In a tense Senate hearing on Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that paralyzed the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.
Democratic and Republican senators questioned whether the cyberattack of Change Healthcare, which manages a third of all U.S. patient records and some 15 billion transactions a year, was so vast because UnitedHealth is too deeply embedded in nearly every aspect of the nation’s medical care.
UnitedHealth Group, which reported $372 billion in revenues in 2023 and is one of the nation’s largest corporations, is not only the parent of Change but also the parent of the country’s largest health insurer and a big pharmacy benefit manager (OptumRx). United also oversees nearly one in 10 doctors in the country.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Senator Ron Wyden, the Oregon Democrat who is the chairman of the Finance Committee.
The U.S. health system was thrust into chaos after the Feb. 21 attack on Change, which serves as a digital highway between health insurers and hospitals and doctors. Patients could not fill prescriptions, and hospitals and doctors faced a severe cash crunch because they could not be paid for their care.
Congressional lawmakers have clamored for more information about how the hack happened and what UnitedHealth was doing to address it, and the company declined a request last month to appear before the House health subcommittee. On Wednesday, UnitedHealth’s chief executive, Andrew Witty, was summoned to testify before both the Senate Finance Committee and a panel of the House Energy and Commerce Committee.
In the afternoon, House lawmakers outlined their concerns, especially given the corporation’s enormous scale. Describing UnitedHealth’s “growing creep into every corner of our health care system,” Representative Cathy McMorris Rodgers, the Washington Republican who is the chairwoman of the House committee, said the corporation’s actions were likely to become “a case study in crisis mismanagement.”
In the morning, Mr. Witty defended the company’s efforts to restore services and apologized.
“As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are worried about their private health data,” he said. “To all those impacted, let me be very clear: I am deeply, deeply sorry.”
But Mr. Witty acknowledged the lax digital security that enabled hackers to enter Change’s network, including an inadequate backup plan, and conceded that United fumbled initial efforts to help cover payments for providers.
Just last week, United began to reveal that hackers did get access to some patient data, although Mr. Witty told the senators it would be quite a while before the company would have a solid grasp on how extensive that breach of patient information was.
Mr. Wyden in particular expressed frustration with how little information United had provided to consumers. “Americans are still in the dark in how much of their sensitive information was stolen,” he added. He dismissed the company’s efforts to provide credit monitoring, calling it the “thoughts and prayers of data breaches.”
He also emphasized the concern about the disclosure of sensitive medical data about active military personnel covered by the company, calling it “a clear national security threat.”
Mr. Witty said that UnitedHealth was working with regulators to determine when and how to begin communicating with people who were affected.
“We want to try and avoid piecemeal communication,” he said.
United was forced to shut Change’s systems down completely for several weeks, prompting testy exchanges between senators and Mr. Witty over the pace of reimbursements to hospitals and other providers.
Mr. Witty told senators that “claims flow across the entire country is essentially back to normal.” Mr. Wyden said that he had heard from providers who filed claims in February that it would take until at least June to be reimbursed.
“We can move absolutely faster than that,” Mr. Witty said, asking to be put in touch with any organization that had complained to Mr. Wyden.
“Practically every provider I bump into is waiting to be paid,” Mr. Wyden shot back.
Minutes later, Senator Marsha Blackburn, Republican of Tennessee, echoed Mr. Wyden, accusing Mr. Witty of presenting a “rosy” portrayal of the reimbursement process and saying that her office had been bombarded by calls from health providers waiting to be paid.
One hospital in the state had a backlog of Medicare claims equivalent to a month of revenue, Ms. Blackburn noted.
“Every day they call to get an update. Every single day they’re calling. And they get the runaround every single day, repeatedly,” she said. “It’s like you all can’t figure this out.”
Mr. Witty also acknowledged that the company paid a $22 million ransom to the attackers, saying “the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever hard to make.”
The F.B.I. and other authorities are investigating the hack.
UnitedHealth has been criticized for being circumspect about the details of the attack.
“You’ve been all over the map in terms of personal accountability,” Mr. Wyden told Mr. Witty. “You have consistently downplayed your role in this.”
Mr. Wyden said that UnitedHealth had failed to enforce the most basic kind of cybersecurity measure — so-called multifactor authentication.
Mr. Witty said that as of Wednesday, all of UnitedHealth’s “external-facing systems” were deploying that form of authentication. The company had also brought in outside groups to do additional scanning of the company’s technology, he added, and had hired Mandiant, a cybersecurity firm, as an adviser.
“This is some basic stuff that was missed,” Senator Thom Tillis, Republican of North Carolina, said, holding up a copy of the book “Hacking for Dummies.”
The hearing gave Mr. Witty the chance to offer a more detailed timeline of the hack and the response to it.
The cybercriminals gained access to Change’s systems on Feb. 12, nine days before UnitedHealth realized it needed to shut them down. Mr. Witty emphasized that the company quickly prevented the attack from spreading beyond Change to the parent company or any of its other units, like Optum or the health insurer. “We contained the blast range just to Change,” he said.
Mr. Witty also argued the vulnerability of the health care system to hacks goes way beyond United. He said that because United only acquired the Change system 18 months ago, it had been unable to fully revamp Change’s “legacy technologies” that made it vulnerable to the hack.
Mr. Witty said at a different point in the hearing that he was sympathetic to providers who were reluctant to use Change again.
“The reason why it’s taken longer than you might expect to recover is we’ve literally built this platform back from scratch, so that we can reassure people that there are not elements of the old attacked environment within the new technology,” he said.
United’s acquisition of the Change network in 2022 was held up by some senators as an example of mass consolidation in the health care industry. The Justice Department, which oversees health insurers, tried to block United’s purchase of Change, but failed to persuade a federal judge that the deal was anticompetitive.
The department has opened a broader inquiry into whether the company’s activities are impeding competition.
Senator Elizabeth Warren, Democrat of Massachusetts, labeled UnitedHealth “a monopoly on steroids,” noting more than once that it was the 11th largest company in the world.
She accused United of taking advantage of the chaos created by the hack to acquire even more doctors’ practices, saying it now oversaw one in 10 of the nation’s doctors.
Mr. Witty disputed her claims, pointing to sectors where United did not do business. “Despite our size, we own no hospitals in America and no drug manufacturers,” he said.
Federal health officials are also investigating whether privacy rules governing Americans’ medical records should be stricter. Lawmakers noted that health care companies were among the most vulnerable to cyberattacks, and some have paid fines because patient data was hacked.
Just last week, Kaiser Permanente notified 13.4 million people that their personal information might have been breached when data could have been inadvertently shared with various third parties.
.
Source link: https://www.nytimes.com/2024/05/01/health/united-health-cyberattack-senate.html