Congress Grills UnitedHealth CEO Over Change Cyberattack

Legislators slammed UnitedHealth Group CEO Andrew Witty over the cyberattack on subsidiary Change Healthcare at two Congressional hearings on Wednesday, raising concerns about the technology firm’s lack of cybersecurity and the potentially huge breach of Americans’ health data.

“This hack could have been stopped with cybersecurity 101,” said Sen. Ron Wyden, D-Ore., during a hearing in the Senate Committee on Finance.

The attack, which took place in late February, has snarled the healthcare sector for months, disrupting claims processing, payments to providers, prior authorization requests and eligibility checks. 

During testimony in front of the Senate finance committee and a House Energy and Commerce subcommittee, Witty discussed new details about the incident, including an estimate of the number of individuals affected by the breach and how cybercriminals accessed Change’s systems. 

Witty said a portal hackers used to attack Change didn’t have multifactor authentication, which requires a second method to verify a user’s identity beyond a password.

Witty estimates the attack compromised the data of a third of U.S. individuals, though the company is still working to determine the extent of the exposure.

“It’s extremely frustrating to have one of the largest companies in the world failing to meet its obligations under existing law to adequately protect some of our most sensitive personal information,” said Rep. Frank Pallone, D-N.J. “[…] Mr. Witty, this never should have happened, and it can’t happen again.”

Missing cyber protections

At the hearings, Witty provided more details on how hackers were able to access Change’s systems.

On Feb. 12, cybercriminals used compromised credentials to access a portal for gaining remote access to desktops, according to written testimony. 

The portal didn’t have multifactor authentication turned on — a protection one expert told Cybersecurity Dive would likely have prevented the breach. The attacker deployed ransomware nine days after first accessing Change’s systems, according to the testimony.

At the hearings, Witty said UnitedHealth, which acquired Change about a year and half ago, was still working to bring the technology firm’s protections up to snuff at the time of the attack. UnitedHealth’s policy is to use multifactor authentication on externally facing systems, he said. 

But some legislators seemed skeptical that a company as large as UnitedHealth couldn’t have more quickly adopted cyber protections. 

Sen. John Barrasso, R-Wyo., said even a small rural hospital in his home state has multifactor authentication. The facility operates in the red, and it was established in the 1960s, long before cybersecurity was a major issue — and far earlier than Change, which was founded in 2007. 

“Did you lack the financial resources to implement a multifactorial authentication system? I’m just not sure why you haven’t had this in place yet,” he said.

Witty also confirmed UnitedHealth paid a $22 million ransom in Bitcoin in an attempt to protect personal information after the attack, which he called “one of the hardest decisions I’ve ever had to make.”

Paying a ransom is a difficult choice, but it sets a bad precedent that rewards criminals, said Rep. Cathy McMorris Rodgers, R-Wash. 

“Here’s the problem. It didn’t stop a data leak. Americans’ personal and private health information is on the dark web. This is private health data that you are responsible for protecting,” she said. “Mr. Witty, I suspect that decision will be a case study in crisis mismanagement for decades to come.”

Is UnitedHealth too big to fail?

Some legislators argued UnitedHealth has simply become too large, making the healthcare behemoth a high-risk target for cybercriminals.

The company operates the nation’s largest insurer and a major pharmacy benefit manager, and it employs thousands of physicians. At the hearings, Witty said UnitedHealth currently has less than 10,000 employed physicians, but it contracts and affiliates with another 80,000. 

“We would have to ask, is the dominant role of United too dominant? Because it’s into everything, messing up United messes up everybody?” said Sen. Bill Cassidy, R-La.

The federal government has challenged UnitedHealth’s market power before, and contested the company’s acquisition of Change.

The Department of Justice sued to block the buy, arguing the acquisition would give UnitedHealth an advantage over other payers. But a federal judge allowed the deal to close in October 2022 in a high-profile setback for the agency.

Now, UnitedHealth is reportedly under investigation from regulators over the large role the company plays in the healthcare industry, including the relationship between its insurer UnitedHealthcare and its health services arm Optum, which employs physicians.  

Witty argued that Change’s footprint was the same on the day of the cyberattack as it was before the acquisition. UnitedHealth’s size and resources could even help the firm recover, he said. 

Some lawmakers also raised concerns that UnitedHealth could take advantage of financial turmoil caused by the cyberattack to expand its reach further and acquire struggling physician practices. 

Witty said UnitedHealth acquired one practice in Oregon in a deal that was negotiated before the attack, and the company doesn’t have other planned purchases.

“I would highly recommend that anyone out there that’s thinking about buying out clinics based on the fact that they can’t file their claims through Change would reconsider,” said Rep. Larry Bucshon, R-Ind. “[…] They may be sitting in a Congressional hearing explaining why they’re doing that.”