
Key Moments From the Change Healthcare Cyberattack Senate Hearing

Andrew Witty, CEO of UnitedHealth Group, faced bipartisan outrage from senators on the Senate Finance Committee angered by his company’s cybersecurity failures. Here were the key moments from the hearing on Wednesday.

The chief executive officer of UnitedHealth Group appeared in front of two congressional committees on Wednesday, forced to answer uncomfortable questions on how his company handled what is being described as the worst malicious ransomware attack in the history of the healthcare industry — the outage at Change Healthcare that has had ripple effects on providers and patients alike, and for which it had to pay $22 million to the bad actors that hacked its unprotected server. It was striking to see Andrew Witty — the CEO of both the largest insurance company and the largest employer of physicians — preface almost every answer with the deferential, “Mr Chairman, thank you for that question.” A video of the hearing showed Witty looking every bit the penitent executive hauled in to provide testimony on a subject that has garnered bipartisan anger.

Here are the key moments and takeaways from the 2-hour-plus hearing in the Senate Committee on Finance:

“Practically every provider I bump into is waiting to be paid”

In his direct questioning, Senator Ron Wyden (D-Oregon) wasted no time in asking how long providers who had rendered clinical services in February would need to wait to get paid because clearing the backlog would take time. Witty calmly responded that claims flow across the entire country was “broadly back to normal,” noting that UnitedHealth was paying claims as quickly as possible but other insurance companies may not be.

Wyden was not willing to make the distinction between whether UnitedHealth is paying in a timely fashion vis-a-vis other insurance companies whose claims it also processes, and asked Witty to simply hurry up and pay. Witty repeated that he believes claims flow is broadly back to normal but asked Wyden to refer him to any providers in the states that are still waiting.

To which Wyden retorted: “Practically every provider I bump into is waiting to be paid.” He ended that line of questioning by asking Witty to send in writing how he will “meaningfully compensate” providers and insurance plans whose business was disrupted as a result of the Change Healthcare attack and subsequent outage.

Later in the hearing, Senator Marsha Blackburn (R-Tennessee) expressed indignation that it’s taking “nine weeks” for providers to get paid, seriously doubting Witty’s characterization that claims processing was “back to normal.”

“We have absolutely been inundated with phone calls since this came back,” Blackburn said of Change Healthcare’s system being back online but providers not getting paid. “Things are wildly different than the rosy picture you have painted.”

When Witty attempted to answer, Blackburn cut him off, saying that providers are having to pull on a line of credit to remain operational.

“Are you going to pay that interest?” she asked. “Are you going to reimburse that?”

Witty responded that UnitedHealth is offering interest-free loans, but Blackburn shot back, “I said are you going to pay the interest cost?”

Witty couldn’t answer how many people were impacted by the attack or what data was stolen

Two and a half months after the attack was first detected, Witty couldn’t answer a question — exactly how many people were impacted by the breach. The executive did contend that so far he believes no medical records or medical history was stolen, only claims — but Wyden wasn’t buying it.

“You don’t have the logs that would show what data walked out the door because we have been working to get that and we haven’t seen it,” Wyden shot back.

Multiple senators pressed Witty on when patients will be notified, saying that he could be in violation of HIPAA rules regarding notification. But he would only say that they are working with regulators to figure it out.

“I think it will be in the next several weeks,” was what Witty allowed every single time the question was posed. Senator Bob Casey Jr. (D-Pennsylvania) noted, however, that according to the company’s website the notification process will take “several months.”

“How in heaven’s name did you not have the necessary redundancies?”

When Senator Michael Crapo (R-Idaho) asked Witty what steps were being taken to strengthen the system, UnitedHealth’s chief acknowledged that multifactor authentication has now been implemented on all external-facing systems across the company. [There was a policy in place to have multifactor authentication, only the policy was not being followed, Wyden later pointed out.] Witty added that the company has also hired third parties to perform “double or triple scanning of our systems” as another layer of protection. UnitedHealth has hired Mandiant Consulting to help understand the nature of the attack and do cybersecurity oversight.

“They have become a board advisor … ” Witty said of the cybersecurity consulting firm.

Crapo, who took a gentler tone with Witty than Wyden, asked whether these approaches — and even stronger defenses than the ones that UnitedHealth has adopted since the breach — should become the industry standard.

“I would agree with that,” Witty said. “What we saw with Change Healthcare, which was a company which just came into our group a little over a year and a half ago, was a company which was an older company, had older legacy technologies but I think is very typical of many small- to medium-size organizations in our healthcare environment and therefore inevitably there’s going to be a lot of work to be done to upgrade those standards ….”

Of course the question is, if it took an attack of this magnitude to get the deep-pocketed UHC to take the threat of cybersecurity seriously, can anyone hope that smaller businesses will either have the financial resources or the will to invest in stronger systems?

Witty blamed the attack on one server that didn’t have multifactor authentication and on the fact that Change Healthcare had old legacy systems, but was repeatedly upbraided by Wyden and other senators for this failure. Senator Blackburn expressed disbelief that the company didn’t have the cybersecurity infrastructure given that UnitedHealth’s revenue is larger than the GDP of some small countries.

