UnitedHealth CEO Testifies on Cyber Attack & Impact to Patients' : CSPAN3 : June 7, 2024 9:54pm-12:10am EDT : Free Borrow & Streaming : Internet Archive (2024)

9:54 pm

9:55 pm

this is two hours and 15 minutes.

9:56 pm

i ask all of her guests to please take their seats. the chair recognizes himself for five minutes of an opening statement. today's hearing is about what is likely the most consequential cyber attack and healthcare history. how could something like this happen? how did consolidation and health insurance industry reach such a state that a single ransom or attack on one company crippled the flow of payments and claims for months. change healthcare unitedhealth club subsidiary for the cyber security attack. roughly 50% of claims a pass-through or touch changes clearinghouse providers have

9:57 pm

this much of the medical claims process the market share it makes them a large target for bad actors. it's even more sounding when you consider the attack itself reportedly compromise without multi factor authentication. i am concerned about patients who have been affected. many patients were left left out of pocket for medication the pharmacy cannot process their claims or co-pay coupons. with that co-pay assistance. people walk away from diabetes medicine, antipsychotics adhd medication." one specific example is a patient having to pay $1100 for

9:58 pm

medication the pharmacy is not able to process or co-pay assistance card due to the cyber attack. contractually obligated to pay for these medications. to either walk away page large sums of money for their medications or even having to borrow money from friends providers work initial phase they were provided deep uncertainty how to float on interrupted. there was minimal all shrinking bringing expenses for the provider such as switching clearinghouse theirs and managing prior authorization. it is perfectly troublesome because of doctors to keep their practices open. by shutting down its clearinghouse effectively stopping all payments on claims

9:59 pm

make it more difficult to continue providing service. one suburban philadelphia physician who run a 6 million-dollar practice was offered only $3300 bite unitedhealth emergency loan program. she might have to sell her practice. how many millions of dollars of interest loan has united made from holding onto money that would have had to pay to providers for patients how many millions of surgeries, treatments and prescriptions were delayed or worse yet, were either canceled or did not take their medicine. i understand the substantial task united is facing while dealing cyber attackers are the bad guys look for an explanation why united did not have a backup plan. and if they did have one, it obviously failed resulting federal government had to step in and try to help. additionally we do not know how many patients had their health

10:00 pm

information breach last week conceded personal healthcare information and data of a substantial portion of americans has been stolen. at this hearing i hope we can get an understanding of just how many americans fall within the united step edition of substantial portion. even though united paid the ransom, we now have reports cyber criminals are releasing patient information, billing records and other personal and sometimes very private held by health group onto the dark web. despite having paid the ransom. i have a sweet deal of these? the shed light on these issues to the understand the full picture. i can assure this clearly watching close am always willing to hold the follow-up earrings if needed. that being said i yield back

10:01 pm

that ranking member of the subcommittee for her five minute opening statement. >> cyber attacks have become an unfortunate part of our daily lives. companies know they need to be prepared. we are so interconnected online now. communication, energy grids, online platforms and health claims clearinghouse is like change healthcare. they are all targets. ransom workgroups and other actors are constantly probing corporate government systems for vulnerability. there are reports of major data breaches almost every week. sometimes due to malfeasance. sometimes by a sophisticated cyber hackers. despite all the cautionary warnings, the largest health insurance country in was caught unprepared. change healthcare it was just

10:02 pm

part of the maga health conglomerate united healthcare, did not have basic cyber security protection in place. because of that it suffered a ransom were attacked and once unable to recover its systems and reasonable period of time leading to serious harm to doctors, pharmacies and patients across america. even with limited information that has been made public it is clear they were multiple system failures. first united healthcare was not using multifactor authentication on a remote desktop application. multi factor authentication is a very basic yet effective security measure every day americans have implemented on their mobile devices, bank accounts and e-mail logins. in fact the department of health and human services is recommended the practice in 2022 through its publication cyber security practices for medium and large healthcare organizations specifically called out importance of

10:03 pm

authentic vacation in a june 2023 newsletter. and that advisory hhs noted multifactor authentication other processes stronger password work necessary promoted access. united healthcare ignored that advice. second, it appears hackers roam through change healthcare systems for a week without being detected. their essential network cyber security monitoring features that might've picked up and flagged unusual user activity. that apparently did not happen here. third, whatever user credentials dhec had access to it appeared to allow them to roam across the entire change healthcare system unimpeded. and fourth in dhec were able to deploy at reservoir attack within the change healthcare network suggesting a lack of adequate controlled user

