was forced to completely shut down Change's systems for several weeks, prompting testy exchanges between senators and Mr. Witty over the pace of reimbursements to hospitals and other providers.
Witty told senators that “the flow of claims across the country is essentially back to normal.” Mr. Wyden said he heard from suppliers who submitted claims in February that it would take until at least June to be reimbursed.
“We can absolutely move faster than that,” Witty said, asking to be put in touch with any organization that had complained to Mr. Wyden.
“Pretty much every vendor I meet is waiting to be paid,” Mr. Wyden countered.
Minutes later, Senator Marsha Blackburn, Republican of Tennessee, echoed Wyden, accusing Witty of presenting a “rosy” portrait of the reimbursement process and saying her office had been bombarded with calls from health care workers waiting to be paid.
One hospital in the state had a backlog of Medicare claims equivalent to a month's revenue, Ms. Blackburn noted.
“Every day they call for an update. Every single day they call. And they walk around every single day, repeatedly,” she said. “It's like all of you can't understand it.”
Witty also acknowledged that the company paid a $22 million ransom to the attackers, stating that “the decision to pay a ransom was mine. This was one of the hardest decisions I have ever made.”
The FBI and other authorities are investigating the hack.
UnitedHealth has been criticized for being cagey about the details of the attack.
“You have been all over the place in terms of personal responsibility,” Mr. Wyden told Mr. Witty. “You have consistently downplayed your role in all of this.”
Wyden said UnitedHealth failed to apply the most basic type of cybersecurity measure: so-called multi-factor authentication.
Witty said that as of Wednesday, all of UnitedHealth's “external-facing systems” were implementing that form of authentication. The company has also brought in outside groups to perform additional scans of the company's technology, he added, and has hired Mandiant, a cybersecurity firm, as a consultant.
“These are some basic things that have been missed,” said Senator Thom Tillis, Republican of North Carolina, holding up a copy of the book “Hacking for Dummies.”
The hearing gave Witty the chance to offer a more detailed timeline of the hack and the response to it.
Cybercriminals gained access to Change's systems on February 12, nine days before UnitedHealth realized it needed to shut them down. Mr. Witty stressed that the company quickly prevented the attack from spreading beyond Change to its parent company or its other units, such as Optum or the health insurer. “We limited the scope of the explosion to the Change only,” he said.
Witty also argued that the health system's vulnerability to hacks goes far beyond United, which he said fends off an intrusion attempt every 70 seconds. He said that because United acquired the Change system only 18 months ago, it was unable to completely revamp Change's “legacy technologies” that made it vulnerable to hacking.
Mr. Witty said elsewhere in the hearing that he sympathized with providers who were reluctant to use Change again.
“The reason the recovery took longer than you might expect is that we literally rebuilt this platform from scratch, so we can reassure people that there are no elements of the old environment attached within the new technology,” he said.
United's 2022 acquisition of the Change network has been seen by some senators as an example of mass consolidation in the healthcare industry. The Justice Department, which oversees health insurers, tried to block United's purchase of Change but failed to convince a federal judge that the deal was anticompetitive.
Senator Elizabeth Warren, Democrat of Massachusetts, called UnitedHealth “a monopoly on steroids,” noting more than once that it is the 11th largest company in the world.
She accused United of taking advantage of the chaos created by the hack to acquire even more medical practices, saying it now oversees one in 10 of the nation's doctors.
Mr. Witty disputed her claims, pointing to the sectors in which United did not operate. “Despite our size, we don't own hospitals or drug manufacturers in America,” he said.