Change Healthcare: ‘We will not rest … until we fix this’

UnitedHealth Group CEO Andrew Witty gestures as he testifies before the Senate Finance Committee on May 1, 2024. Witty apologized for the effects of the massive cyberattack against the company's entity Change Healthcare this year.

Andrew Witty, CEO of Change Healthcare’s corporate parent, apologized to those affected by the massive cyberattack against the company that has hobbled the U.S. health care system for months.

“To all those impacted, let me be very clear: I’m deeply, deeply sorry,” said Witty, CEO of United Health Group, based in Minnetonka, Minnesota.

“Our response to this attack has been grounded in three principles: to secure the systems, to ensure patient access to care and medication, and to assist providers with their financial needs,” he said. “We have deployed the full resources of United Health Group in this effort. I want to assure the American public: We will not rest, I will not rest, until we fix this.”

Witty spoke May 1 to the Senate Finance Committee in the hearing “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”

The lawmakers spent more than two hours pressing Witty on issues ranging from cybersecurity to UnitedHealth Group’s size and business practices, to the financial effects on doctors, hospitals and pharmacists, to the theft, potential revelation and misuse of huge amounts of patient information.

Committee Chair Sen. Ron Wyden (D-Oregon) repeatedly chastised Witty for the company’s response to a hack that could have been stopped with “cybersecurity 101,” by using multifactor authentication (MFA). Witty admitted he is as disappointed and frustrated as anyone about the situation and the company did not get it right when rolling out financial help to physicians and other health care providers.

The latest information

Witty said he made the decision to pay a $22 million ransom to recover stolen data, and it was one of the hardest decisions he ever had to make. So far, the company has not seen evidence that materials such as doctor’s charts or full medical histories were exfiltrated from its records. It will take months to identify affected patients and notify them, so UnitedHealth is offering two years of free credit monitoring and identity theft protection, he said.

For physicians and other providers, UnitedHealth has advanced more than $6.5 billion in accelerated payments and is offering no interest, no fee loans, Witty said. There is a website devoted to the incident and a call center open for inquiries at 1-866-262-5342.

How it happened

Witty explained the cyberattack happened when hackers compromised a Change Healthcare server not protected by multifactor authentication, the technology that requires users to enter a password and an additional piece of information, such as a number, password, confirmation code sent via text, or fingerprint or facial scan, to log into a computer network.

“When your bank app asks you to enter a code sent by text or email, that's MFA. It secures your account even if your password is learned,” Wyden said.

The company requires MFA on externally facing computer systems, Witty said, and Wyden called it a security failure on Witty’s watch.

The reason the server did not have MFA is because Change Healthcare had only recently come under UnitedHealth Group and the company was in the process of upgrading Change Healthcare’s legacy computer systems, Witty said.

Once the hack happened, Witty said Change Healthcare disconnected from the rest of the health care system to stop additional cyberattacks and theft, and that worked.

Change Healthcare’s computer network largely is returning to normal, with core systems up and fully functional and safe for physicians, hospitals and pharmacies to reconnect with, Witty said.

“The reason why it's taken longer than you might expect to recover is, we've literally built this platform back from scratch, so that we can reassure people that there are not elements of the old attacked environment within the new technology, at the new technical environment that we created,” Witty said.

‘Hacking for Dummies’

Sen. Thom Tillis (R-North Carolina) asked about the security and, once the attack happened, the redundancy of information to restore services quickly. Witty acknowledged the attack implicated the prime and backup data environments and delays happened partly due to the age of the technology and because large amounts of data were not secured in cloud data storage.

Tillis recounted his cybersecurity experience through the Senate Armed Services Committee and he held up a copy of the book “Hacking for Dummies.”

“And this is some basic stuff that was missed,” Tillis said. “So, shame on internal audit, external audit and your systems folks tasked with redundancy, they're not doing their job.”

Wyden agreed.

“The other important point that you make, multifactor authentication is vital for prevention, but redundancy, which you touched on, basically helps the company get back on its feet. This company flunked both,” Wyden said.

Health care hobbled

Numerous senators shared anecdotes from their home states about patients, physicians, hospital leaders and pharmacists who all have spent months enduring the effects of the Change Healthcare cyberattack.

Committee Ranking Member Sen. Mike Crapo (R-Idaho) summarized the situation plainly.

“The fallout from this unprecedented attack has affected the entire health care sector,” Crapo said. “By crippling Change’s functionality, the hacker's left providers unable to verify patients insurance coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills or process prior authorization requests. In the immediate aftermath of the attack. Many providers had to rely on reserves to cover the resulting revenue losses.”

‘A monopoly on steroids’

The lawmakers noted the scale and size of UnitedHealth’s operations.

The company handles the equivalent of 5% of the U.S. gross domestic product a day, said Sen. Bill Cassidy, MD (R-Louisiana). The company has become “almost a too-big-to-fail insurer, because if it fails, it's going to bring down far more than it ordinarily would,” he said.

Witty countered that the company owns no hospitals or pharmaceutical makers. It employs about 10,000 physicians and contracts with another 80,000 who choose to work with UnitedHealth Group, while hospital employ about 400,000 physicians across the country.

Sen. Elizabeth Warren (D-Massachusetts) pounced, noting UnitedHealth reported $22 billion in profits last year, making it the largest health care entity in the nation, with the largest insurer, largest claims processor, largest controller of physicians, the largest participant in Medicare Advantage, and third largest pharmacy benefit manager. By revenue it is the 11th largest company in the world, she said.

“You are now in a position to jack up prices, squeeze competitors, hide revenues, and pressure doctors to put profits ahead of patients,” Warren said. “UnitedHealth is a monopoly on steroids. The opportunities for price gouging are everywhere.”

Federal regulators are investigating company’s billing practices and now it appears UnitedHealth is scooping up physician practices brought to the edge of bankruptcy by the company’s own data breach, Warren said. In questioning by Sen. Robert Menendez (D-New Jersey) Witty agreed to “commit to not exploiting the destabilized provider markets that you created to acquire other subsidiaries,” and Wyden later pressed Witty for assurances on that point.

‘Victim of a crime’

Sen. Ron Johnson (R-Wisconsin) noted the United States government is the largest financial entity in the world with trillions in debt and that gets hacked and makes improper payments all the time.

“I’ll state the obvious: United Health, you were a victim of a crime, correct?” Johnson said.

“That is correct sir,” Witty said.

“I’m actually sympathetic with people who are victims of crime, I don’t think you went out and sought to be hacked,” Johnson said. He followed with questions about the timeline and actions of the attack.

Processing medical claims is complex, with rules by Medicare and insurance companies, Witty said.

“And, importantly, it's a software and network business, not a pipeline business, in a physical sense,” Witty said. “So, when it's attacked, the vulnerability is that the software is impacted or encrypted and that really freezes the whole system, which is why this has been such a devastating impact.”

‘Let the country down’

After Witty’s testimony, Wyden concluded the hearing by stating there is still a lot that lawmakers and the American people don’t know. That includes possible theft of personal health data that could reveal abortions, mental health conditions, sexually transmitted infections and more.

“Companies that are so big have an obligation to protect their customers and to lead on this issue,” he said. “And much of what I've read about this, you're kind of saying, the American people, you should feel lucky that we're big. I think that a lot of Americans today don't buy that and I think that your company on your watch, let the country down, and these millions of people.”