WASHINGTON – Republican lawmakers on Capitol Hill on Wednesday slammed the CEO of UnitedHealth Group over the largest-ever cyberattack on the U.S. health care industry. The cyber attack has left healthcare providers and pharmacies unable to pay their bills, leaving millions of patients in the dark about whether their information is being kept in the dark. web.
In February, a Russian-linked cybercriminal organization called BlackCat infiltrated a vulnerable server belonging to Change Healthcare, a subsidiary of Minnesota-based giant UnitedHealth. The hackers demanded a ransom for the stolen data.
Andrew Whitty, CEO of UnitedHealth, told the Senate Finance Committee that the decision to pay the $22 million ransom in Bitcoin was “one I made and one that I have never made before.” “It was one of the most difficult decisions I had to make.”
“I want to make it clear to everyone who has been affected: I am deeply sorry,” Whitty said in his opening testimony.
In its latest update in late April, the company warned that ongoing preliminary research has revealed personal health risks and personally identifiable information that “may cover a significant portion of the population in the United States.”
'Mr. A resourceful person owes the American people an explanation.”
Whitty's apology comes after lawmakers complained about basic cybersecurity mistakes, significant revenue losses, and delays in notifying patients whether their personal information was among the data stolen by cybercriminals. It did little to stop them from demanding answers from him.
“Failure starts at the top,” said Sen. Ron Wyden, the committee's chairman.
“Mr. Resourceful Americans have no idea how a company of UHG's size and importance could fail to implement multi-factor authentication on servers that provide open access to protected health information.” “We owe them an explanation as to why the company's recovery plan was woefully inadequate, and how long it will take to finally secure all of its systems,” the Oregon Democrat said. Ta.
UnitedHealth Group, one of the largest companies in the U.S., acquired Change Healthcare in a controversial 2022 deal, further expanding the company's huge footprint in the U.S. healthcare industry.
Change Healthcare is the information superhighway for payments, requesting treatment approval from insurance companies, and handling about one-third of Americans' medical records. The company says it processes “14 billion clinical, financial, and operational transactions annually.”
Whitty told lawmakers that the Change acquisition introduced the company's “legacy technology” that UnitedHealth is upgrading.
Both Mr. Wyden and the committee's ranking member, Mike Crapo of Idaho, criticized the U.S. Department of Health and Human Services for not taking a greater role after the attack.
Wyden criticized the agency for not conducting “a proactive cybersecurity audit for seven years.”
HHS, which publishes recommended cybersecurity standards for the healthcare industry, did not respond to requests for comment. The company issued a statement and guidance regarding cyber attacks on March 5th.
That's still not enough, Crapo said, adding that “the administration's delays have exacerbated an already uncertain situation and left health care providers and patients with reasonable concerns about access to essential health services and life-saving medicines.” said.
Not a “rosy” picture
The cybercriminals who attacked Change Healthcare allegedly used stolen credentials to access its servers.
The servers lacked multi-factor authentication – a widely used two-step login process – and the hackers were in the system for nine days before being detected, Whitty confirmed to the committee.
Wyden said “Cybersecurity 101” could have prevented the attack.
“I don't think there's any excuse for that,” Wyden said.
Whitty said that after the company discovered the breach, it immediately contacted the Federal Bureau of Investigation and disconnected Change from the rest of its network.
According to the American Medical Association, the outage halted billing and insurance approvals for weeks, costing health care providers more than $100 million a day.
According to written testimony submitted by Whitty, UnitedHealth said medical claims are flowing again at “near normal” levels, with payment processing reaching 86% of pre-incident levels and “as additional capabilities are restored. “It is increasing,” he claims.
Whitty told lawmakers that as of Friday, the company had issued $6.5 billion in payments and interest-free loans to health care providers.
Sen. Marsha Blackburn said her office has been inundated with calls about the Change attacks. The reality described by patients and health care workers is “very different from the rosy picture you paint,” she says.
The Tennessee Republican said he is hearing from hospitals and doctors who have faced weeks of billing and payment backlogs.
“Here is a good “example” for you. We are a small, independent, private hospital located in West Tennessee. They're diligently submitting all their claims and have a backlog of Medicare claims worth 30 days' worth of revenue waiting to be sent to Medicare,” Blackburn said. said.
“This is all because of the mistakes you all made.”
Sen. James Lankford, R-Oklahoma, asked Whitty what the “target date is for everyone to be completely sane.”
“I hope that happens within the next month or six weeks,” Witty said.
patient data
“This is basic,” North Carolina Sen. Thom Tillis told Whitty, holding up a copy of “Hacking for Dummies,” a book he says he uses as a resource before various Senate committees.
“The whole enterprise is based on moving and exchanging data,” Tillis, a Republican, said during questioning. “That's how you create value. …If a breach occurs, it should be your problem, not mine. So, to avoid harming the people listed in the brief. Everything you do to do so is just a function of business. Do you agree with that?”
“Yes,” Witty replied. “And we're going to take full responsibility for the notification, and we're waiting for that notification. You can contact us through Cyber Support.
The company has a call center (1-866-262-5342) and a website changecybersupport.com.
Whitty told Sen. Catherine Cortez Masto that the timeline for notifying health care providers and patients whether their data has been breached will take “several weeks” as required by federal and state law.
“They say it's been weeks, but how long ago was this attack? 69 days ago?” asked Cortez Masto, a Nevada Democrat.
“Yes, and thank you for your question. We were only able to begin this process about a month after the attack, when the dataset came back and we were able to begin our investigation. This is a very complex process. “It was,” Witty replied.
After the hearing concluded, the protesters briefly stood up and said, “Andrew Whitty, you can't hide. Your greedy side is showing.”
Whitty also testified Wednesday before the U.S. House Energy and Commerce Committee.
The Justice Department did not respond to requests for comment on its investigation into the attack.
