UnitedHealth CEO to testify in House committee about Change Healthcare cyberattack

© Sagittarius Pro - stock.adobe.com

UnitedHealth Group Inc. CEO Andrew Witty will appear before Congress to discuss the cyberattack on subsidiary Change Healthcare that continues to affect the U.S. health care system.

House of Representatives Energy and Commerce Committee Chair Rep. Cathy McMorris Rodgers (R-Washington) and Oversight and Investigations Subcommittee Chair Rep. Morgan Griffith (R-Virginia) announced the May 1 hearing. Their announcement comes on the heels of a Health Subcommittee hearing this week, “Examining Health Sector Cybersecurity In The Wake Of The Change Healthcare Attack,” with almost three hours of testimony from expert witnesses.

“Americans are still dealing with the fallout of the Change Healthcare hack. Individuals and smaller providers, in particular, have struggled financially following the cyberattack, threatening critical access for patients,” Rodgers and Griffith said in a joint statement April 19.

“While we’re disappointed that UnitedHealth could not join us for the recent Health Subcommittee hearing on cybersecurity, we look forward to learning more on what happened in the lead up to, and in the weeks following, the attack,” they said. “This hearing will help inform the Committee as we continue working toward solutions that protect the health and well-being of all Americans.”

Seeking answers

The Feb. 21, 2024, cyberattack caused UnitedHealth Group to take Change Healthcare offline to contain the incident, according to the House Committee. Billing services, claims transmittals, eligibility verifications and more all became inoperable, with some systems now down for more than a month.

Change Healthcare’s systems touch an estimated one in three patient records in the United States. It processes an estimated 15 billion transactions a year, involving an estimated 900,000 physicians, 118,000 dentists, 33,000 pharmacies and 5,500 hospitals around the nation.

On April 15, Rodgers and Griffith were joined by Committee Ranking Member Rep. Frank Pallone (D-New Jersey), Health Subcommittee Chair Rep. Brett Guthrie (R-Kentucky) and Ranking Member Rep. Anna Eshoo (D-California), and Oversight Subcommittee Ranking Member Rep. Kathy Castor (D-Florida) cosigning an eight-page letter to Witty demanding answers about the incident.

“The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” the letter said. “In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems, and the outreach to the health care community in the aftermath.”

Additional recommendations

The effect of the cyberattack has been financial and administrative disaster for members of the Medical Group Management Association. MGMA Senior Vice President for Government Affairs Anders Gilberg this week wrote to the Health Subcommittee with a statement prepared for the cybersecurity hearing.

Negative consequences included severe billing and cash flow disruptions, inability to submit claims, limited or no electronic remittance advice from health plans, blocked transmittal of electronic prescriptions, lack of connectivity to data, and more, he said.

“Physician practices diligently instituted workarounds for various processes to remain operational, which required significant labor costs and time to institute, diverting critical resources from patient care,” Gilberg’s letter said.

He recommended actions that Congress should consider for better defense against future attacks, or means to at least make recovery easier.

For starters: “Health plans, clearinghouses, and other third-party vendors must have safeguards and contingency plans in place to better protect physician practices from such significant cash flow and administrative impacts resulting from a cyber incident,” the letter said. Additionally:

• Lawmakers should examine further authorities and flexibilities for federal agencies responding to future attacks to support physician practices.
• Doctors’ offices should have resources similar to a proposed $500 million incentive program for cybersecurity for hospitals.
• Beyond existing rules, there should not be additional penalties against medical groups and practices not responsible for the attack and operating in full compliance.
• Law enforcement needs additional resources to combat cyberattacks and prevent them before they begin.