• Politics
  • Diversity, equity and inclusion
  • Financial Decision Making
  • Telehealth
  • Patient Experience
  • Leadership
  • Point of Care Tools
  • Product Solutions
  • Management
  • Technology
  • Healthcare Transformation
  • Data + Technology
  • Safer Hospitals
  • Business
  • Providers in Practice
  • Mergers and Acquisitions
  • AI & Data Analytics
  • Cybersecurity
  • Interoperability & EHRs
  • Medical Devices
  • Pop Health Tech
  • Precision Medicine
  • Virtual Care
  • Health equity

Senators grill UnitedHealth CEO on Change Healthcare cyberattack

News
Article

Lawmakers criticized Andrew Witty for insufficient cybersecurity protection and the lack of clarity on how many have been affected by the data breach.

Lawmakers asked tough questions of UnitedHealth Group CEO Andrew Witty regarding the Change Healthcare cyberattack and the company’s response to the breach.

Image: ©Mark - stock.adobe.com

Lawmakers asked UnitedHealth Group CEO Andrew Witty tough questions about the Change Healthcare cyberattack at a Senate Finance Committee hearing Wednesday.

Witty testified before the Senate Finance Committee Wednesday morning about the ransomware attack, which has been called the most damaging cyberattack in the healthcare sector in U.S. history.

Witty told lawmakers that the company paid a ransom of $22 million, on his order. He also acknowledged that the attack involved a Change Healthcare server that did not require multi-factor authentication. Such authentication is increasingly considered a basic step in protection, cybersecurity analysts say. With multi-factor authentication, users go through two or more steps to enter a system, such as typing a password and entering a code sent via text message.

Lawmakers said they were mystified that the company had a server without multi-step authentication.

Sen. Ron Wyden, D-Oregon, the chairman of the Senate Finance Committee, criticized Witty for the company’s failure to have multi-factor authentication in that server.

“This hack could have been stopped with cybersecurity 101,” Wyden said.

Witty testified that he was equally frustrated and said that the company is bolstering its cybersecurity. He also pointed out that UnitedHealth Group has been working to improve Change Healthcare’s cybersecurity since acquiring the company in 2022.

“There was a server which I'm incredibly frustrated to tell you was not protected by MFA (multi-factor authentication),” Witty told senators. “That was the server through which the cyber criminals were able to get into Change.”

Lawmakers repeatedly pressed Witty on that point, as Wyden said it sounded as if the CEO was making excuses.

‘Ten weeks is way too long’

Sen. John Barrasso, R-Wyoming, who is also a physician, noted that a small, community hospital in Wyoming spent about $1 million on cybersecurity in 2023.

“Hospitals take cybersecurity very seriously,” Barrasso said. “You know, Change Healthcare's commitment to cybersecurity it's not as clear.”

Other lawmakers pressed the UnitedHealth CEO about the fact that Americans still aren’t sure if their private information was exposed in the Change Healthcare attack.

At the hearing, Witty said that it will be “months” before the company has more information on how many people have been affected. The company has previously said that a large number of Americans may be impacted.

Sen. Maggie Hassan, D-New Hampshire, urged Witty to work harder to notify those affected by the Change Healthcare cyberattack on Feb. 21.

“Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals,” Hassan said.

U.S. Sen. Bob Casey Jr., D-Pa., also pointed to UnitedHealth’s estimate that it will take months for notification of affected individuals. He criticized what he described as insufficient protections in such a large company.

“I think it's clear that if United had stronger defenses like multi-factor authentication, then this could have gone very differently,” Casey said. “At the same time, United is growing and expanding, it's lacking adequate and protective cybersecurity infrastructure to secure people's most private information.”

Impact on hospitals

Lawmakers also talked about the impact of the cyberattack on physicians and hospitals in their districts. Sen. Marsha Blackburn, R-Tennessee, told Witty, “The reality that hospitals and providers are facing is wildly different from the rosy picture that you have painted.”

Barrasso pointed to the ongoing struggles of rural hospitals, which have been amplified in recent months by the Change Healthcare cyberattack.

“This breach may send some of them in a spiral from which they can’t come back,” Barrasso said.

