UnitedHealth CEO testifies at Senate cyberattack hearing

ADA sends letter recommending cybersecurity support for dental practices

At the U.S. Senate Committee on Finance’s May 1 hearing, UnitedHealth Group CEO Andrew Witty shared his apologies, response to the recent Change Healthcare cyberattack and plans to mitigate something like this from happening again. 

The meeting, “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next,” was held to discuss the Feb. 21 attack that hit Change Healthcare, one of the largest health care technology companies in the U.S. UnitedHealth Group, which owns Change Healthcare, recently confirmed that patient data was compromised in the Change cyberattack when 22 screenshots of files with protected health information — thought to be obtained by hackers — were posted for about one week on the dark web. 

At the top of the hearing, Sen. Ron Wyden, D-Ore., chairman of the Senate Committee on Finance, criticized Mr. Witty for not employing multifactor authentication to protect patient data and for still not providing data on how many people’s data was stolen months after the attack.  

“Mr. Witty owes Americans an explanation for how a company of [UnitedHealth Group’s] size and importance failed to have multifactor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it’s going to take to finally secure all of its systems,” he said.  

Mr. Witty testified at the hearing, stating he is “deeply, deeply sorry” to everyone who has been impacted by the cyberattack and that UnitedHealth “will not rest until we fix this.” Following the cyberattack, he said that the organization acted quickly to contain infection. 

“We immediately severed connectivity and secured the perimeter of the attack to prevent malware from spreading. It worked. There is no evidence of spread beyond Change Healthcare,” he said. “As we’ve responded to this attack, including dealing with the demand for ransom, my overarching priority has been to do everything possible to protect people’s personal health information.”

Mr. Witty noted that UnitedHealth Group has advanced more than $6.5 billion in accelerated payments and no interest fee loans to thousands of providers and that the organization has made “substantial progress” in restoring health care services.

“First, the team built a new technology environment in just a matter of weeks. Second, we prioritized our restoration effort on services most vital to ensure an access to care, pharmacy services, claims and payments to providers. And third, while these efforts were underway, we worked quickly to provide financial assistance to providers who need it,” Mr. Witty said.  

In advance of the hearing the ADA sent a letter to the committee’s leaders, Sens. Wyden and Mike Crapo, R-Idaho, which provided insights and several recommendations to ensure the resilience of health care infrastructure against cyber threats, such as comprehensive financial impact assessments and enactment of prompt pay legislation. The Association also urged the committee to consider legislative measures that would improve options for health care providers impacted by cyberattacks and help to prevent incidents in the future.  
  
“We are particularly interested in policies addressing gaps in cybersecurity regulations and enforcement mechanisms such as measures to enhance penalties for cybercrimes, streamlining transparency on incident reporting requirements, support for contingency planning and facilitating information sharing among law enforcement agencies and healthcare providers,” the letter said.

At the May 1 hearing, Mr. Witty said that so far there is no evidence that materials like doctors’ charts or full medical histories were exfiltrated. 

“It will take several months before enough information will be available to identify and notify impacted customers and individuals, partly because the files contained in the data were compromised in the attack,” he said, adding that the health group will provide free credit monitoring and identity theft protections for two years. 

There will also be a dedicated call center staffed by clinicians to provide support services. For more information on resources from UnitedHealth, visit changecybersupport.com.