10:04 pm

permission that could have prevented software from holding their system valuable health data ransom. and fifth, there appears to be a lack of continuity the testimony states rebuilding your network it is unclear why there is not a reliable backup or continuity plan in place that need for network reconstruction dramatically reduce the amount of time for transaction to begin moving again. at each of these points failed whether it's too properly invest in cybersecurity or lack of adequate oversight and accountability within the company it is an open question. the bottom line is there were multiple opportunities to prevent and mitigate this attack

10:05 pm

unitedhealth group failed that every single one. in case any other company's prickly health companies are sleep at the wheel when it comes to cybersecurity, this is yet another wake-up call. cyber threats are pervasive and worsening. ransom her attacks can hold the hostage most sensitive personal data ransom or groups to grow and carry out more attacks. there are no longer exceptional events. they are a constant and must be properly prepared. there there are lessons to be learned i want to make clear this crisis is not over yet by any means. there are pharmacies and providers that have not been able to reconnect healthcare systems there is a massive amount of personal health information alpha that needs to be accounted for. and in addition to the questions you will receive today there are

10:06 pm

numerous questions outstanding from this committee in a bipartisan letter that we will present to you and i look forward to the answers to those questions in a prompt manner i want to thank chairman for putting on this important hearing and i yield back too. >> a gentle lady yields back i recognize a chairwoman of the full committee for her five minutes of questions. thank you for agreeing to testify before us today. i was disappointed your organization declined more original to testify on the cyber attack on change healthcare. one of your subsidiary companies we had invited you to testify in front of the health subcommittee but appreciate your cooperation in being here today. most americans have likely never heard of change healthcare despite how crucial it's a functioning is to ensure access to care. change acts as a clearinghouse

10:07 pm

for 15 billion medical claims each year. that means more than 50% or right at 50% of all claims passed through change that covers everything from routine checkups of primary care physicians, to lifesaving cancer treatments with specialists. things that way until recent weeks took for granted in 2020 to your company acquired change healthcare as a part of the growing into every corner healthcare system. under the united health group umbrella recites health insurance company with more 40 million covered lives across commercial markets. pbm managed one or $59 billion in drug spending last year. provider group that owns roughly one and every 12 doctors in the united states. a bank that makes payday loans to providers. that is just a few of the ventures under your purview. i say this to emphasize the

10:08 pm

massive responsibility that comes with your position. with the family of fort being crushed by inflation you think they are forking over more than $20000 per year for health insurance senior citizen scenes the aarp brand under medicare products at taxpayer federals tens of billions in subsidies to your company there is a reasonable expectation they will get a baseline level of value for their hard earned money. i will set the bar higher. you have a responsibility to protect the data, the people who put their trust in you. or more bluntly in this case you failed. on february 21st of this year change healthcare announced it was hit with a cyber attack. severely disrupting the healthcare ecosystem for providers, payers and patients that have been more than two months since the cyber attack and according to your own

10:09 pm

companies websites change has yet to fully restore services. many negative impacts for healthcare system persists. criminal hackers gain access to change healthcare through compromise credentials so they were remotely accessing the company portal nine days before the company announced publicly the ransom were attacked. this portal did not have multifactor authentication enabled basic protection about cyber attacks allow the cyber criminals to unlock the door and break into your system. multi factor authentication would be a basic expectation for a company handling the breath of sensitive information that change healthcare it does. it's been reported your company paid a ransom we have grave concerns the precedents you created by rewarding more

10:10 pm

criminals i would understand it would be a difficult decision to weigh that against protecting americans data. but here is the problem. it did not stop the data leak. americans are personal and private information is on the dark web. this is private health data you are responsible for protecting. i suspect that decision will be a case study in crisis of mismanagement for decades to come. i would be remiss if i did not know providers especially small providers and solar practitioners continue to provide uncompensated care and submitting claims cannot be processed it is been reported some are contemplating closing and others have forced to rely on volunteers to care for patients. others have had to furlough staff so that employees can apply for other employment benefits. i would forward to hearing how

