UnitedHealth Group CEO Andrew Witty testified May 1 before both the House and Senate about the shocking Feb. 21 cyberattack of UHG subsidiary Change Healthcare, which was targeted by the ALPHV ransomware group. Intrusion.
He admitted that the absence of multi-factor authentication on an old server gave cybercriminals the means to attack successfully.
And, although the company’s forensic investigation will continue for the foreseeable future, Witty admitted that the personally identifiable information and protected health information of about one-third of Americans was stolen, according to his estimates.
“I want to say again to everyone affected, I am deeply sorry,” Witty told the House Oversight and Investigations Subcommittee as he spent nearly two hours answering questions about his finances, operations, and actions. The actions and techniques of angry committee members.
“We are working tirelessly to uncover and understand every detail possible, which we will use to make our cyber defenses ever stronger,” he said. time is over”.
Apologies and assurances
In his Congressional testimony, Witty said that UnitedHealth chose to pay the $22 million Bitcoin ransom because Change Healthcare’s compromised outdated systems crippled operations — its own and very many of their customers.
His testimony provided a glimpse into the technical aspects of the attack and UHG’s incident response.
“From the moment I learned of the intrusion, I felt a deep responsibility to do everything possible to maintain access to customer care and support,” Witty said in his opening statement. me”.
“Our response and response to this attack is based on three principles: securing systems; ensuring patient access to care and medicines; and supporting service providers according to their financial needs.”
Several members of Congress took time to ask how the company planned to help exposed patients, providers and government employees who continue to struggle financially during the shutdown.
Others — including lawmakers who are health care providers by trade and an independent pharmacist — asked about prior authorizations, pharmacy benefit management, extension of filing deadlines medical claims resulting from clearinghouse shutdowns and other constituent complaints about how UHG made decisions affecting access and patient concerns.
Multiple representatives mentioned UHG’s $370 billion in revenue last year when they asked about the financial strain on patients and providers caused by the attack and subsequent shutdown.
Unable to process claim payments, the American Medical Association said, based on a recent survey conducted March 26 to April 3, small medical practices will closed due to Change cyber attack.
Witty acknowledged that smaller suppliers are having the longest recovery times, and they are the ones receiving the majority of no-interest, no-fee loans. UHG had provided $6.5 billion in accelerated payments as of April 26, the company said.
Providers “didn’t stop their work” after the attack when they saw cash flow stop, Rep. Diana DeGette, D-Colo., noted, asking Witty about the initial loan period allowed to Optum , the UHG entity that runs Change, took the money back without notice.
“We immediately noticed [the terms] was inappropriate,” he replied. “I fully accept it was a wrong move.”
Concerns about future claim denials
During the hearing, Rep. Dr. Kim Schrier, D-Wash., also questioned the 2022 merger that the U.S. Department of Justice tried to block.
While efforts to resolve the situation and advance payments were appreciated, she said: “The reality is that this far-reaching attack has disproportionately impacted small, independent operations that are struggling to survive.”
Even though other payers “did nothing to help,” she said the loans were not enough, describing the “devastating” experience of Balance Physical Therapy in Issaquah, Washington. “The owners of the facility that employed six physical therapists had to mortgage their homes to pay rent and salaries,” Schrier said. And now that money is gone.”
In the first round of UHG loans, Balance was paid $70, she said, holding up a piece of paper to participate as an exhibit.
Schrier then said that UHG should have enough information about the claims experience to understand what activities were billed last month and last year “and could do better than that.”
She asked if UHG would help repay the value of that mortgaged house because he said he “won’t rest” until UHG gets things right.
“Madam Congressman, absolutely,” he said.
Part of the reason some providers didn’t receive support, and may still lack support, is because UHG doesn’t have “visibility to non-United flows,” Witty explained.
“Because we were trying to help quickly, we fell short, and in this case we fell short by a lot.”
She also said she heard that the loan conditions were questionable, such as a clause that the recipient could not use competitor UHG, and that some clinics and hospitals in her district had decided not to receive them.
And, given United’s reputation for acquiring “troubled” supplier operations, she asked what assurance Witty could give the committee that United would not “compromise these operations by way of not fully refunding, offering these unfair terms, then going ahead and just buying back the practices.”
“All of those provisions are now gone” and payers will “never want to act opportunistically after this,” Witty assured.
Previously, the UHG CEO had said that the health care agency was holding regular briefing calls for providers who needed assistance to reconnect to the now-resumed billing service, and said providers and patients in any county should contact UHG at 866-262-5342. (There’s also a UHG resources page.)
