UnitedHealth Group CEO Andrew Witty took fire from both sides of the aisle Wednesday during his testimony before the Senate Finance Committee on the cyberattack on Change Healthcare, a subsidiary of his company.
Senate Finance Chair Ron Wyden (D-Ore.) made it clear straight out of the gate that he blamed Witty’s leadership for the cyberattack, which caused widespread disruptions to the health care sector.
“The failures of CEOs like Mr. Witty, who months in can’t figure out how many people have had their data stolen, validate the FBI’s warning,” Wyden said in his opening remarks, referencing how the FBI had cautioned that health care is the top target for ransomware.
During the hearing, Witty confirmed it was his decision to pay a ransom to the hackers, stating the company had paid $22 million.
Here are the issues members of the committee pressed Witty on for more than two hours of testimony.
Multifactor authentication
The server that was hacked did not require multifactor authentication (MFA) for access, despite UnitedHealth Group’s (UHG) apparent companywide policy for this exact security measure.
When asked by Sen. Thom Tillis (R-N.C.) whether management at UHG had been alerted of the server’s lack of MFA, Witty said he was not aware of the issue having been raised.
“I think it’s clear that if United had stronger defenses like multifactor authentication, then this could have gone very differently,” Sen. Bob Casey (D-Pa.) said when questioning Witty.
Witty committed to requiring MFA companywide and deploying the same standards used for federal agencies within the next six months. He emphasized that enhancing MFA use was one layer of the company’s response to the attack.
“That is one element, but it’s only one element of the defense,” said Witty. “For example, we now have implemented in addition to our normal corporate wide scanning of our technology environment, we’ve now brought external third parties to do double or triple scanning across our systems.”
Growing too big
UHG is the largest health care conglomerate in the U.S. The company acquired Change Healthcare in 2022, after the federal government unsuccessfully sued to stop the sale due to antitrust concerns.
The company’s enormous control over the U.S. health care sector, and its relation to the fallout resulting from the February cyberattack, did not escape scrutiny from lawmakers.
Sen. Elizabeth Warren (D-Mass.) noted how UHG has “bought up every link in the health care chain,” owning “the country’s largest insurer, the country’s largest claims processor, the country’s third-largest pharmacy benefit manager.”
“You’re now in a position to jack up prices, squeeze competitors, hide revenues and pressure doctors to put profits ahead of patients. UnitedHealth is a monopoly on steroids,” said Warren.
Warren also blasted the company for seeking to buy out medical practices that have grown close to going out of business due to the cyberattack pausing payments, accusing UHG of using the data breach as an opportunity to grow bigger still.
Witty declined to respond to Warren’s criticisms, citing UHG’s “long-standing practice of not commenting on matters such as that or things like mergers and acquisitions.”
Who’s been impacted
UHG said in April that a “substantial proportion” of Americans’ personal information had been compromised in the attack. Witty told the committee on Wednesday that consumers likely won’t know whether they’ve been impacted for some time.
“It will take several months before enough information will be available to identify and notify impacted customers and individuals, partly because the files contained in that data were compromised in the attack,” Witty said.
The company is offering free credit monitoring and identity theft protections for two years to affected customers, though it must first determine who was impacted, which will apparently take some time.
Tillis warned that he did not want any of the onus for protecting private information to be shifted onto consumers by UHG.
“I got a notice, you know, on possibly being involved in a data breach and it was kind of interesting saying, ‘We will help you with your problem.’ And I’m thinking, ‘No I will help you with your problem.’ But you’re not going to make this difficult for consumers and we’ll be keeping track.”
“It’s got to be your problem to fix,” he added.
Physician loans
Throughout the hearing, Witty routinely referenced the interest-free loans his company is making available to health care providers as a key part of the ameliorating the financial strain they’ve been placed under.
“We have advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers. Most of these funds are for claims for non UHC health plans, and about 34 percent of the loans have gone to safety net hospitals and federally qualified health centers. We will provide this assistance for as long as it takes to get providers claims and payments flowing up [to] pre-incident levels,” Witty said in his opening remarks.
Sen. Marsha Blackburn (R-Tenn.) noted some hospitals have opened up lines of credit to continue operating and asked Witty if his company would reimburse them for these debts. He did not directly address this inquiry.
Under questioning from Sen. Bob Menendez (D-N.J.), Witty clarified that the loans did not come with the condition that hospitals not work with UHG’s competitors and stated providers would have up to 45 days to repay the loan after they had determined their operations had returned to normal.
Expected timeline
What many lawmakers wanted to know on Wednesday was when the health care sector could expect to get back on track.
Sen. James Lankford (R-Okla.) directly asked Witty when patients and providers would be “made whole” of the payments and services they have struggled to access since the attack.
“I would hope that that’s in the next month or six weeks,” Witty responded.
Sen. Catherine Cortez Masto (D-Nev.) specifically asked when “the real time eligibility and benefits verification functions of the Change Healthcare network be up to date and accurate.”
Witty did not have an answer for Cortez Masto on this front.
According to the American Hospital Association in March, 94 percent of hospitals reported being financially impacted by the cyberattack.