Lawmakers criticized Andrew Witty for insufficient cybersecurity protection and the lack of clarity on how many have been affected by the data breach.
Lawmakers asked tough questions of UnitedHealth Group CEO Andrew Witty regarding the Change Healthcare cyberattack and the company’s response to the breach.
Witty testified before the Senate Finance Committee Wednesday morning about the ransomware attack, which has been called the most damaging cyberattack in the healthcare sector in U.S. history.
Witty told lawmakers that the company paid a ransom of $22 million, on his order. He also acknowledged that the attack involved a Change Healthcare server that did not require multi-factor authentication. Such authentication is increasingly considered a basic step in protection, cybersecurity analysts say. With multi-factor authentication, users go through two or more steps to enter a system, such as typing a password and entering a code sent via text message.
Lawmakers said they were mystified that the company had a server without multi-step authentication.
Sen. Ron Wyden, D-Oregon, the chairman of the Senate Finance Committee, criticized Witty for the company’s failure to have multi-factor authentication on that server.
“This hack could have been stopped with cybersecurity 101,” Wyden said.
Witty testified that he was equally frustrated and said that the company is bolstering its cybersecurity. He also pointed out that UnitedHealth Group has been working to improve Change Healthcare’s cybersecurity since acquiring the company in 2022.
“There was a server which I'm incredibly frustrated to tell you was not protected by MFA (multi-factor authentication),” Witty told senators. “That was the server through which the cyber criminals were able to get into Change.”
Lawmakers repeatedly pressed Witty on that point, as Wyden said it sounded as if the CEO was making excuses.
‘Ten weeks is way too long’
Sen. John Barrasso, R-Wyoming, who is also a physician, noted that a small, community hospital in Wyoming spent about $1 million on cybersecurity in 2023.
“Hospitals take cybersecurity very seriously,” Barrasso said. “You know, Change Healthcare's commitment to cybersecurity it's not as clear.”
Other lawmakers pressed the UnitedHealth CEO about the fact that Americans still aren’t sure if their private information was exposed in the Change Healthcare attack.
At the hearing, Witty said that it will be “months” before the company has more information on how many people have been affected. The company has previously said that a large number of Americans may be impacted.
Sen. Maggie Hassan, D-New Hampshire, urged Witty to work harder to notify those affected by the Feb. 21 Change Healthcare cyberattack.
“Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals,” Hassan said.
U.S. Sen. Bob Casey Jr., D-Pa., also pointed to UnitedHealth’s estimate that it will take months for notification of affected individuals. He criticized what he described as insufficient protections in such a large company.
“I think it's clear that if United had stronger defenses like multi-factor authentication, then this could have gone very differently,” Casey said. “At the same time, United is growing and expanding, it's lacking adequate and protective cybersecurity infrastructure to secure people's most private information.”
Impact on hospitals
Lawmakers also talked about the impact of the cyberattack on physicians and hospitals in their districts. Sen. Marsha Blackburn, R-Tennessee, told Witty, “The reality that hospitals and providers are facing is wildly different from the rosy picture that you have painted.”
Barrasso pointed to the ongoing struggles of rural hospitals, which have been amplified in recent months by the Change Healthcare cyberattack.
“This breach may send some of them in a spiral from which they can’t come back,” Barrasso said.
Senators pressed Witty on when they would be made whole. Witty said that the company hopes to make all providers whole “in the next month or six weeks.”
Hospitals, doctors and medical groups have suffered losses due to the disruption in processing claims. Nearly all hospitals have seen at least some financial impact from the cyberattack, and most have said the disruptions have affected patient care. The American Medical Association has warned that some physician practices may end up closing.
In response to questions from senators, Witty said that claim processing after the Change Healthcare cyberattack is “broadly back to normal.”
“Where we still have lag is payment on those claims,” Witty said.
Witty was asked how UnitedHealth will prevent other breaches. He responded, “We are clearly trying to take responsibility in this attack. We are also trying to learn from it and we want to make sure we share all of these learnings.”
‘A lot we don’t know’
Some of the most pointed criticism came from Wyden, the chairman of the committee. After Witty discussed UnitedHealth’s offer of two years of credit monitoring and identity theft protection, Wyden said those steps are the “thoughts and prayers of data breaches.”
After two hours of testimony, Wyden said, “There's a lot we don't know. There's a lot that the American people don't know. We don't even know what data was stolen, and I'm not convinced that we are going to find that out anytime soon. We may never find it out.”
Wyden said UnitedHealth Group has failed in both protecting patient data and in responding to the attack.
“Your company, on your watch, let the country down,” Wyden said.
In his opening remarks to the committee, Witty offered an apology for the disruptions caused by the Change Healthcare cyberattack. He also said the company has distributed more than $6.5 billion to providers.
“To all those affected, let me be very clear: I’m deeply, deeply sorry,” Witty said. “We will not rest, I will not rest, until we fix this.”
Witty also acknowledged that the initial terms for UnitedHealth Group’s financial assistance were overly restrictive, and hospitals and doctors both derided the terms as too onerous. He told senators the company is offering “no interest, no fee” loans.
Witty also said payments on loans wouldn’t be due until 45 days after the providers say that they have returned to business as usual. Upon repeated questions from senators, Witty said providers - not UnitedHealth Group - would make the determination that they are recovered.