At a tense Senate hearing Wednesday, lawmakers harshly criticized UnitedHealth Group's response to the cyberattack that paralyzed the U.S. health care system, citing failures in security systems and the potential exposure of sensitive medical information of millions of Americans.
Democratic and Republican senators questioned whether the cyberattack on Change Healthcare, which manages one-third of all patient records in the United States and about 15 billion transactions a year, was so large because UnitedHealth is so deeply integrated into nearly every aspect of U.S. health care. UnitedHealth Group is not only the parent company of Change, but also the parent company of the nation's largest health insurance company and a leading pharmacy benefit manager (Optum). United also oversees nearly one in every ten doctors in the country.
“The Change hack is a dire warning of the consequences of 'too-big-to-fail' giant corporations increasingly eating up a share of the health care system,” said Sen. Ron Wyden, D-Ore., the lawmaker who chairs the Finance Committee.
The U.S. health care system was thrown into chaos after the February 21st attack on Change, which acts as a digital highway between health insurance companies, hospitals, and doctors. Patients were unable to fill their prescriptions, and hospitals and doctors faced severe funding shortages as they could not be paid for treatment.
UnitedHealth CEO Andrew Witty was subpoenaed to testify before both the Senate Finance Committee and the House Energy and Commerce Committee.
He apologized Wednesday morning, defending the company's efforts to restore service.
“As a result of this malicious cyberattack, patients and healthcare providers are experiencing disruption, and people are feeling anxious about their personal health data. To all those affected, let me be clear: I’m really, really sorry,” he said.
But Witty acknowledged lax digital security that allowed hackers to penetrate Change's network, and acknowledged that early efforts by United to cover payments to providers had failed.
Although United began disclosing just last week that hackers had indeed accessed some patient data, Witty told senators that the company had not disclosed how widespread the patient data breach had been. He said it will take a considerable amount of time to fully grasp the situation.
Witty said UnitedHealth is working with regulators to determine when and how to begin communicating with affected people.
“We want to avoid piecemeal communication,” he said.
United was forced to completely shut down Change's system for several weeks, sparking a heated exchange between senators and Mr. Witty over the pace of reimbursement to hospitals and other health care providers.
“Claim flow across the country is essentially back to normal,” Witty told senators. Wyden said he has heard from providers who billed in February that reimbursement will take until at least June.
“We can absolutely move sooner than that,” Witty said, asking Wyden to contact the organizations that filed the complaints.
Wyden retorted: “Almost every provider I've encountered is waiting to be paid.”
Minutes later, Sen. Marsha Blackburn, R-Tennessee, joined Wyden in accusing Witty of painting a “rosy” picture of the reimbursement process, saying her office has been inundated with calls from health care providers awaiting payment.
Blackburn noted that hospitals in the state had a backlog of Medicare claims equivalent to a month's worth.
“Every day they call to get updates. Every day they call. And every day they repeat, they run around,” she said. “It seems like you all don't understand.”
Witty also acknowledged that the company had paid the attackers a $22 million ransom, saying, “The decision to pay the ransom was mine. This was one of the hardest decisions I've ever made.”
Authorities including the FBI are investigating the hacking incident.
UnitedHealth has been criticized for being cautious about the details of the attack.
“You've been on every front in terms of personal responsibility,” Wyden told Witty. “You have consistently downplayed your role in this matter.”
Wyden said UnitedHealth failed to implement the most basic type of cybersecurity measure, so-called multi-factor authentication.
As of Wednesday, all of UnitedHealth's “external facing systems” have implemented that form of authentication, Witty said. He added that the company brought in an outside group to conduct additional scans of its technology and hired cybersecurity firm Mandiant as an advisor.
“This is something fundamental that has been overlooked,” said Sen. Thom Tillis, R-North Carolina, holding up a copy of the book “Hacking for Dummies.”
The hearing gave Mr. Witty an opportunity to provide a more detailed timeline of the hack and the response to it.
Cybercriminals gained access to Change's systems on February 12th. That was nine days before UnitedHealth knew it needed to shut down the system. Witty emphasized that the company quickly stopped the attack from spreading beyond Change to its parent company and other divisions, including Optum and Health Care. “We contained the blast area just for the change,” he said.
Witty also argued that the health system's vulnerability to hacking goes far beyond United, noting that United alone thwarts a break-in attempt every 70 seconds. He said United acquired Change's systems 18 months ago and had been unable to fully modernize Change's “legacy technology” that made it vulnerable to hacking.
At another point in the hearing, Witty said he was sympathetic to providers who are reluctant to use Change again.
“The reason the recovery took longer than expected is because we literally built this platform from scratch to give people peace of mind that elements of the old attacked environment were not present within the new technology,” he said.
United's acquisition of Change Healthcare in 2022 was cited by some senators as an example of large-scale consolidation in the health care industry. The Justice Department, which oversees health insurance companies, tried to block United's acquisition of Change, but was unable to convince a federal judge that the deal was anticompetitive.
Sen. Elizabeth Warren, D-Mass., repeatedly pointed out that UnitedHealth is the 11th largest company in the world and called it a “steroid monopoly.”
She accused United of taking advantage of the disruption caused by the hack to acquire more physician practices, saying it now oversees one in 10 doctors in the United States.
Mr. Witty disputed her claims, citing areas in which United does not operate. “Despite our size, we don't own any hospitals in America, and we don't own any pharmaceutical companies,” he said.