A massive cyberattack in February revealed apparent technical flaws at a UnitedHealth Group subsidiary and caused the Minnetonka-based health care giant to grow larger, lawmakers announced Wednesday. This raises the difficult question of whether it was too much.
UnitedHealth CEO Andrew Whitty said in testimony before the Senate Finance Committee that hackers gained access to a portal in the company's Change Healthcare division that lacked multi-factor authentication protection. I apologized.
Sen. Ron Wyden, R-Ore., the committee's chairman, said the breach revealed a serious failure to comply with “Cybersecurity 101.” There was bipartisan criticism of what one senator called a “monopoly on steroids,” with some lawmakers questioning why UnitedHealth Group couldn't restore the system sooner.
The hack has wreaked havoc on healthcare providers nationwide and, by Whitty's own admission, could involve the personal information of up to one in three Americans.
Whitty said he is also frustrated by technology issues, adding that UnitedHealth is still upgrading its security and systems after acquiring Change Healthcare in October 2022. The CEO said the company's size allows it to respond strongly to hacks, but Wyden promised further investigation into both the cyberattack and broader issues surrounding the company.
“The Change Hack is a dire warning of the consequences of 'too big to fail' giant corporations increasingly eating up market share of the health care system,” Wyden said. “It is long past time to comprehensively eliminate UHG's anti-competitive conduct, which is likely to have prolonged the impact of this hack.”
UnitedHealth Group is Minnesota's largest company by revenue and the fourth largest company in the United States by the same measure. His UnitedHealthcare division of the company is the nation's largest health insurance company. The company also owns a rapidly growing medical services division called Optum, which employs or is affiliated with approximately 90,000 physicians. Last year's profit was about $22 billion.
The company's size was a recurring topic during questions from lawmakers.
“Our revenue is greater than the GDP of some countries,” said Sen. Marsha Blackburn (R-Tenn.). “How on earth did you not have the necessary redundancy and therefore not experience this attack and find yourself so vulnerable?”
Sen. Bill Cassidy (R-Texas) asked whether UnitedHealth Group's dominance in the health care market created a “special vulnerability.” Mr Cassidy said that while the company may have had “deep pockets to deal with this issue”, its scale also meant the hack had “outsized ramifications”.
“We would have to ask: Is United's dominant role too dominant, because it touches everything – and if you screw United, you screw everyone. ” asked Cassidy.
Whitty responded that Change Healthcare's business was as big as it was before UnitedHealth Group acquired the company in 2022. He also reminded critics of the health care sector, in which the company is not a major player.
“Despite our size, for example, we don't own any hospitals in the United States and we don't own any pharmaceutical companies,” Witty said. “We have fewer than 10,000 physicians. … We contract and partner with an additional 80,000 physicians who voluntarily choose to work alongside our Optum colleagues. ”
However, Massachusetts Democratic Sen. Elizabeth Warren argued that UnitedHealth is a steroid monopoly.
This cyber attack dealt a blow to the US healthcare system. That's because UnitedHealth Group had to shut down its Change Healthcare system, which is widely used to process claims for U.S. health care providers, to contain the threat. Those systems are now back to normal, Whitty said, but senators criticized the CEO for not yet identifying how many patients had their data compromised.
The company said a significant percentage of Americans may have been affected, and Whitty said it would take more time to determine exactly who was affected, including U.S. military personnel. He said he was deaf. In response to a question at a separate House hearing Wednesday, Whitty suggested that could be as many as one-third of all U.S. residents.
The federal government announced in March that the Change Healthcare system processes 15 billion medical transactions annually and is responsible for one in three patient records.
“To everyone affected, let me just say that I am truly, truly sorry…” Witty said. “We won't rest – and I won't rest – until we solve this.”
UnitedHealth last week offered two years of credit monitoring and identity theft protection, which Wyden said amounted to “cold comfort.”
“This company is the leviathan of medicine,” he said. “I think the bigger a company is, the greater the responsibility it has to protect its systems from hackers. … Americans are still in the dark about how much of their sensitive information has been stolen.”
Witty told the committee that on Feb. 12, criminals used compromised credentials to access Change Healthcare's Citrix portal. The CEO said the portal was used for remote access to desktops and lacked multi-factor authentication, known as MFA for short.
Witty said it is company policy to enforce MFA on all external-facing systems. He told Wyden that all of these systems are currently protected in this way.
Sen. John Barrasso (R-Wyo.) understands this kind of corporate oversight, given that even small, struggling hospitals in his home state were able to implement MFA technology. He said he couldn't do it. He asked Whitty, “Did they not have enough money to put in place a multi-factor authentication system? I don't know why they haven't put this in place yet.”
Sen. Thom Tillis, R-N.C., said the slow timeline for service restoration after the cyberattack shows a clear lack of system redundancy within Change Healthcare. . Tillis told Witty while holding a copy of the book “Hacking for Dummies.'' “This is the basic content that I was missing.”
Witty admitted: “It's very unfortunate that the redundancy switch wasn't done sooner.”
Wyden said Wednesday's comments from committee members showed bipartisan support for further investigation.
“I just heard excuse after excuse from Mr. Wit,” he said. “In fact, the first server that was hacked did not have multi-factor authentication, and Mr. Whitty's cybersecurity director knew that.”
During a House committee hearing, Whitty said the company paid a $22 million ransom via cryptocurrency after the cyberattack.
“As CEO, it was my decision whether to pay the ransom or not,” he said. “This was one of the hardest decisions I've ever had to make, and I wouldn't wish that on anyone.”
Whitty said UnitedHealth Group has provided more than $6.5 billion in accelerated payments and interest-free, no-fee loans to help thousands of health care providers with cash flow issues. He said about one-third of these loans go to safety-net hospitals and federally qualified health centers that serve high-risk patients and communities.
Health care providers were critical of the company's initial financial sponsors, who paid just $90 a week for each clinic in Roseville. The company then launched his second program to provide even more assistance.
“Some of the early estimates of potential provider gaps may not fully meet needs, given the lack of visibility into providers' billing streams,” Whitty told a House committee. It wasn't, but we quickly adjusted it.”
Meanwhile, health care providers in Minnesota suggested that Whitty's testimony obscured ongoing technology issues.
Bob Hume of the Minnesota Hospital Association said, “While Change has restored financial clearinghouse functionality, there have been literally no changes to the financial services industry, from billing patients to verifying insurance coverage to authorizing critical medical procedures. Ten other applications remain,” said Bob Hume of the Minnesota Hospital Association. Statement to the Star Tribune. “This has a huge impact on patient access to care.”
