Lawmakers slam UnitedHealth handling of Change cyberattack amid lingering impact on physician practices
U.S. lawmakers on Wednesday slammed UnitedHealth Group and its handling of the “the biggest cybersecurity disruption to healthcare in American history,” as one lawmaker put it.
The Senate Committee on Finance held a hearing Wednesday to discuss UHG’s response to the Feb. 21 attack on claims-processing firm Change Healthcare. In the two months following the attack, the American Medical Association and other doc groups have expressed alarm about the ongoing impact on physician practices, with some considering bankruptcy due to the disruption.
Committee Chairman and Sen. Ron Wyden, D-Ore., pondered whether UnitedHealth is reaching “too big to fail” status. The Minnetonka, Minnesota-based corporation generated $324 billion in revenue last year, making it the fifth largest company in the U.S. It touches 152 million individuals each year across lines of business including insurance plans, physician practices, home health and pharmacy. And UHG has used its profits (about $22 billion in 2023) to buy up “dozens” of other healthcare companies, making it the largest purchaser of physician practices in the country.
“This corporation is a healthcare leviathan,” Wyden said in his prepared marks on May 1. “I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. UHG was a big target long before it was hacked. The FBI says that the healthcare industry is the number one target of ransomware. It’s obvious why.”
Change Healthcare processes about 15 billion healthcare transactions each year, and one-third of American patients’ records pass through its “digital doors,” Wyden noted. It specializes in moving this data from a referrer’s office to radiology groups or to and from insurance companies. This can include medical bills “chock full” of sensitive information such as diagnoses.
“UHG has not revealed how many patients’ private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack,” Wyden added. “The failures of CEOs like Mr. [Andrew] Witty, who months in can’t figure out how many people have had their data stolen, validate the FBI’s warning.”
Wyden cited informal data from the American Medical Association and others, which have shown that many small practices were “left holding the bag.” Without the claims processing service working, doc offices were left “stuffing envelopes with paper claims, and unable to get straight answers on how long the outage will last.”
He called the attack “Exhibit A” on why tougher cybersecurity rules are needed in healthcare. Currently, HHS does not require providers, payers or clearinghouses like Change to meet minimum cybersecurity standards, “unlike industries regulated by other federal agencies.” But this would also require “strong enforcement” and a proactive cybersecurity audit—which hasn’t been done in years.
“Finally, the Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the healthcare system,” Wyden said. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack. For example, Change Healthcare’s exclusive contracts prevented more than one-third of providers from switching clearinghouses, even though Change’s systems were down for weeks."
Republican take
Ranking Member Sen. Mike Crapo, R-Idaho, also testified during the hearing, echoing Wyden’s concerns. He noted that Change processes about $1.5 trillion in medical claims annually.
The company shut off its system following the attack, forcing physicians and hospitals to rely on reserves to cover revenue losses. More than 90% of hospitals were financially impacted by the attack, according to the American Hospital Association, with 70% reporting the outage directly affected their ability to care for patients, Crapo noted.
The attack occurred on Feb. 21, yet it took two weeks for HHS to release a public statement and guidance, he added. It wasn’t until March 9 that CMS started offering accelerated and advance payments to impacted Medicare providers.
“The administration’s delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access to essential medical services and life-saving drugs,” he said.
Although may of Change’s functions have now resumed, “trust in the security of its platforms needs to be rebuilt.” Crapo emphasized the importance of learning from UHG’s experience and addressing gaps in the healthcare cybersecurity infrastructure.
“We must also assess the response of the federal government, which plays a critical role in these efforts,” he added. “HHS has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active threats, as well as best practices to deter intrusions and resources should an attack occur.”
UnitedHealth CEO testifies
UnitedHealth CEO Andrew Witty also testified during the hearing, sharing details about how the healthcare giant responded to the attack.
“To all those impacted, let me be very clear: I am deeply sorry,” he said in prepared remarks.
Witty said UHG has been working “24/7 from the day of the incident” to try and restore services.
“I want this committee and the American public to know that the people of UnitedHealth Group will not rest—I will not rest—until we fix this,” he said. “We know there is more to be done, and we appreciate the ongoing efforts of our customers, employees and government partners—especially CMS and HHS—who have offered great support as we continue these efforts together.”
Witty said he expects such cyberattacks to continue in healthcare, with a record $1 billion collected by cybercriminals last year alone. UHG repels an attempted intrusion every 70 seconds, thwarting more than 450,000 attempted attacks per year. In this case, Witty said UHG opted to pay the ransom to the Change hackers, which he called “one of the hardest decisions I’ve ever had to make.”
The company expects to take several months of continued analysis before UHG can say exactly how many providers and patients were impacted by the attack. Witty expects to provide notification to affected individuals and said UnitedHealth is “working closely” with HHS “to make sure our notice is effective, useful and complies with the law.”
“The Change Healthcare attack demonstrates the growing need to fortify cybersecurity in healthcare,” Witty said. “I look forward to working with policymakers and other stakeholders to bring our experience to bear in helping develop strong, practical solutions. We support mandatory minimum security standards—developed collaboratively by the government and private sector—for the healthcare industry. Importantly, these efforts must include funding and training for institutions that need help in making that transition, such as hospitals in rural communities. We also support efforts to strengthen our national cybersecurity infrastructure, including greater notification to law enforcement and standardized and nationalized cybersecurity event reporting.”
You can read all of his testimony, along with remarks from the two senators, and watch a recording of the hearing here.