UnitedHealth CEO savaged for failings in massive cyberattack that’s crippled health care

UnitedHealth CEO Andrew Witty testified before the U.S. Senate Finance Committee on Wednesday, May 1, 2024, about a cyberattack on Change Healthcare, a subsidiary. (Screenshot from committee webcast)

WASHINGTON (States Newsroom) — Capitol Hill lawmakers from both parties on Wednesday grilled UnitedHealth Group’s CEO over the largest-ever cyberattack on the U.S. health care industry, which has crippled payments to providers and pharmacies and left millions of patients clueless about whether their information is now on the dark web.

In February, a Russia-linked cybercrime organization dubbed “BlackCat” infiltrated a vulnerable server belonging to Change Healthcare, a subsidiary of the massive Minnesota-based UnitedHealth. The hackers demanded ransom for stolen data.

UnitedHealth’s CEO Andrew Witty told the Senate Committee on Finance the decision to pay the $22 million ransom in Bitcoin “was mine (and) was one of the hardest decisions I’ve ever had to make.”

“To all those impacted, let me be very clear: I am deeply sorry,” Witty said in his opening testimony.

The company warned in its latest update in late April that a preliminary ongoing investigation revealed compromised personal health and identifiable information that “could cover a substantial proportion of people in America.”

‘Mr. Witty owes Americans an explanation’

Witty’s apology did little to stop lawmakers from demanding that he answer for basic cybersecurity missteps, significant revenue losses and delays in notifying patients whether their personal information was among data stolen by the cyber criminals.

Sen. Ron Wyden, the committee’s chair, said “failure starts at the top.”

“Mr. Witty owes Americans an explanation for how a company of UHG’s size and importance failed to have multi-factor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems,” the Oregon Democrat said.

UnitedHealth Group, which ranks among the nation’s largest companies, acquired Change Healthcare in a controversial 2022 deal that added to its behemoth footprint in the American health care industry.

Change Healthcare is an information superhighway for payments, requests for insurers to authorize care and roughly a third of Americans’ medical records. It processes 14 billion “clinical, financial and operational transactions annually,” according to the company.

Witty told lawmakers that with the Change purchase came the company’s “legacy technology” that UnitedHealth has been in the process of upgrading.

Both Wyden and the committee’s ranking member, Mike Crapo of Idaho, criticized the U.S. Department of Health and Human Services for not playing a larger role after the attack.

Wyden panned the agency for not conducting “a proactive cybersecurity audit in seven years.”

HHS, which has published recommended cybersecurity standards for the health care industry, did not respond to a request for comment. It released a statement and guidance about the cyberattack on March 5.

That wasn’t soon enough, Crapo said, and “the administration’s delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access to essential medical services and life-saving drugs.”

Not a ‘rosy’ picture

The cybercriminals who attacked Change Healthcare allegedly accessed a server using stolen credentials.

The server did not have multi-factor authentication — a widely used two-step log-in process — and hackers were in the system for nine days before being detected, Witty confirmed for the committee.

Wyden said the attack could have been stopped by using “cybersecurity 101.”

“I don’t believe there are any excuses for that,” Wyden said.

The company immediately contacted the Federal Bureau of Investigation and disconnected Change from the rest of its network after discovering the breach, Witty said.

Cutting off the system halted billing, insurance authorizations and other activities for weeks, costing providers more than $100 million a day, according to the American Medical Association.

UnitedHealth maintains medical claims are flowing again at “near normal” levels, and payment processing has reached 86% of pre-incident levels “and is increasing as additional functionality is restored,” according to Witty’s submitted written testimony.

Witty told lawmakers that as of Friday the company had issued $6.5 billion in payments and no-interest loans to medical providers.

Sen. Marsha Blackburn said her office has been inundated with calls about the Change attack. The reality patients and providers are describing “is wildly different from the rosy picture that you have painted,” she said.

The Tennessee Republican said she’s hearing from hospitals and doctors who are facing weeks of backlogged claims and payments.

“Here’s a good ‘for instance’ for you: a small, independent, private hospital in West Tennessee. They have diligently submitted all of their claims, and they are burdened with a backlog of Medicare claims that is equivalent to 30 days revenue, and they’re waiting for these things to be transmitted to Medicare,” Blackburn said.

“This is all because of the missteps you all have had.”

Sen. James Lankford, an Oklahoma Republican, asked Witty for a “target time when everyone will be made completely whole.”

“I would hope that that’s in the next month or six weeks,” Witty said.

Patient data

Sen. Thom Tillis of North Carolina held up the book “Hacking for Dummies,” which he said he’s used as a resource on various Senate committees, and told Witty “this is basic stuff.”

“Your entire enterprise is based on the movement and exchange of data,” Tillis, a Republican, said during his questioning. “That’s how you create value. … When you have a breach, it’s gotta be your problem, not my problem. So everything that you do to keep those folks whole for any damage in the brief is just a function of doing business. Do you agree with that?”

“I do sir,” Witty responded. “And we’ve (leaned) in to take full responsibility on notification, and we are waiting for that notification. We’ve already stood up credit protection, identity theft protection, and they can reach us through a 1-800 number and through our cyber support.”

The company has provided a call center at 1-866-262-5342 and a website, changecybersupport.com.

Witty told Sen. Catherine Cortez-Masto that the timeline for notifying providers and patients whether their data has been breached — as required by federal and state law — will take “several weeks.”

“You’ve been saying several more weeks since what, this attack was how long ago, 69 days ago?” asked Cortez-Masto, a Nevada Democrat.

“Yes, and thank you for the question. We only were able to start this process about a month after the attack when we got the dataset back and were able to start to interrogate it, a very complex process,” Witty replied.

Protesters briefly stood after the hearing adjourned and chanted “Andrew Witty, you can’t hide. We can see your greedy side.”

Witty also testified before the U.S. House Committee on Energy and Commerce Wednesday.

The Department of Justice did not respond to a request for comment on the investigation into the attack.