10:11 pm

this will be fixed as soon as possible. i will note in closing we are here today to learn more about what happened in the lead up to the attack what you are doing to fix it and prevent it from happening again. the american people the millions who rely upon changes, services of those whose information was leaked deserve answers. i yield back. >> a gentle lady yields a back record is the ranking member for five minutes of opening statements for. >> resulted in a prolonged just to earlier this year. cyber attacks cause serious harm to patients providers and pharmacies change healthcare platform reportedly involved with one of every three patients processing 15 billion transactions every year and as a result of this attack healthcare providers have suffered tremendous reimbursem*nt

10:12 pm

patients have been out of pocket expenses or to delay treatment. pharmacies have been unable to process claims. you have to change how consensus were taken off-line on february 21st. failed to provide clarity as to when it systems would be online again. in fact status updates the same language for over a week the disruption was i quote expected to last at least through the day. this frustrated the ability of providers and pharmacies to conduct their day-to-day operations. decide whether to use systems now over two months later the system is still not back to where it was. it's unacceptable it would not accept a bank or internet service being off-line for weeks or months without a clear end in sight.

10:13 pm

it's wrong healthcare providers, pharmacies and patients continue to bear the brunt of the failure by corporation that earned three and $71 billion last year to either prevent or quickly remedy the situation. i am sure we would be hearing about the things unitedhealth has done since he cyber attacks help provide repairs. the bottom line is the health status security practice were woefully inadequate the company did not have a plan in place to quickly recover from such an attack and to minimize the damage to everyone impacted. it's true the largest healthcare company in the country it feels like too little too late for all those who have been harmed. to make matters worse we still do not know the full extent of the damage from the cyber attack. even if all the providers pharmacies remain hold the system returns to normal huge volumes of protected healthcare information or enhance of

10:14 pm

hackers. unitedhealth announced last week that can affect the privacy and i quote of a substantial portion of people in america. as part of her working comprehensive federal consumer data privacy and security legislation the committee has held numerous committees highlighting the importance of companies strong privacy and data security protections. it's extremely frustrating to have one of the largest companies in the world failing to meet its obligations under existing law that adequately protects them from the most sensitive personal information but we are talking about sensitive information about healthcare status, what medications we take what medical services we are provided. this never should have happened and it cannot happen again. unitedhealth group must do the hard work of adopting strong data security practices that include protecting against such attacks and adopting plans that minimize the impact of social tax. it's going to take a lot of work to untangle this mess. the department of health and human services worked very hard

10:15 pm

throughout this crisis to minimize essential health program. hhs work ahead examines what went wrong here and the harm caused by the staff potential release of protected data. bottom line is a sweet learn more about what went wrong this committee should examine whether additional guard rail such as establishing several security requirements on medicare contractors whether they need to be in place to prevent this from happening again. this hearing is a good start want to thank the chair for holding it on the issues raising here that can close opening statements. pursuant to committee rules all opening statements will remain part of the record. we ask you provide the opening

10:16 pm

statements to the clerk promptly. want to thank our witness for being here today to testify before the subcommittee. wise to practice squad on the senate side today followed by a round of questions. our witness today sir andrew whitty chief executive officer of unitedhealth group. we appreciate you being here and look forward to hearing from you. you are aware the subcommittee's holding an oversight hearing and doing so have a practicing cap testimony under oath she have any objection to testifying under oath? >> no i don't serve her. >> seat no objection and hearing no objection we will proceed i'd also advise you pursuant to house rules you desire to be advised by counsel during her

10:17 pm

testimony today? >> no, sir. succeeding none if you'd please rise and raise your right hand. >> you promised or provincial truth, holds with the nothing but the truth shall be god? witness has responded in the affirmative. seeing he has done so you are now sworn in and under oath such as pam is set forth in title 18 section 1001 of the night states code. with that we will now recognize for five minutes for an opening statement. >> thank you. good afternoon chairman griffith, chairwoman, ranking member castor, ranking member. thank you for the opportunity to testify here today. i served as chief executive officer of unitedhealth group. our mission is to help people live healthier lives help make the health system work better for everyone. we pursue this mission through two distinct businesses. united healthcare which provides which brings together care

10:18 pm

delivery pharmacy services technology and data to advance patient centered care. change healthcare is now part it enables information claims and payments to flow quickly echoed between physicians, pharmacists, health plans and governments. i appreciate the committee's interest in the recent cyber attack on change healthcare. as a result of this malicious siebel attack providers have disruptions worried about their private health data. to all those impacted limit be very clear. i am deeply deeply sorry our response of this attack has been grounded in three principles. secure the systems to ensure patient access to counter medication and tube assist providers with their needs. we have the full resource if unit health group in this effort and i want to assure the american public we will not rest and i will not rest until we fix this.

