UnitedHealth CEO Testifies Before Congress on Change Healthcare Cyberattack

During a Congressional hearing, UnitedHealth CEO Andrew Witty fielded questions from a series of senators on the February Change Healthcare cyberattack. The conversation mainly revolved around multi-factor authentication (MFA), interest-free loans given to health care entities affected by the attack, and UnitedHealth Group’s role in ameliorating the effects of the attack, among other themes stemming from the incident.

What’s The Issue?

During the hearing, Witty was asked about the attack and how Change Healthcare was not using multi-factor authentication to protect its hypersensitive data. | image credit: Rokas / stock.adobe.com

On February 21, 2024, a hacker group infiltrated the computer systems of Change Healthcare, a claim-processing subsidiary of UnitedHealth Group. The attack forced hospitals and pharmacies to shut down operations for more than a week, resulting in permanent health system shutdowns and several hospitals and pharmacies closing their doors.¹

• During the hearing, Witty was asked about the attack and how Change Healthcare was not using MFA to protect its hypersensitive data. Change, which was acquired by UnitedHealth in 2021, is a company that processes insurance claims and keeps health records for millions of Americans utilizing Medicare services. Witty addressed the company’s failure to use MFA and apologized to the millions of Americans whose confidential data were at risk from the attack. Witty also addressed the $22 million ransom his company paid to the hackers in the form of bitcoin, stating that it “was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone.”¹
• Witty was also asked about what his company is doing to address the millions of Americans and health care providers affected by the attack. As of right now, his company has offered interest-free loans to health care providers that will not be due until systems and businesses are 100% restored.

READ MORE: HHS Says It’s Working to Help Those Impacted by Change Healthcare Cyberattack

Why It Matters

Change Healthcare is a subsidiary of Witty’s UnitedHealth Group—the largest health care company in the world and the overall 11th most profitable.² At the May 1 hearing, Witty was grilled by committee members on Change’s negligence prior to the attacks. He was also asked about the larger effects that resulted from the attack and how it could even benefit Witty’s UnitedHealth Group when all is said and done.

• Much of the conversation revolved around Change’s failure to utilize MFA, a negligent action that Witty understands Change is responsible for. After apologizing for the unprecedented data breach, Witty was then asked further questions regarding UnitedHealth’s role in the incident. While several health systems were affected by the attack, UnitedHealth has since been able to acquire failing providers and, in turn, grow its business because of the attack. Witty insisted that the attack was not an opportunity to grow UnitedHealth and that him and his colleagues could not have seen the attack coming.
• Key statistics from the attack include the fact that 90% of hospitals were financially affected. And, according to US senators, Change touches 1 in 3 medical records in the US, further exacerbating the growing effects of the unprecedented attack.² While UnitedHealth continues to grow, individuals are questioning how this is possible amidst its negligent security measures. “UnitedHealth is a monopoly on steroids,” said Senator Elizabeth Warren (D, Massachusetts).

Expert Commentary

• “The Change hack is a dire warning about the consequences of too-big-to-fail mega-corporations gobbling up larger and larger shares of the health care system,” said Senate Finance Committee Chair Senator Ron Wyden (D, Oregon).³ “It is long past time to do a comprehensive scrub.”
• “Too much of our health care system is being allowed to flow through gigantic corporate monsters like UnitedHealth; this unfortunate circumstance is proof-positive of that,” says National Community Pharmacists Association CEO B. Douglas Hoey, pharmacist, MBA, ahead of the hearing.⁴ “This entity rakes in a tremendous amount of cash, yet it arbitrarily denies or slow-walks patient care, under-reimburses providers and otherwise makes it difficult to provide health care services, and fails to protect itself and its customers from a catastrophic cyberattack. These broad, debilitating disruptions reiterate independent pharmacy’s view that UnitedHealth Group should not have been allowed to acquire Change Healthcare in the first place and that Congress and other policymakers must finalize and enforce stronger laws to rein in these behemoths as swiftly as possible.”

In Depth Insights

Change’s inability to implement proper security measures prior to the attack was put on full blast during the committee hearing. While the company’s negligence was the subject of the hearing, it opened further questions about UnitedHealth’s stranglehold on the US health care industry.

• Senator Thom Tillis (R, North Carolina) brought with him to the hearing a copy of “Hacking for Dummies” to show Witty that MFA was a simple step to implement in order to avoid the cyberattack. “This is some basic stuff that was missed,” said Tillis.³
• Witty was also asked about his company’s PBM, Optum Rx, and stood on his claim that Optum and other PBMs are not the reason several independent pharmacies are expected to shut their doors. Senator Sherrod Brown (D, Ohio) discussed Optum’s $116 billion in revenue and asked Witty if some of that could be sacrificed in order to keep independent pharmacies open and relieve them from operating at the will of larger, consolidated PBMs—further identifying UnitedHealth’s ever-growing business model of acquiring smaller businesses.

Extra Reading

• UnitedHealth Group CEO takes bipartisan heat in Senate hearing over cyberattack (The Hill)
• UnitedHealth CEO Andrew Witty is set to go before Congress this week. Here's a look at his testimony (Fierce Healthcare)

References

1. Brooks K. UnitedHealth CEO Andrew Witty defends ransom payment in testimony on cyberattack. CBS News. May 1, 2024. Accessed May 1, 2024. https://www.cbsnews.com/news/unitedhealth-senate-hearing-cyberattack-change-healthcare/

2. UnitedHealth CEO Andrew Witty testifies about cyberattack. Youtube. May 1, 2024. Accessed May 1, 2024. https://www.youtube.com/watch?v=vjQAcWy1_dQ

3. Gilbert D, Diamond D. UnitedHealth CEO faces grilling from Congress over Change Healthcare hack. Washington Post. https://www.washingtonpost.com/business/2024/05/01/united-health-hack-ceo-congress-change-healthcare/. May 1, 2024. Accessed May 1, 2024.

4. Change Healthcare cyberattack still harming independent pharmacies, NCPA says. NCPA. May 1, 2024. Accessed May 1, 2024. https://ncpa.org/newsroom/news-releases/2024/05/01/change-healthcare-cyberattack-still-harming-independent