Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare — the most significant and consequential cyberattack on the U.S. health care system in American history. 

Members of the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations pressed Witty for answers about what the company is doing to support hospitals and providers still feeling impacts from the attack; whether the company would waive timely filing deadlines for claims; and why a Change Healthcare Citrix portal that was hacked did not have multi-factor authentication; among other areas. 
 
In a statement shared with the media May 1, AHA President and CEO Rick Pollack said, “The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today’s hearings highlighted the real-world impact the most significant cyberattack to face the health care sector has had on so many patients, hospitals and health systems and other care providers nationwide. 
 
“At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the health care sector. We completely agree. To protect the health care infrastructure we all depend on, it’s absolutely critical that third-party entities like Change Healthcare share in that responsibility. 

“The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation. We believe this examination is long overdue.” 

Prior to the hearings, the AHA April 29 sent letters to the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations providing an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare incident, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 
 
The AHA said patients and providers are continuing to experience financial and operational impacts as providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. 
 
“It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack,” AHA wrote to the committees. 

Meanwhile, lawmakers also raised concerns about the size and scope of UnitedHealth Group and its reach throughout the entire health care system. 
 
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Senate Finance Committee Chair Ron Wyden, D-Ore., said. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack.” 

Rep. Morgan Griffith, R-Va., who chairs the Energy and Commerce Subcommittee on Oversight and Investigations, said consolidation in the health insurance industry has reached such a state “that a single ransomware attack on one company can cripple the flow of payments and claims for months.” 
 
During the hearings, lawmakers also discussed the issue of cybersecurity standards and requirements for the health care sector. To make meaningful progress in the war on cybercrime, the AHA continues to urge Congress and the Administration to focus on the entire health care sector and not just hospitals. The AHA supports the voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, but it opposes insufficiently funded proposals for mandatory cybersecurity requirements that levy significant penalties on hospitals. 
 
“It is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals’ primary systems,” AHA wrote April 29. “Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies.”
