UnitedHealth Group CEO Andrew Whitty said Wednesday that a hack compromised the medical information of millions of people and disrupted claims processing for thousands of health care providers for weeks. It likely blamed outdated technology.
At a Senate Finance Committee hearing, his first appearance before lawmakers since the Change Healthcare hack in February, Whitty said UnitedHealth Group will acquire Change Healthcare in 2022 and that the attack He pointed out that at the time of the incident, the company was still in the process of upgrading and modernizing outdated technology.
Senators did not accept that explanation. Oregon Treasurer Ron Wyden said UnitedHealth Group will adopt widely recommended cybersecurity practices, such as multi-factor authentication, which requires users to log into systems with more than just a password. They accused the company of disappointing customers by not doing so.
“I think your company has let the country down, just as you watched,” Wyden said. “This hack could have been stopped with Cybersecurity 101.”
UnitedHealth Group discovered the attack in late February and took its systems offline to prevent the malware from spreading. As a result, thousands of healthcare providers were unable to receive payment for claims processed by Change Healthcare. Whitty also said Wednesday that he personally decided to pay the hackers a $22 million ransom.
Whitty said Change Healthcare has “unfortunately and frustratingly” not yet implemented multi-factor authentication on its servers, even though multi-factor authentication is a company-wide requirement at UnitedHealth Group. said.
“We are trying to investigate exactly why that server was not secured by multi-factor authentication,” he said. “I'm as frustrated as anyone about that fact.”
And because of the “age of technology,” backup systems, known as “redundancies” meant to reduce the impact of attacks, were also compromised, Whitty said.
“Multi-factor authentication is essential for prevention, but redundancy … can help companies get back on their feet,” Wyden said. “This company has failed on both counts.”
As of Wednesday, all external systems have multi-factor authentication in place, Whitty said. We also hired a third party to review our technology to ensure it was secure against attacks.
“This is some basic content that has been overlooked,” said Sen. Thom Tillis, R-N.C., waving a copy of a book titled “Hacking for Dummies.”
Wednesday was the first time Whitty publicly answered questions about the attack. Mr. Whitty then appeared before the Oversight and Investigations Subcommittee of the House Energy and Commerce Committee.
The long-term effects and fallout are still largely unknown, with Whitty saying the hack could affect a “significant percentage” of Americans, but it remains unclear what kind of information is available. It's still unclear what happened.
The files obtained by the hackers included protected health information and personally identifiable information, but there is no evidence yet that doctor records or complete medical histories were stolen, Witty said.
Whitty said he expects UnitedHealth to notify affected patients in the “coming weeks.”
“We want to avoid piecemeal communication and completing this as soon as possible is our top priority,” he said.
Still, senators pressed Whitty to act more quickly.
“Ten weeks is too long for millions of Americans to not know that their records are available to criminals on the dark web,” said Sen. Maggie Hassan (D.N.H.). “I will.” Whitty said UnitedHealth Group is offering two years of free credit monitoring to potentially affected patients.
continuous backlog
Whitty said claims processing is mostly back to normal, but that claim was challenged by senators who said they were still receiving complaints from providers in each state.
“Many health care providers and hospitals have been left with a backlog of not being able to go to hospitals and file claims for nine weeks,” said Sen. Marsha Blackburn (R-Tenn.).
Whitty said that while UnitedHealth processes payments immediately, other insurance companies may not pay within 30 days of receiving a claim.
Whitty noted that providers can still apply for interest-free loans from UnitedHealth that don't have to be repaid until cash flow returns to normal, “which would explain why the delays continue.” Ta.
The attack is believed to be the largest ever to hit the U.S. healthcare industry and has prompted calls for Congress and the Biden administration to implement stricter cybersecurity requirements.
Wyden said Congress needs to pass minimum cybersecurity requirements for the health care sector. Wyden also said federal agencies must urgently develop new cybersecurity rules for Americans' personal health records.
“We're making a huge mistake by not having federal regulations around data privacy and data breaches and how companies have to mitigate these things,” Tillis said. Ta. “We've really had to wrestle because there's a patchwork of a dozen states doing things differently.”
On Wednesday afternoon, the Energy and Commerce Oversight and Investigations Subcommittee addressed similar areas, with a particular focus on UnitedHealth Group's large footprint in health care after decades of acquisitions.
Members questioned whether UnitedHealth Group was trying to use the economic fallout from attacks on health care providers to acquire more medical practices.
Whitty responded that his company had only made one acquisition in Oregon, and that the acquisition began before the attack.
Still, Republican Rep. Earl L. “Buddy” Carter of Georgia blasted the company's use of vertical integration to buy physician practices, pharmacy benefit managers and other health system players.
“I will continue to work to resolve this issue,” Carter said. “This vertical integration that exists across health care has to end.”
Authorization resumed for Medicare Advantage plans on April 15, Whitty said, and several members used the opportunity to criticize United Healthcare's use of prior authorization.
Republican Rep. John Joyce said the company should carefully consider how its “prior authorization” affected patient outcomes.