10:19 pm

cyber experts continue to investigate. what we will learn more in our understanding may change is what i can share today. cyber criminals enter the change healthcare portal x full traded data and on february 21 deployed rent somewhere. the part that access was not asked that our response was swift and forceful to contain infection we immediately connectivity secured the perimeter of the attack to prevent malware from spreading it worked there has been no evidence of spread beyond change healthcare. within hours of the ransom ware launch we contacted the fbi. we continue to share information with them to make sure these criminals can be brought to justice. as we have responded to this attack included dealing with the demand for ransom overarching priority is meant to do everything possible to try and protect people's personal health

10:20 pm

information. the decision to pay a ransom was mine. this is when the hardest decisions i have ever had to make. i would not wish it on anyone. as you know we found files in the next full traded data containing protected health information. personally identifiable information. which could cover a substantial proportion of people in america. so far we have not seen evidence that materials such as doctors charge for full medical history were given for it will take seven months before enough information will be available to identify customers and individuals partly because the files contained and that date at work compromise in the attack. rather than waiting to complete this review we are providing free credit monitoring and theft protection for two years along with the call center staff by

10:21 pm

clinicians anyone concerned their data may have been impacted should visit changes cyber support.com for more information. meanwhile we continue to mixed substantial progress and restore services. first, the team built a new technology environment in weeks. and secondly prioritize the restoration effort on services most vital to ensuring access to care. pharmacy services claims payments to providers and third, all the efforts were underway we worked quickly to provide financial assistance as needed. we have advanced more than $6.5 billion in accelerated payments no interest no fee loans to thousands of providers. most of these funds are for claims for non- healthcare plans about 34% of loans have gone to safety net hospitals and federally qualified health

10:22 pm

centers. we will provide this assistance for as long as it takes to get providers claims flowing at preincident levels. if there are providers in your district who need help please put us in touch with them. fighting cybercrime is an enormous task and one that requires us all industry, law enforcement and policymakers to come together. i look forward to answering your questions today. >> think if your testament will move into questions. as a question/answer portion i'll begin the questioning and recognize myself for five minutes. what does that mean customer chemistry talking 20% 50% are we talking 70 ellis. >> we continue to estimate the data it involved we do think it will be substantial. because we have not completed the process i am hesitant to be

10:23 pm

overly precise on that and be wrong in the future but i would not want to mislead anyone in that regard. >> i would not shoot to mislead us either. when you say substantial government range bottoms a high don't mind was talking 20 -- 50? >> i think it may be one third or some more of that. >> okay and i appreciate you letting us know that as a suspect number the worst thing you can do is come here and tell us something that sounds like it's a fact you're giving us and have it be difference i appreciate that. your country is contractually obligated to place your beneficiary services and medicines. your silk looking premium dollars and collecting interest on that money you heard me sing in the opening i am concerned about the issues. particularly i am concerned about providers in particular concerned about the report of the lady who had to spend $1100 out-of-pocket and see understand in my district i don't think about this lady's circ*mstances that's private information.

10:24 pm

the average take-home pay and my district is $50037. so $1100 to the big amount of money even people make more than that don't generally keep $1100 laying around. what you all going to do to try to make those people hold? , thank you very much for the question. on the first part of your question concerning ongoing payment versus a premium that we collect. i want to reassure you we have lifted all claim holds we have for weeks been paying claims as soon as they arrive at the company. very accelerated formats. we know not everyone in the marketplace is doing that but we certainly are. as far as the situation of the lady of described let me say how sorry i am to hear of the situation like that. i am aware there are clearly people about the situations. >> probably thousands of them we don't know about. >> these particular situations

10:25 pm

two things i like to reassure you of first of all the systems are back online in terms of those coupons and card systems they are back online. we have and continue to honor any prescription fulfillment for somebody it was out of pocket in good faith. we will honor the out-of-pocket cost. if your office would like to connect us up we be happy. >> develop the proper privacy forms we don't want to be guilty of giving away secrets. they going to have to fill out a lot of forms? a lot of folks particular about $1100 it's $110 if you give them a lot of paperwork to do they're going to say forget it. or choice of words.

