UnitedHealth Group CEO Andrew Witty grilled on Change cyberattack
Witty confirmed he made the decision to pay $22M in ransom to protect patient information.
Photo: U.S. House Committee on Energy & Commerce
House subcommittee members slammed UnitedHealth Group CEO Andrew Witty for the Change Healthcare cyberattack that left providers without claims revenue and scrambling to stay afloat financially – and left constituents without their prescriptions.
Witty opened by saying, "I am deeply, deeply sorry."
Witty, who had testified before a Senate panel earlier on Wednesday, was put on the hot seat before the House Oversight and Investigations Subcommittee that afternoon. Members both questioned and accused Witty and UnitedHealth Group, repeatedly pressing for how the company that made $22 billion in profit in 2023, and is the parent company to the nation's largest insurer, could be caught off guard by bad actors infiltrating the Change system.
Optum, a subsidiary of UnitedHealth Group, acquired Change in October 2022. The cyberattack was discovered on February 21. The company confirmed last month that it paid a ransom to protect the health information of patients, but until Wednesday, had not commented on the amount.
Witty confirmed to the committee that $22 million in bitcoin was paid as ransom, a number reported by Reuters in March.
"The decision to pay a ransom was mine," Witty said.
Witty said he believed access was gained through the use of stolen passwords sold on the dark web.
"We believe through that kind of pathway they got credentials," he said.
Partly because of the age of the technology in the Change system, encryption ransomware affected prime and backup systems that were not in the cloud, Witty said. Services that were in the cloud were able to be brought back online quickly.
Frank Pallone, D-N.J., said he didn't understand why such a large company didn't have appropriate security for Change a year-and-a-half after it was acquired.
"I don't understand why you couldn't correct it and had no adequate backup," Pallone said, echoing the concerns of many on the House subcommittee.
Shedding new light on the attack, Witty said the infiltration occurred in the oldest systems owned by Change that had yet to be updated by UnitedHealth.
The system had no MFA, or multifactor authentication, he said, but it does now.
After discovering the attack, the company secured the perimeter and contacted the Federal Bureau of Investigation, Witty said. The attack did not spread beyond Change, he said.
"I want to see someone arrested," said Michael Burgess, R-Texas.
Witty agreed that he'd love to see these people brought to justice.
Subcommittee on Oversight and Investigations Chair Morgan Griffith, R-Va., asked Witty about a statement from UnitedHealth Group that the attack had affected a "substantial" number of American citizens. Griffith wanted to know how many. Witty hesitated, saying he didn't want to give a precise number that was wrong. Griffith pressed him to estimate a percentage.
"Maybe a third," Witty answered.
Griffith also asked about a comment that arose during the last House Subcommittee on Health hearing on Change in April that UnitedHealth, which employs an estimated 10,000 physicians, bought medical practices after the attack that were struggling financially due to lack of claims payments.
Witty said no practices have been acquired since the cyberattack, except for one in Oregon that was planned for acquisition prior to that event.
Health subcommittee member Brett Guthrie, R-Ky., asked when to expect core functions to be restored.
Witty said progress has been made, and the company has lifted all claim holds. The operational impact is rapidly coming back to normal, he said.
Change Healthcare has several different clearinghouses, he said. The last mile is restoring the oldest pieces in Change. For providers using those very old systems, United Health will continue to provide a loan guarantee service at no interest.
Dr. Kimberly Merle Schrier, D-Wash., who serves on the House Subcommittee on Health, held up a sheet of paper showing a UnitedHealth loan for a physical therapy firm in her district. The owners had to mortgage their house to make payroll and continue operations, she said.
In testimony given to the Senate Finance Committee on Wednesday morning, the American Medical Association said the findings in its latest AMA survey of physicians conducted between April 19 and April 24 strongly dispute UnitedHealth Group's assurances that systems are nearly back to pre-outage function and that claims are again flowing through the system.
"Quite the contrary – physician practices, particularly small and independent practices, are still very much in crisis and not receiving the resources or information they need to navigate the outage or breach," the AMA said.
According to the physician survey, as of last week, 90% of respondents continue to lose revenue from unpaid claims because of the outage, 80% are losing revenue from the inability to submit claims, and 63% said they are losing revenue, due to the inability to charge patient co-pays, or remaining obligations. More than 60% of respondents are using personal funds to cover practice expenses, and more than a third are unable to meet their payroll obligations.
AMA president Dr. Jesse M. Ehrenfeld warned of the dangers of consolidation, such as the one between Change and UnitedHealth. In 2021, the AMA notified the Department of Justice of several antitrust concerns regarding the proposed merger.
In statements made about the hearing, Rick Pollack, president and CEO of the American Hospital Association said, "The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today's hearings highlighted the real-world impact the most significant cyberattack to face the healthcare sector has had on so many patients, hospitals and health systems and other care providers nationwide. At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the healthcare sector.
"We completely agree. To protect the healthcare infrastructure we all depend on, it's absolutely critical that third-party entities like Change Healthcare share in that responsibility. The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected – and could further affect – the delivery of healthcare for our nation. We believe this examination is long overdue."
Email the writer: SMorse@himss.org