UnitedHealth Group CEO Andrew Whitty was hit by gunfire from both sides of the aisle Wednesday while testifying before the Senate Finance Committee about the cyberattack on the company’s Change Healthcare subsidiary.
Senate Finance Committee Chairman Ron Wyden (D-Ore.) put the blame squarely on Whitty’s leadership for the cyberattack that caused widespread disruption in the health care sector.
“The failure of CEOs like Mr. Whitty, who for months have not been able to figure out how many people had their data stolen, justifies the FBI’s warning,” Wyden said in his opening remarks. mentioned how they have warned about the safety of medical insurance. The biggest target for ransomware.
During the hearing, Whitty acknowledged that it was his decision to pay the ransom to the hackers and said the company paid $22 million.
Here are the questions committee members pressed Whitty in more than two hours of testimony:
multi-factor authentication
The hacked server did not require multi-factor authentication (MFA) for access, even though UnitedHealth Group (UHG) had a company-wide policy on this exact security measure.
When asked by Sen. Thom Tillis (RN.C.) whether UHG management had been informed that the servers lacked MFA, Mr. Whitty said he was not aware of the issue being raised. He said no.
“It’s clear that if United had put in place stronger defenses like multi-factor authentication, things would have played out very differently,” Sen. Bob Casey (D-Pa.) said during Whitty’s questioning. I think so,” Whitty speculated during questioning.
Witty has pledged to mandate MFA across the company and implement the same standards used by federal agencies within the next six months. He emphasized that increasing the use of MFA is one layer of his company’s response to attacks.
“It’s one of the elements, but it’s just one of the elements of the defense,” Witty said. “For example, in addition to our normal enterprise-wide scans of our technology environment, we are now bringing in external third parties to perform double or triple scans across our systems. became.”
getting too big
UHG is the largest healthcare conglomerate in the United States. The company acquired Change His Healthcare in 2022 after losing a federal lawsuit seeking to block sales citing antitrust concerns.
The connection between the company’s enormous control over the U.S. healthcare sector and the fallout from February’s cyberattack has drawn scrutiny from lawmakers.
Sen. Elizabeth Warren (D-Mass.) said UHG owns “the nation’s largest insurance company, the nation’s largest claims processing company, and the nation’s third largest pharmacy benefits manager,” and how it is a “health care chain.” He pointed out that the company had acquired all connections between the two parties.
“Because our competitors hide their profits, we are in a position to jack up prices and pressure doctors to put profits before patients. UnitedHealth is a steroid monopoly,” Warren said. .
Warren also slammed the company, which is trying to buy a health care provider that was on the verge of going out of business after a cyberattack halted payments, and accused UHG of using the data breach as an opportunity for further growth.
Whitty declined to respond to Warren’s criticism, citing UHG’s “long-standing practice of not commenting on such matters or matters such as mergers and acquisitions.”
Who was affected?
UHG announced in April that a “substantial portion” of Americans’ personal information had been compromised in the attack. Whitty told the committee on Wednesday that consumers likely won’t know if they’re affected for some time.
“In part because the files containing the data were compromised in the attack, it will be several months before sufficient information is available to identify and notify affected customers and individuals,” Whitty said. said.
The company is offering two years of free credit monitoring and identity theft protection to affected customers, but it first needs to identify who has been affected, which will likely take some time.
Mr Tillis cautioned that he did not want the responsibility of protecting personal information to be shifted by UHG to consumers.
“I got a notification that I might be involved in a data breach. It was interesting that it said, ‘We’ll fix your problem.’ And I said, ‘No, we’ll fix your problem.’ That’s what I think. But we don’t want to make this difficult for consumers, so we’ll keep track. ”
“That should be a problem for you to solve yourself,” he added.
doctor loan
Throughout the hearing, Mr. Whitty regularly referenced the interest-free loans his company provides to health care providers as an important part of easing the financial burden they are under.
“We have advanced more than $6.5 billion in early payments and interest-free, no-fee loans to thousands of providers. Most of these funds are for non-UHC health insurance claims; Approximately 34% are sent to safety-net hospitals and federally qualified health centers, which provide this support until providers are billed and paid. [to] It’s at the level it was before the incident,” Whitty said in his opening remarks.
Sen. Marsha Blackburn (R-Tenn.) pointed out that some hospitals have taken out credit lines to stay open and asked Whitty if her company would repay those debts. I asked please. He did not directly address the study.
In response to a question from Sen. Bob Menendez (D.N.J.), Whitty clarified that the loan does not come with a condition that the hospital not partner with UHG’s competitors, and that the provider It said repayments must be made within up to 45 days after the loan details are decided. Business was back to normal.
Expected timeline
What many lawmakers wanted to know Wednesday was when they could expect the health sector to get back on track.
Sen. James Lankford (R-Okla.) directly asked Whitty when the payments and services that patients and health care providers have struggled to access since the attacks would “completely disappear.”
“I hope that happens within the next month or six weeks,” Witty replied.
Sen. Catherine Cortez Masto (D-Nev.) specifically asked, “When will Change Healthcare Network’s real-time eligibility and benefit verification capabilities be up-to-date and accurate?” did.
Witty didn’t have an answer for Cortez Masto on this point.
The American Hospital Association announced in March that 94% of hospitals reported being financially impacted by cyberattacks.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
