Lawmakers grill UHG CEO at hearings following Change Healthcare cyberattack

May 01, 2024 - 04:01 PM
hearings-perescriptions

Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare — the most significant and consequential cyberattack on the U.S. health care system in American history. 

Members of the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations pressed Witty for answers about what the company is doing to support hospitals and providers still feeling impacts from the attack; whether the company would waive timely filing deadlines for claims; and why a Change Healthcare Citrix portal that was hacked did not have multi-factor authentication; among other areas. 
 
In a statement shared with the media May 1, AHA President and CEO Rick Pollack said, “The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today’s hearings highlighted the real-world impact the most significant cyberattack to face the health care sector has had on so many patients, hospitals and health systems and other care providers nationwide. 
 
“At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the health care sector. We completely agree. To protect the health care infrastructure we all depend on, it’s absolutely critical that third-party entities like Change Healthcare share in that responsibility. 

“The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation. We believe this examination is long overdue.” 

Prior to the hearings, the AHA April 29 sent letters to the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations providing an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare incident, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 
 
The AHA said patients and providers are continuing to experience financial and operational impacts as providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. 
 
“It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack,” AHA wrote to the committees. 

Meanwhile, lawmakers also raised concerns about the size and scope of UnitedHealth Group and its reach throughout the entire health care system. 
 
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Senate Finance Committee Chair Ron Wyden, D-Ore., said. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack.” 

Rep. Morgan Griffith, R-Va., who chairs the Energy and Commerce Subcommittee on Oversight and Investigations, said consolidation in the health insurance industry has reached such a state “that a single ransomware attack on one company can cripple the flow of payments and claims for months.” 
 
During the hearings, lawmakers also discussed the issue of cybersecurity standards and requirements for the health care sector. To make meaningful progress in the war on cybercrime, the AHA continues to urge Congress and the Administration to focus on the entire health care sector and not just hospitals. The AHA supports the voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, but it opposes insufficiently funded proposals for mandatory cybersecurity requirements that levy significant penalties on hospitals. 
 
“It is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals’ primary systems,” AHA wrote April 29. “Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies.”

Related News Articles

Headline
Agencies issue guidance on mitigating cyberthreats with limited resources 
The Cybersecurity and Infrastructure Security Agency along with international agencies May 14 released guidance for high-risk nonprofit and other resource-…
Headline
Report: Delayed or missing payments increased for hospitals in first quarter
Hospitals and health systems nationwide saw a sizable increase in delayed or missing payments in first quarter 2024, according to a report released May 10 by…
Headline
Agencies warn of accelerating attacks on health care by Black Basta ransomware group
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Department of Health and Human Services, and Multi-State Information…
Headline
DOJ charges Russian national with developing, operating LockBit ransomware
The Department of Justice May 7 announced more than two dozen criminal charges against Dimitry Yuryevich Khoroshev, 31, of Voronezh, Russia, for his alleged…
Headline
AHA, other hospital groups urge UHG to formalize breach notification plans following Change Healthcare cyberattack 
The AHA and other national hospital groups May 8 sent a letter to UnitedHealth Group, urging the organization to formally accept responsibility for issuing…
Headline
CISA extends comment period for proposed rule on cyber incident reporting
The Cybersecurity and Infrastructure Security Agency May 3 extended the comment period to July 3 for the April 4 proposed rule that would implement cyber…