10:26 pm

[laughter] >> no and again thank you for the follow-up question. to fulfill a prescription or honoring those in good faith quick to look forward to work at the on that one to solve this for all americans i look forward for toremove your company on th. i want to get to it's one of those things may be an unintended consequence but i think it is a consequence. medical practices. what we are hearing is a lot of practices are particularly in underserved areas anyway. your company is willing to buy the practice which i think is good on its face. but, as you heard chairwoman or rogers say, one in 12 positions are doctors currently works for

10:27 pm

one of your subsidiaries already. this is giving you all a leg up on buying other practices. how many other clinics do you think were hurt by the cyber attack question mr. chairman, thank you very much for the question. just hundred 10,000 physicians and our practices member they talk about much larger number. that includes those over to make sure that's clear. since this attack went to reassure you in that situation i was a transaction which was negotiated. >> my time is running out.

10:28 pm

any other practices you're about to require? >> no not at all. i recognize member of the subcommittee for her five minutes of question progress one of the most aspects of the cyber attack how unprepared unitedhealth group your testimony states you are perpetually bombarded with attempted intrusions. roughly one per minute. change healthcare may 2022 filing extensive disclosures about the risks of eight cyber attack and the processes it has in place to mitigate the risk. that filing specifically stated quote is our employees and business partners employees work from home and access our system remote lately may be subject to heightened security privacy at risk. including risk of cyber attack

10:29 pm

and privacy incidents. you are clearly on noticed your company's networks were regular targets for attacks and remote access in particular was potentially vulnerable. but that being the case why is it one of your remote access applications did not have something as basic as multifactor authentication enabled and is it the case it was never enabled gorgeous and not enabled at the time of the cyber attack? >> congressman thank you very much for the question. we are continuing to investigate exactly why it was not on that particular services it clearly was not. i am as frustrated as you are the timing of the declarations you just described.

10:30 pm

we change healthcare it was a relatively older company with older technologies which we've been working to upgrade since the acquisition. for some reason which we continue to investigate this service did not have. >> it is not clear today. when on why was it activated? >> has been going on over the last several weeks there that should have been done that were not. who is responsible for that? what's emily who was responsible multifactor authentication was activated wasn't? >> company policy is to have multi- factual on externally

10:31 pm

facing systems. in certain situations you might have for example all of the technology that have been upgraded. you may have security controls around those systems as a compensating factor. that whole framework is clearly something we ascribe too. >> who in the organization would be responsible for whether or not those activated or not? >> that would all be part of our information security structure within our technology organization projects ultimately is that your responsibility? what's ultimately everything in the entry is my responsibility. >> united health most recent reports that have systems and procedures in place to detect and contain cyber security incidents. unitedhealth regulate tests and updates continuity and resiliency plans to contain it remediate potential disruptions or cyber events. unitedhealth systems are detecting did not work as it

10:32 pm

vibrates wealth from hackers to gain access healthcare through february 21 when they carried out a rant somewhere. did unitedhealth ever test cybersecurity weather to change healthcare is tested those systems or prior to coming into the organization. that nine-day. it is a focus of whether or not there was a failure of the system they are. or some other reason why the systems did not pick up what was going on. >> what continuity and contingency were in place prior to the attack and account for disruptions at the scale we have seen over the last two months? >> significant contingency however in this particular attack and partly because of the age of the technology within

10:33 pm

change healthcare which is been built up over many decades. the encryption rant somewhere was decimated within the system affect not just the prime system but the backup systems as well when they were not in the cloud. some change the key systems were not in the cloud. were they word in the cloud we were able to bring them back up very rapidly some of our services were back up within a day or two. but impact across both the backups in the prime system. which really is a consequence of all the technologies. reckon us the full committee for five minutes of questions.

10:34 pm

you stated nine days before the ransom or attack occurred quote criminals use compromise credentials to remotely access one of your portals what do you mean about compromise credentials and how did that happen people refer first to stealing passwords you may be aware people's passwords being stolen and sold on the dark a web in that kind of thing we believe to that pathway they originally got credentials which allowed them access into the system. use the server we've been talking about to prosecute the attack. switching gears i have along the said i'm skeptical of arrangements for the insurance are paying for patient care maintains ownership over the doctor that supposed to be providing it. united is the poster child for such arrangements as the single

10:35 pm

largest owner of physicians in the nation. i've a fundamental problem with the direction of consolidation or healthcare system. i believe it's increasing costst of reducing the quality of care. again the poster child for this probably do not seem to agree that you recently said and i quote where comparative small part of the 5 trillion u.s. health system. united has released a statement that says the company has found files containing ph i identifiable which could cover a substantial portion of people in america. how would have the phi of a substantial portion of americans? quick to madame chairwoman thank you very much for the question. i think the distinction i would draw between those two things is

