
UnitedHealth Group CEO Blames Hack on Old Tech Systems


UnitedHealth Group CEO Andrew Witty on Wednesday blamed outdated technology for a hack that likely exposed the health information of millions of people and hampered claims processing at thousands of providers for several weeks.

During an appearance at a Senate Finance Committee hearing — his first before lawmakers since the Change Healthcare hack in February — Witty noted that UnitedHealth Group acquired Change Healthcare in 2022 and was still in the process of updating and modernizing its outdated technology when the attack happened.

The senators did not believe this explanation. Finance Chairman Ron Wyden, D-Ore., accused UnitedHealth Group of failing its customers by not employing widely recommended cybersecurity practices such as multi-factor authentication, which requires users to log into systems with more information than just a password.

“I think your company, under your watch, has let the country down,” Wyden said. “This hack could have been stopped with Cybersecurity 101.”

UnitedHealth Group discovered the attack in late February and shut down systems to prevent the spread of malware. This resulted in thousands of providers being unable to receive payments for claims processed by Change Healthcare. Witty also said on Wednesday that he personally made the decision to pay a $22 million ransom to the hackers.

Witty said Change Healthcare “unfortunately and frustratingly” still did not have multi-factor authentication on its servers, despite it being an enterprise-wide requirement at UnitedHealth Group.

“We’re trying to figure out exactly why this server wasn’t secured by multi-factor authentication,” he said. “I’m as frustrated as anyone by this fact.”

And due to the “age of technology,” backup systems — called “redundancies” — that were intended to mitigate the impact of an attack were also compromised, Witty said.

“Multi-factor authentication is vital for prevention, but redundancies…help the company recover,” Wyden said. “This company failed both.”

Witty said that starting Wednesday, all external systems will have multi-factor authentication. The company has also hired third parties to review its technology and ensure it is safe from attack.

“This was a basic thing that was overlooked,” said Sen. Thom Tillis, R-N.C., waving a copy of a book titled “Hacking for Dummies.”

Wednesday marked the first time Witty publicly answered questions about the attack. Witty later appeared before the House Energy and Commerce Oversight and Investigations Subcommittee.

The consequences, including long-term ones, are still largely unknown, with Witty saying the hack could potentially impact a “substantial proportion” of Americans, although the type of information obtained is not yet clear.

The files obtained by the hackers contained protected health information and personally identifiable information, but there is no evidence that medical records or complete medical histories were stolen, Witty said.

Witty said he expects UnitedHealth to notify affected patients in the “coming weeks.”

“We want to try to avoid fragmented communication and it is our top priority to do this as quickly as possible,” he said.

Still, senators pressured Witty to act more quickly.

“Ten weeks is a long time for millions of Americans to be unaware that their records could be available to criminals on the dark web,” said Sen. Maggie Hassan, D-N.H. Witty said UnitedHealth Group is offering two years of free credit monitoring to potentially affected patients.

Continuous delays

Although Witty said claims processing is back to normal, that claim was disputed by senators who said they are still receiving complaints from providers in their states.

“There is a backlog that many of our providers and hospitals are facing for nine weeks of not being able to come in and make these claims,” said Sen. Marsha Blackburn, R-Tenn.

Witty said that while UnitedHealth processes payments instantly, other insurers may not pay until 30 days after receiving a claim.

“That would explain why we continue to see this delay,” Witty said, noting that providers can still apply for interest-free loans from UnitedHealth that don’t need to be repaid until their cash flows return to normal.

The attack — considered the largest to hit the U.S. healthcare sector — prompted calls for Congress and the Biden administration to implement stricter cybersecurity requirements.

Wyden said Congress needs to pass minimum cybersecurity requirements for the healthcare industry. Wyden also said federal agencies need to fast-track new cybersecurity rules for Americans’ private medical records.

“We’re making a huge mistake by not having federal rules about data privacy and data breaches and how these companies should mitigate those things,” Tillis said. “We really need to work on this because right now we have a patchwork of over a dozen states that are doing this differently.”

On Wednesday afternoon, the Energy and Commerce Oversight and Investigations Subcommittee covered similar ground, but focused particularly on UnitedHealth Group’s large presence in the health care sector due to decades of acquisitions.

Members questioned whether UnitedHealth Group was taking advantage of the attack’s negative financial impacts on providers to acquire more practices.

Witty responded that the company only acquired one practice in Oregon — an acquisition that was initiated before the attack.

Still, Rep. Earl L. “Buddy” Carter, R-Ga., criticized the company’s use of vertical integration, in which it acquired medical practices, pharmacy benefit managers and other players in the health care system.

“Let me assure you that I will continue to work to put an end to this,” Carter said. “This vertical integration that exists in healthcare in general has to end.”

Several members also took the opportunity to rebuke United Healthcare’s use of prior authorization, which Witty said resumed for its Medicare Advantage plans on April 15.

The company should “carefully review how this prior authorization” affected patient outcomes, said Rep. John Joyce, R-Pa.