He then noted that 142,000 tax codes took advantage of the free loan program, and he emphasized multiple times throughout the hearing that providers do not need to start repaying until they decide that Their activities have returned to normal.
“We are committed to doing everything in our power to fix their systems or bail out their cash flow, simple as that,” he promised in his opening statement.
Although much of the functionality of the payment and claims system has been restored, according to an April 29 letter from the American Hospital Association to Sen. Ron Wyden, D-Ore., Chairman The Finance Committee and Mike Crapo, R-Idaho, ranking member, health systems and hospitals are concerned about capital recovery.
“Reconnecting is not the only step toward recovery,” the AHA says.
“Disruptions and delays in claims submission will inevitably lead to multiple denials, especially since most payers do not waive certain administrative requirements affected by the Change Healthcare outage.”
Rebuild old system
Some House committee members asked basic questions about where defenses were breached, HIPAA compliance and whether the company heeded federal agencies’ warnings about vulnerable groups. targeted by international law enforcement agencies, as the ALPHV BlackCat has been active since November 2021.
Without true isolation of cloud backups and legacy servers without MFA, Change Healthcare left its parent company liable for a series of damages that stretched from coast to coast .
Ranking Member Frank Pallone, D-N.J., said he wanted to know why UHG had not upgraded legacy systems or implemented full backups in the year and a half since the acquisition was completed.
Only when the company was acquired did UHG review the network, and from that point on, Change’s systems were updated, Witty explains.
“This change, this risk, existed before the United acquisition,” he said.
The specific ransomware attack left primary systems and backups inoperable.
“That’s one of the lessons we have to learn from this about how we build real isolation in backups and maybe just underscores the point about how important it is to have those services in the cloud versus older on-premises data centers, which is the case in legacy Change environments,” he said.
Witty also told Rep. Dr. Mariannette Miller-Meeks, R-Idaho, who was invited to the hearing, that the fault lay with the “small” company’s deeply embedded legacy systems.
“I believe the risk issue really existed when Change was a fairly independent business, or in fact a public company, but a fairly small public company. It was brought into the fold. officials and it is unfortunate that this attack occurred during the early days of our ownership of this business.”
However, the presence of older backups and upgrades in process is no excuse for UHG to some observers.
“Unlike smaller organizations, the giants,” said Asaf Kochan, co-founder and president of Sentra, a cloud-based data security platform based in New York City. Giants in this industry often have greater resources available, there is no reason to maintain lax data security.” Healthcare IT news by email.
“The difference is that United has the financial wherewithal to solve this problem and I believe will rebuild Change into a much more secure, modern platform,” Witty said.
Rep. Brett Guthrie, R-Ky., also asked about Change’s legacy equipment and whether any outdated systems could be compromised.
“We are constantly trying to quash that possibility,” he replied. We are using third parties to ensure that happens.”
“In the process of rebuilding Change – so one of the reasons Change is taking longer than you might expect is because we’re building much of the platform from scratch using completely modern technologies new, often cloud-based, with built-in security capabilities far greater than anything that existed before the attack.”
When asked about the implementation of the measures in the joint advisory body of the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the US Health and Human Services, Witty said that with investigation, UHG is trying to find out why all Change systems were not reviewed.
Witty said UHG’s policy is to review lessons learned for any violations or “any near misses.” “Every time we do a root cause analysis.”
The impact of the violation is broad and unclear
Witty said during the hearing that UHG is working regularly to responsibly notify all affected individuals.
Rep. Gary Palmer, R-Ala., asked about the timeline for fallout from the cyberattack. He said his colleagues did a good job asking about the impacts, but he wanted to ask about the thousands of government employees with “very high security clearances” that could be included in the data.
He asked Witty to prioritize notifying federal employees that their PII may have been exposed and provide assurances.
“Some of our worst fears are becoming a reality as the health data of millions of Americans is at risk due to a data breach,” said Paul Tonko, D-N.Y.
Although HIPAA requires minimum data security standards, Palmer asked whether Change was fully HIPAA compliant and asked UHG to analyze Change’s systems for HIPAA compliance.
Witty said they were only able to analyze the system after purchase: “Given its size and complexity, this took some time to do.”
Tonko then asked why a notice of violation with HHS had not yet been filed.
Witty responded that UHG did not have access to any exfiltrated data until mid-March and that they were still analyzing it.
“I am extremely concerned that we are only seeing the beginning of the impact of this cyberattack,” Schrier said.
Andrea Fox is a senior editor at Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
