UnitedHealth CEO devastated over shortcomings in massive cyberattack that cripples health care • Ohio Capital Journal

WASHINGTON — Capitol Hill lawmakers from both parties grilled the CEO of UnitedHealth Group on Wednesday over the largest-ever cyberattack on the U.S. health care industry, which has crippled payments to providers and pharmacies and left millions of patients with no idea whether their information is now in it is dark. web.

A Russia-linked cybercrime organization called ‘BlackCat’ in February infiltrated a vulnerable server of Change Healthcare, a subsidiary of the massive Minnesota-based UnitedHealth. The hackers demanded a ransom for the stolen data.

UnitedHealth CEO Andrew Witty told the Senate Finance Committee that the decision to pay the $22 million ransom in Bitcoin was “mine (and) one of the most difficult decisions I have ever had to make.”

“Let me be very clear to all those affected by this: I am deeply sorry,” Witty said in his opening testimony.

The company warned in its latest update in late April that a preliminary ongoing investigation revealed that personal health had been compromised and that identifiable information “could cover a substantial portion of the people in America.”

‘Mr. Witty owes Americans an explanation’

Witty’s apology did not stop lawmakers from demanding him to answer for fundamental cybersecurity missteps, significant revenue losses and delays in notifying patients whether their personal information was among the data stolen by the cybercriminals.

Senator Ron Wyden, chairman of the committee, said that “failures start at the top.”

“Mr. Witty owes the Americans an explanation for the fact that a company of UHG’s size and importance failed to have multi-factor authentication on a server that provided open-door access to protected health information, why the recovery plans were so woefully inadequate and how long it will take to finally secure the data across all its systems,” the Oregon Democrat said.

UnitedHealth Group, which is among the nation’s largest companies, acquired Change Healthcare in a controversial 2022 deal that expanded its massive footprint in the U.S. healthcare industry.

Change Healthcare is an information highway for payments, requests for insurers to approve care and roughly a third of Americans’ medical records. It processes 14 billion “clinical, financial and operational transactions” annually, according to the company.

Witty told lawmakers that with the purchase of Change came the company’s “legacy technology,” which UnitedHealth is in the process of upgrading.

Both Wyden and the committee’s ranking member, Mike Crapo of Idaho, criticized the U.S. Department of Health and Human Services for not playing a bigger role after the attack.

Wyden criticized the agency for not conducting “a proactive cybersecurity audit in seven years.”

HHS, which has published recommended cybersecurity standards for healthcare, did not respond to a request for comment. On March 5, it released a statement and guidance on the cyberattack.

That wasn’t fast enough, Crapo said, and “the government’s delay exacerbated an already uncertain landscape, creating reasonable concerns for healthcare providers and patients about access to essential medical services and life-saving medications.”

Not a ‘rosy’ picture

The cybercriminals who attacked Change Healthcare allegedly gained access to a server using stolen credentials.

The server did not have multi-factor authentication — a common two-step login process — and hackers were in the system for nine days before they were detected, Witty confirmed to the committee.

Wyden said the attack could have been stopped by using “cybersecurity 101.”

“I don’t think there’s any excuse for that,” Wyden said.

The company immediately contacted the Federal Bureau of Investigation and disconnected Change from the rest of its network after discovering the breach, Witty said.

The system shutdown halted billing, insurance licensing and other operations for weeks, costing providers more than $100 million a day, according to the American Medical Association.

UnitedHealth claims that medical claims are flowing again at “near normal” levels, and that payment processing has reached 86% of pre-incident levels “and is increasing as additional functionality is restored,” according to Witty’s filed written testimony.

Witty told lawmakers that as of Friday, the company had issued $6.5 billion in payments and interest-free loans to medical providers.

Senator Marsha Blackburn said her office has been inundated with calls about the Change attack. The reality patients and caregivers describe “is very different from the rosy picture you’ve painted,” she said.

The Tennessee Republican said she is hearing from hospitals and doctors facing weeks of backlogged claims and payments.

“Here’s a good ‘example’ for you: a small, independent, private hospital in West Tennessee. They have diligently filed all their claims and they are saddled with a backlog of Medicare claims equal to 30 days of revenue, and they are waiting for these cases to be transferred to Medicare,” Blackburn said.

“This is all because of the missteps you all have had.”

Senator James Lankford, a Republican from Oklahoma, asked Witty for a “target time when everyone will be completely healed.”

“I hope that will be within a month or six weeks,” Witty said.

Patient records

Senator Thom Tillis of North Carolina held up the book “Hacking for Dummies,” which he said he uses as a tool in several Senate committees, and told Witty, “This is basic material.”

“Your entire enterprise is based on the movement and exchange of data,” Republican Tillis said during questioning. “This is how you create value. … If you have a breach, it should be your problem, not my problem. So anything you do to keep those people healthy from any harm in the assignment is just a function of doing business. Do you agree with that?”

“Yes, sir,” Witty replied. “And we have committed ourselves to taking full responsibility for the report, and we are awaiting that report. We have already provided credit protection and identity theft protection, and they can reach us through a 1-800 number and through our cyber support.”

The company has provided a call center at 1-866-262-5342 and a website changecybersupport.com.

Witty told Sen. Catherine Cortez Masto that the timeline for notifying health care providers and patients whether their data has been breached — as required by federal and state law — will take “several weeks.”

“You’re saying a few weeks since what, this attack was how long ago, 69 days ago?” asked Cortez-Masto, a Nevada Democrat.

“Yes, and thanks for the question. We were only able to start this process about a month after the attack when we got the dataset back and started interrogating it, a very complex process,” Witty replied.

Protesters stood up shortly after the hearing adjourned and chanted, “Andrew Witty, you can’t hide. We can see your greedy side.

Witty also testified before the U.S. House Committee on Energy and Commerce on Wednesday.

The Justice Department did not respond to a request for comment on the investigation into the attack.