10:36 pm

a change healthcare was processing about 40% of claims point to the system on behalf of all payers. they do other work that's change activity. change itself was relatively is relativelysmall company had t role in a clearly have we are relate the market leader were very rarely number one in the situations we compete in all the key areas similarly across the states we have been developing what we believe is an improved way of ensuring higher quality care by aligning incentives between physicians and payers. >> the chairman asked about substantial portion earlier. i'm going to move on. you said numerous times has allowed to recover more quickly and otherwise would have.

10:37 pm

but have complying they do not want to be told less competition strongly recommend you put that to creating that system. moving back to cybersecurity infiltrated users to remotely access your system the ranking member asked about why you did on the multifactor's that have it now? >> is a portal and now today. all facing systems across unitedhealth group has ms a. we have third-party testing

10:38 pm

technologies a rapid evolving space we have to beat relentlessly checking on that almost every day. a new application or something new happening. policy is very clear. >> think i'm going to move on. how are dhec communicating with unitedhealth to get the ransom question did you communicate directly with dhec? >> i did not. >> how much did you pay and ransom how was it paid was it dollars, bitcoin or of her crypto currency? >> $22 billion in bitcoin. >> was the date you paid the ransom? >> am sorry i do not have that in mind i can suddenly get back to you with that pickwick kitty or firm affirmatively say dhec you paid did not make copies of protected data at a later date pull it to the internet are dark web? >> i cannot affirmatively say that. >> thank you. i yield back.

10:39 pm

>> a gentle lady yields back recognize the ranking over the full committee for his five minutes of questioning. >> thank you, mr. chairman. required healthcare in 2022 it touted stated the acquisition would ensure physicians get paid more quickly, accurately and exact opposite of the largest in that country disruption that have persist for so long. i know you said and less site misunderstood i think you said a few times you acquired all systems, all technology but you had a year end a half from when you acquired it until the cyber attack. so i don't understand why you cannot correct it.

10:40 pm

why you did not have an adequate backup. you had a year end a half a why couldn't you correct that? and why didn't you have an adequate backup in place? >> mr. congressman thank you much for the question. as soon as we were able to close the transaction the core technology the very layers of activity obsolete you're saying it would take backup plan in place? actually backup for many of the

10:41 pm

systems ransom or attack made those backups in operable. that is one of the lessons we have to learn from this. so how we build true isolation of backups and maybe just emphasize the points about the importance of having those services in the cloud versus on premises, undated centers which is the case in that legacy change environment. >> okay have three questions limited to the second and third period there's a lot been said by my colleagues about small providers and pharmacies that were particularly hard manually typing claims the required hours of labor and upfront costs. i am told these workouts were not realistic. i am wondering why -- whether you believe these workouts for small providers did the trick.

10:42 pm

weren't there a lot of problems with their ability to do that does that still persist? quick thank you for the question. to work or to encourage i do acknowledge and recognize that is what we put in place the funding program to support small providers recognizing they probably have the longest disruption in terms of their cash flow support. and i believe the majority certainly a large fraction of the six and half billion dollars of interest-free loans have gone to smaller providers for quick let me ask you again about the small providers. even though you are getting the system back online, they need to

10:43 pm

reconnect, right to your system. what is it doing to meet may not have the same resources as large hospitals continue to provide assistance to them so they can reconnect. >> think utes are absolutely. we are reaching out to providers actively as each system comes online to help them make sure that the technical capability of any member wheat wit absolute prioritize making sure we get connections to the key for us is knowing who has the problem. we will do that. >> >> i appreciate your offering that you made earlier. we made some that continue to have problems. and so to the chair i do intend to get back with you and identify those for you. >> thank you, thank you, mr. chairman. what the gentleman yields back.

