Senators slam UnitedHealth’s CEO
Cyberattack on massive health care company upended services across U.S., including in S.F.
In a tense Senate hearing Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that paralyzed the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.
Democratic and Republican senators questioned whether the cyberattack of Change Healthcare, which manages one-third of all U.S. patient records and some 15 billion transactions a year, was so vast because UnitedHealth is too deeply embedded in nearly every aspect of the nation’s medical care.
UnitedHealth Group, which reported $372 billion in revenues in 2023 and is one of the nation’s largest corporations, is not only the parent of Change but also the parent of the country’s largest health insurer and a big pharmacy benefit manager (OptumRx). United also oversees nearly 1 in 10 doctors in the country.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ megacorporations gobbling up larger and larger shares of the health care system,” said Sen. Ron Wyden, D-Ore., the chair of the Finance Committee.
The U.S. health system was
thrust into chaos after the Feb. 21 attack on Change, which serves as a digital highway between health insurers and hospitals and doctors. Patients could not fill prescriptions, and hospitals and doctors faced a severe cash crunch because they could not be paid for their care. Several clinics in and around Santa Fe were affected by the outage, with some having to resort to uploading patient information or insurance claims manually, as they had to 15 to 20 years ago. Small office practices in the state have also described difficulties accessing insurance reimbursements and programs UnitedHealth Group set up to cover shortfalls during the outage, which cut off a vital source of income.
Congressional lawmakers have clamored for more information about how the hack happened
and what UnitedHealth was doing to address it, and the company declined a request last month to appear before the House health subcommittee. On Wednesday, UnitedHealth CEO Andrew Witty was summoned to testify before both the Senate Finance Committee and a panel of the House Energy and Commerce Committee.
In the afternoon, House lawmakers outlined their concerns, especially given the corporation’s enormous scale. Describing UnitedHealth’s “growing creep into every corner of our health care system,” Rep. Cathy McMorris Rodgers, R-Wash., the chairwoman of the House committee, said the corporation’s actions were likely to become “a case study in crisis mismanagement.”
In the morning, Witty defended the company’s efforts to restore services and apologized.
But Witty acknowledged the lax digital security that enabled hackers to enter Change’s network, including an inadequate backup plan, and conceded United fumbled initial efforts to help cover payments for providers.
Just last week, United began to reveal hackers did get access to some patient data, although Witty told the senators it would be quite a while before the company would have a solid grasp on how extensive that breach of patient information was.
Wyden in particular expressed frustration with how little information United had provided to consumers. “Americans are still in the dark in how much of their sensitive information was stolen,” he said. He dismissed the company’s efforts to provide credit monitoring, calling it the “thoughts and prayers of data breaches.”
United was forced to shut Change’s systems down completely for several weeks, prompting testy exchanges between senators and Witty over the pace of reimbursements to hospitals and other providers.
Witty told senators that “claims flow across the entire country is essentially back to normal.” Wyden said he had heard from providers who filed claims in February that it would take until at least June to be reimbursed.
“We can move absolutely faster than that,” Witty said, asking to be put in touch with any organization that had complained to Wyden.
“Practically every provider I bump into is waiting to be paid,” Wyden shot back.