Topics
Reimbursement
Home health agencies get half a percent pay increase
Home health agencies get half a percent pay increase
Revenue Cycle Management
Mary Washington Healthcare latest to outsource revenue cycle 
Mary Washington Healthcare latest to outsource revenue cycle 
Strategic Planning
Two CFOs see promise of AI, but have yet to build a dedicated budget
Two CFOs see promise of AI, but have yet to build a dedicated budget
Capital Finance
Cigna nixes speculation of a Humana merger
Cigna nixes speculation of a Humana merger
Supply Chain
Feds shore up healthcare supply chain in wake of hurricanes Helene and Milton
Feds shore up supply chain in wake of hurricanes
Accounting & Financial Management
Labor expenses continue to challenge hospitals
Labor expenses continue to challenge hospitals
Budgeting
Health system operating margins declined in August
Health system operating margins declined in August
Quality and Safety
US healthcare system ranks last in equity, access
US healthcare system ranks last in equity, access
Billing and Collections
CFPB warns of illegal tactics by medical debt collectors
CFPB warns of illegal tactics by medical debt collectors
Claims Processing
Denials top reason for eroding provider-payer relationship
Denials top reason for eroding provider-payer relationship
Workforce
Elevance laying off 123 California employees
Elevance laying off 123 California employees
Operations
UAB, Press Ganey launch certificate program for healthcare leaders
UAB, Press Ganey launch certificate program for healthcare leaders
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
University Hospitals expanding with $3.2 million donation
University Hospitals expanding with $3.2M donation
Compliance & Legal
Johnson and Johnson sues HRSA for blocking 340B plan
J&J sues HRSA for blocking 340B plan
Policy and Legislation
Planned Parenthood, other groups decry executive power in House bill
Planned Parenthood, other groups decry House bill
Community Benefit
AMA pushes for stricter standards for hospital charity care policies
AMA pushes for stricter standards for hospital charity care policies
Accountable Care
NAACOS pushes ACO REACH extension after $1.54B in savings
NAACOS pushes ACO REACH extension
Acute Care
SDOH, tech key to advancing value-based care, says UHG
SDOH, tech key to advancing value-based care
Ambulatory Care
Cleveland Clinic and Amazon One Medical collaborate on primary care clinics
Cleveland Clinic and Amazon One Medical collaborate
Analytics
Interoperability in healthcare moving forward despite challenges
Interoperability in healthcare moving forward despite challenges
Business Intelligence
MD Anderson launches new cancer research center
MD Anderson launches new cancer research center
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
Financial disincentives for providers who commit information blocking 
Financial disincentives for providers who commit information blocking 
Medicare & Medicaid
Elevance Health 'considering options' following star ratings hit
Elevance Health 'considering options' following star ratings hit
Patient Engagement
Patients see narrow networks in ACA marketplace plans, KFF finds
KFF: Patients see narrow networks in ACA marketplace plans
Pharmacy
CerpassRx, Waltz team on AI platform to manage specialty drug spend
CerpassRx, Waltz team on AI to manage specialty drug spend
Population Health
Reproductive care, including abortion, facing challenges
Reproductive care, including abortion, facing challenges
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth prescribing of controlled drugs extended through 2025
Telehealth prescribing of controlled drugs extended
Mergers & Acquisitions
Cardinal Health set to acquire two companies for combined $3.9B
Cardinal Health set to acquire two companies for combined $3.9B
View more
May 01 More on Privacy & Security

UnitedHealth Group CEO Andrew Witty grilled on Change cyberattack

Witty confirmed he made the decision to pay $22M in ransom to protect patient information.

Susan Morse, Executive Editor

Photo: U.S. House Committee on Energy & Commerce

House subcommittee members slammed UnitedHealth Group CEO Andrew Witty for the Change Healthcare cyberattack that left providers without claims revenue and scrambling to stay afloat financially  and left constituents without their prescriptions.

Witty opened by saying, "I am deeply, deeply sorry."

Witty, who had testified before a Senate panel earlier on Wednesday, was put on the hot seat before the House Oversight and Investigations Subcommittee that afternoon. Members both questioned and accused Witty and UnitedHealth Group, repeatedly pressing for how the company that made $22 billion in profit in 2023, and is the parent company to the nation's largest insurer, could be caught off guard by bad actors infiltrating the Change system.