“How in heaven’s name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable?” she asked incredulously.

Witty responded that Change Healthcare has only been part of UnitedHealth Group for a short time and they were in the process of upgrading their systems. He added that one of the reasons it has taken so long to get back online was because UnitedHealth has built a new technical environment from scratch to ensure it was modern and wasn’t “infected” by the attack.

Another important tidbit: The hackers had broken into the system nine days before UnitedHealth detected the breach.

The $6.5 billion worth of financial assistance just doesn’t cut it

In his opening statement Witty said that the company has extended $6.5 billion worth of financial assistance in the form of accelerated payments and no-interest, no-fee loans to thousands of affected providers.

But Senator Bob Menendez (D-New Jersey) said the backlog of claims is “estimated to be easily over $14 billion” before noting that the actual figure may be “many multiples of that.” He added that the company knows to the penny how much payment an average provider gets on any given day — but Witty pushed back on that, stating that UnitedHealth doesn’t know what payments other insurers make to providers in their network and that is why it was slow in getting the proper terms of financial assistance to providers.

Menendez then asked if Witty would commit to not demanding loan repayment from providers until the claims backlog has cleared.

“… we’ve already told providers there is no need to repay these interest-free loans until 45 days after they have concluded they are back to normal,” Witty replied.

“Does messing up United mess up everybody?”

Even though Senator Bill Cassidy (R-Louisiana) praised Witty for his hard work in trying to deal with the fallout of the Change Healthcare cyberattack, he did not shy away from asking about the elephant in the room. Citing a Washington Post article that five percent of U.S. GDP flows through UnitedHealth every day, he declared:

“The fact that you are so big and so dominant poses a special vulnerability. And that yes, you have the deep pockets to address this but the very fact that you are so big means that it had a wide ranging ripple effect that was outsized. And so for us, we would have to ask is the dominant role of United too dominant because it’s into everything and messing up United messes up everybody?”

Witty tried to push back against this line of query by noting that Change Healthcare has the same footprint today as it did prior to being acquired by UnitedHealth. But Cassidy said the concern goes beyond just Change Healthcare because a future attack that goes beyond Change’s footprint could jeopardize even a larger aspect of healthcare.

Later Senator Elizabeth Warren cast UnitedHealth as a “monopoly on steroids.”

It’s important to note here that the Department of Justice has opened an antitrust investigation of the insurance giant, per a Wall Street Journal article in late February.

We don’t “control” them, they “choose” to work with us

These hearings are fascinating from the perspective of semantics. Warren, known for being a consumer protection warrior and a thorn in the side of big business, began her questioning by describing just how mammoth the Minnesota corporation is. It’s the largest insurer, largest claims processor, the nation’s third largest pharmacy benefits provider, owner of a huge pharmacy chain and the country’s largest employer and controller of physicians numbering at least 90,000.

“That’s one out of every 10 doctors in the country,” Warren said before asking him to confirm that her descriptions were accurate.

Witty responded that UnitedHealth employs “under 10,000” physicians and the rest are “affiliated,” to which Warren replied that this is precisely why she used the term “controlled by.” Witty then responded with this gem:

“Not controlled. They choose to work with us.”

Whether they are controlled by UnitedHealth or not, there was a fear among several senators that the company would buy even more physicians’ groups. Why? As the company provides no-interest loans to providers, they would get information on each group’s financial status and thereby ample opportunity to buy up more struggling practices.

“I would like to see at a minimum a firewall established so [that] you can’t use the data from these doctors through the loans process to go out and buy up more doctors because that’s the last thing we need in America,” Wyden said. “Will you support that?”

Witty answered that he thought it was a good idea.

Everything is not broadly back to normal

Multiple senators challenged the notion that everything is broadly back to normal as Witty described. Senator Catherine Cortez Masto (D-Nevada) cited the experience of Nevada Health Centers, an FQHC (federally qualified health center) in her state. That center relies on Change Healthcare for real-time patient eligibility verification, Cortez Masto said.

“I am hearing despite portals being back online that critical provider and patient information is often missing or mismatched with nearly 50 percent of payer information being inaccurate,” she said, asking when these problems will be fixed.

Witty said he didn’t have the information but would get back to her within the day with updated information.

The hearing was about more than just the recent cyberattack

While most of the senators’ opening comments and questions directed at Witty were about the Change Healthcare cyberattack, some senators took the time to lament the state of healthcare overall and lay some blame at the feet of UnitedHealthcare. Senator James Lankford (R-Oklahoma) talked about inaccurate provider directories burdening patients and how hospitals are no longer accepting Medicare Advantage patients because plans were paying lower than Medicare rates and there were often denials of care.

Senator Sherrod Brown (D-Ohio) explained how local, independent pharmacies were closing in Ohio because of bad PBM practices and declared that reining in these “corporate middle men” is a priority.

Photo: Screenshot of video recording of May 1 Hearing