UnitedHealth CEO grilled over ‘clear national security threat’ from Change Healthcare hack

Senators lobbed UnitedHealth CEO Andrew Witty with difficult questions over lax security practices that recently allowed ransomware hackers to breach the company’s Change Healthcare unit and cripple parts of the U.S. prescription market.

Witty on Wednesday testified before the Senate Finance Committee about the effects of the Feb. 21 cyberattack, claimed by the ALPHV/Blackcat ransomware gang, which roiled Change, one of the largest healthcare processing systems in America. The incident caused several healthcare processing challenges that have continued into May, including delayed prescription fillings and cash crunches at rural clinics and hospitals.

The company made a $22 million ransom payment, a decision ultimately made by Witty. Not all stolen data, which may have included sensitive health information on U.S. military personnel, has been recovered. The hackers used stolen credentials and broke into a Change Healthcare server that was not protected by multifactor authentication, a method which double checks whether a user is fraudulently impersonating someone else when logging into a platform.

Panel chairman Ron Wyden, D-Ore. called the impact a “clear national security threat,” comparing it to the OPM data breach in 2015.

“It is Exhibit A … that tough cybersecurity standards are necessary to protect critical infrastructure — and patients — in this country,” he said in opening remarks.

“I’m deeply, deeply, sorry,” Witty said in his opening statement. “We will not rest — I will not rest — until we fix this.” Change has sent some $6.5 billion to affected providers and has taken other steps to remediate and minimize the hack’s effects, including identity theft protection services, the company previously said.

The hack had massive cascading effects in what was arguably the largest cyberattack on the U.S. healthcare industry to date. Some 36% of respondents to an American Medical Association survey conducted between March 26 and April 3 experienced claim payments suspensions, while 32% said they were unable to submit claims altogether. 

Additionally, 80% of physician practices lost revenue from unpaid claims, while 55% of respondents said they needed to use personal funds to cover expenses. Claims processing is back to normal, though payments on those claims are still delayed.

There are also potential national security concerns linked to the hack, with Witty saying “we do believe there will be members of the armed forces” affected in the incident. He committed to providing the panel with more information within two weeks, and later said breach notifications to all affected patients would be ready in the coming weeks.

The Veterans Affairs Department said last week there is no confirmation that veterans’ data was leaked in the hack, though it still notified more than 15 million veterans and their families of the matter.

The company has been engaged daily with the Health and Human Services Department, Witty said. HHS’s civil rights office in March launched an investigation into the company examining UnitedHealth’s compliance with the Health Insurance Portability and Accountability Act, or HIPAA, that enforces safeguards for patients’ healthcare data.

The incident has resurfaced a frequent cybersecurity debate on whether victims targeted in ransomware attacks — where their data and systems are held hostage for a payment — should willingly pay those ransoms.

The U.S. over the past year has been working with international partners to take a firm stance against ransom payments, though surveyed experts have not agreed on a single policy.

Witty notably agreed to exploring minimum regulatory standards for healthcare cybersecurity. 

“I think we need those minimum [cybersecurity] standards” in the healthcare industry, said Mark Warner, D-Va., who chairs the Senate Intelligence Committee. “We were just waiting for a crisis” to happen, he added.

Some lawmakers posed the question of whether UnitedHealth holds too much of the U.S. healthcare market and whether it creates cyber risks. Witty said that when its Change Healthcare subsidiary was purchased, it brought with it the company’s legacy IT systems. UnitedHealth’s Optum business, which is focused on pharmaceutical services, combined with Change Healthcare in 2022.

“I think for us, we would have to ask: Is the dominant role of United too dominant?” said Bill Cassidy, R-La. The Wall Street Journal reported in February that the Justice Department is investigating the healthcare giant about the effects of its acquisitions on competitors and their customers.

Others pointed to broader data privacy concerns. The U.S. does not have a comprehensive federal data privacy law, and debates over how to get one to the White House have been at a stalemate for years. A new bipartisan, bicameral draft was recently put on the table.

“We are making a huge mistake by not having federal rules of the road on data privacy, data breach and how these enterprises have to really work on it,” said Sen. Tom Tillis, R-N.D., who presented the committee with a copy of the Hacking for Dummies book to stress his point that UnitedHealth failed basic cybersecurity hygiene.

“The bigger the company, the more significant your responsibilities are to have smart cybersecurity policies,” Wyden told reporters after the hearing, adding that his office is drafting legislation related to HIPAA.