Optum, a subsidiary of UnitedHealth Group, acquired Change in October 2022. The cyberattack was discovered on February 21. The company confirmed last month that it paid a ransom to protect the health information of patients, but until Wednesday, had not commented on the amount.

Witty confirmed to the committee that $22 million in bitcoin was paid as ransom, a number reported by Reuters in March.

"The decision to pay a ransom was mine," Witty said.

Witty said he believed access was gained through the use of stolen passwords sold on the dark web.

"We believe through that kind of pathway they got credentials," he said.

Partly because of the age of the technology in the Change system, encryption ransomware affected prime and backup systems that were not in the cloud, Witty said. Services that were in the cloud were able to be brought back online quickly.

Frank Pallone, D-N.J., said he didn't understand why such a large company didn't have appropriate security for Change a year-and-a-half after it was acquired.

"I don't understand why you couldn't correct it and had no adequate backup," Pallone said, echoing the concerns of many on the House subcommittee.

Shedding new light on the attack, Witty said the infiltration occurred in the oldest systems owned by Change that had yet to be updated by UnitedHealth.

The system had no MFA, or multifactor authentication, he said, but it does now.

After discovering the attack, the company secured the perimeter and contacted the Federal Bureau of Investigation, Witty said. The attack did not spread beyond Change, he said.

"I want to see someone arrested," said Michael Burgess, R-Texas.

Witty agreed that he'd love to see these people brought to justice.

Subcommittee on Oversight and Investigations Chair Morgan Griffith, R-Va., asked Witty about a statement from UnitedHealth Group that the attack had affected a "substantial" number of American citizens. Griffith wanted to know how many. Witty hesitated, saying he didn't want to give a precise number that was wrong. Griffith pressed him to estimate a percentage.

"Maybe a third," Witty answered.

Griffith also asked about a comment that arose during the last House Subcommittee on Health hearing on Change in April that UnitedHealth, which employs an estimated 10,000 physicians, bought medical practices after the attack that were struggling financially due to lack of claims payments.

Witty said no practices have been acquired since the cyberattack, except for one in Oregon that was planned for acquisition prior to that event. 

Health subcommittee member Brett Guthrie, R-Ky., asked when to expect core functions to be restored.

Witty said progress has been made, and the company has lifted all claim holds. The operational impact is rapidly coming back to normal, he said.

Change Healthcare has several different clearinghouses, he said. The last mile is restoring the oldest pieces in Change. For providers using those very old systems, United Health will continue to provide a loan guarantee service at no interest.

Dr. Kimberly Merle Schrier, D-Wash., who serves on the House Subcommittee on Health, held up a sheet of paper showing a UnitedHealth loan for a physical therapy firm in her district. The owners had to mortgage their house to make payroll and continue operations, she said.

In testimony given to the Senate Finance Committee on Wednesday morning, the American Medical Association said the findings in its latest AMA survey of physicians conducted between April 19 and April 24 strongly dispute UnitedHealth Group's assurances that systems are nearly back to pre-outage function and that claims are again flowing through the system.

"Quite the contrary  physician practices, particularly small and independent practices, are still very much in crisis and not receiving the resources or information they need to navigate the outage or breach," the AMA said.

According to the physician survey, as of last week, 90% of respondents continue to lose revenue from unpaid claims because of the outage, 80% are losing revenue from the inability to submit claims, and 63% said they are losing revenue, due to the inability to charge patient co-pays, or remaining obligations. More than 60% of respondents are using personal funds to cover practice expenses, and more than a third are unable to meet their payroll obligations.

AMA president Dr. Jesse M. Ehrenfeld warned of the dangers of consolidation, such as the one between Change and UnitedHealth. In 2021, the AMA notified the Department of Justice of several antitrust concerns regarding the proposed merger.

In statements made about the hearing, Rick Pollack, president and CEO of the American Hospital Association said, "The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today's hearings highlighted the real-world impact the most significant cyberattack to face the healthcare sector has had on so many patients, hospitals and health systems and other care providers nationwide. At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the healthcare sector.

"We completely agree. To protect the healthcare infrastructure we all depend on, it's absolutely critical that third-party entities like Change Healthcare share in that responsibility. The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected and could further affect the delivery of healthcare for our nation. We believe this examination is long overdue." 

Email the writer: SMorse@himss.org

News
Ending racism in healthcare often begins with medical education - and is the target of a new national project Ending racism in healthcare often begins with medical education - and is the target of a new national project Inequities can be found in every facet of the industry, but targeting medical students and residents can help stem the tide.