Senators pressed Witty on when they would be made whole. Willy said that the company hopes to make all providers whole “in the next month or six weeks.”

Hospitals, doctors and medical groups have suffered losses due to the disruption in processing claims. Nearly all hospitals have seen at least some financial impact from the cyberattack, and most have said the disruptions have affected patient care. The American Medical Association has warned that some physician practices may end up closing.

In response to questions from senators, Witty said that claim processing after the Change Healthcare cyberattack is “broadly back to normal.”

“Where we still have lag is payment on those claims,” Witty said.

Witty was asked how UnitedHealth will prevent other breaches. He responded, “We are clearly trying to take responsibility in this attack. We are also trying to learn from it and we want to make sure we share all of these learnings.”

‘A lot we don’t know’

Some of the most pointed criticism came from Wyden, the chairman of the committee. After Witty discussed UnitedHealth’s offer of two years of credit monitoring and identity theft protection, Wyden said those steps are the “thoughts and prayers of data breaches.”

After two hours of testimony, Wyden said, “There's a lot we don't know. There's a lot that the American people don't know. We don't even know what data was stolen, and I'm not convinced that we are going to find that out anytime soon. We may never find it out.”

Wyden said UnitedHealth Group has failed in both protecting patient data and in responding to the attack.

“Your company, on your watch, let the country down,” Wyden said.

In his opening remarks to the committee, Witty offered an apology for the disruptions caused by the Change Healthcare cyberattack. He also said the company has distributed more than $6.5 billion to providers.

“To all those affected, let me be very clear: I’m deeply, deeply sorry,” Witty said. “We will not rest, I will not rest, until we fix this.”

Witty also acknowledged that the initial terms for UnitedHealth Group’s financial assistance were overly restrictive, and hospitals and doctors both derided the terms as too onerous. He told senators the company is offering “no interest, no fee” loans.

Witty also said payments on loans wouldn’t be due until 45 days after the providers say that they have returned to business as usual. Upon repeated questions from senators, Witty said providers - not UnitedHealth Group - would make the determination that they are recovered.


Related Videos
Image credit: ©Shevchukandrey - stock.adobe.com
Image: Ron Southwick, Chief Healthcare Executive
Image credit: HIMSS
Related Content
Image credit: ©Kawee - stock.adobe.com

Caregivers are struggling to handle work and family duties. Employers can offer more help.

May 17th 2024
Article

Some are reducing hours, or simply leaving jobs, because of the difficulties in managing work and caregiving, according to a survey by AARP and S&P Global. Employers can do more to help workers.

Why preventive medicine needs more support | Healthy Bottom Line podcast

Why preventive medicine needs more support | Healthy Bottom Line podcast

April 16th 2024
Podcast

Mirza Rahman, president of the American College of Preventive Medicine, talks about the need for more federal support for residency programs and a greater appreciation for population health.

Images: N.C. Medical Society, Lorna Breen Foundation

Working to improve the mental health of North Carolina clinicians

May 16th 2024
Article

The Dr. Lorna Breen Heroes’ Foundation is teaming with North Carolina leaders to improve the well-being of caregivers. They’re pushing hospitals to drop invasive questions about mental health.

The rise of third party cyberattacks in healthcare | Data Book podcast

The rise of third party cyberattacks in healthcare | Data Book podcast

March 11th 2024
Podcast

Dan Dodson, the CEO of Fortified Health Security, talks about the risks to hospitals, AI in attacks and defense, and what health systems can do to protect themselves.

Image credit: ©Nuttapong punna - stock.adobe.com

Mental health inequities cost $477B annually, and could reach trillions

May 15th 2024
Article

The U.S. is spending billions unnecessarily due to the failure to address mental health needs, a new report finds. Jay Bhatt of Deloitte talks about the report and expanding access to mental health services.

Image credit: ©Melinda Nagy - stock.abode.com

Ascension cyberattack: How some states have been affected

May 15th 2024
Article

The health system continues to work to recover from a ransomware attack. Some hospitals continue to divert ambulances.

© 2024 MJH Life Sciences

All rights reserved.