10:44 pm

as they are generally available a website or telephone number a practice is there generally available a website or telephone number a practice can call right now if they are have a continuing problem. yes and thank you very much for the question. change support.com is the best website for anyone to access. whether it be to provide or individual. both sides would like to note the number available for individuals to call them any questions at all about data or anything like that. (866)262-5342. that service line is available and makes available very quickly very simple process it wants things that credit protection identity theft protection, those services are all available to be enrolled through a simple phone call. >> are providers still contacting you as he mentioned

10:45 pm

continue to hear from people are they still reaching out to say they have trouble? quick sporadically. not so many. but i certainly encourage any member who has a knowledge of folks continuing problems please send them our way we will either get them technically reconnected or make sure they have a robust offer of cash flow support so they are carried through by what's left of the cycle. >> a practice that uploaded data to the websites, the website gets hacked and now the information appears in the dark web who is liable if a patient finds her information has been compromised are obviously going to ask their doctor and say how did this happen and then who has the liability for that data? >> mr. congressman brad thank you very much for that question. first and foremost we are

10:46 pm

offering to take full responsibility of all notification obligations for everyone involved in this. we are working with the regulative offices to manage that process. ideally we would like to take the oversight positions don't have to worry about the situations. we do have to make sure the various oversight organizations support that approach. that is very much that weight we went to step in and take that responsibility. >> can we help you with that? who are the regulatory agencies that would need to understand the importance of this? >> we are working within hhs. those conversations are ongoing part of very much appreciate the offer and if it is acceptable to you will come back to in the future if necessary. but today those conversations are engaged. i hope we will be able to get to a simple solution which takes the anxiety notification off everyone else's shoulders. we want to be able to do that pickwick said it's good to know.

10:47 pm

from the scope of this committee but you mentioned the bit coin ransom. you work with the department of justice. i want to see someone arrested and marched to the center of town and shop for doing this. are you helping law enforcement track these people down? >> absolutely in the very first hours we reached out to fbi i would like to acknowledge a fantastic engagement we've had from fbi through this entire period through today. we have been every step of the weight with fbi we will continue to provide them whatever information they need or is helpful to them to hopefully track down and catch these folks. i am completely aligned with you i would love to see these people brought to justice. >> of course this is not the

10:48 pm

first time. it's actors from outside the united states hope we can engage on that is a problem not going away for member dealing with this very same set of circ*mstances in 2015. we just cannot keep doing the same things over and over again. mention the testimony that there are loans of two practices who are having difficulties those are low interest loans. >> it yes they are interest-free. and no fee. and wait so far issued advanced

10:49 pm

payments or loans of $6.5 million to about 142,000 so tax id numbers, all interest-free. no cost and no need for the provider until her back and cash flow. >> that is wonderful. are you relying on stem back up to normal now you can start? >> essentially yes. we will work with providers were so far we've not asked him to repay. providers have begun to repay they have begun to come back to us i think that's a good sign still drawing down some interest-free loans work with both ends of that spectrum corrects the judgment yields back reckon is a gentle lady in

10:50 pm

the wake of the cyber attack on change health grace" otherwise it would have less change and i think it may be true that resources of united health group have allowed change health care to survive and recover parade that is good. i also think it is important those resources be used to ensure the stability of the broader healthcare system. so, understand change and systems are being restored on a rolling basis. and the good news i have heard from service providers in my state of colorado they are largely back on track and submitting claims but although there are some difficulties we will be sure to call you when we hear about them. but, i think we need to do more work to get everyone reconnected. i just have a few questions.

10:51 pm

united healthcare group just that over three to $70 billion in revenue in 2023 is that correct? >> that is correct to pray. >> the premiums on a risk based products make up about 80% of united house revenues, is that right? >> yes super. >> the amount of that was just over $290 billion in 2023, correct? >> yes i believe so. >> that translates to $24 billion in premiums every month, is that right? >> that would be about right. >> i point all of that out because it while it change it was down united healthcare is not paying out claims, that it would have received providers around the country did not stop their work. he referenced this before they were spending money purchasing supplies, paying salaries, keeping the lights on. but in many cases payments were coming in.

10:52 pm

but yet at the same time that happens, united healthcare did not stop taking in premiums while change was down and claims were unable to be processed through change healthcare, is that right? >> we did but perhaps i could just explain we continue to be paid premiums but we also continue to pay on claims. united healthcare was a relatively small user of change healthcare. united healthcare continued to be able to fulfill the vast majority of its claims. >> but still but all of the payment to providers was not happening at that time, correct? >> a very small fraction for united healthcare. for other payers there is more disruption. >> right, okay. now, in the weeks after the attack united health group through its financial arm began

10:53 pm

making loans to providers use the change system. as of march 27 as reported in the media united health group had paid out advances of $3.3 billion to providers affected. i now i understand even more has been paid out. the loan program originally structured required repayment within five days of receiving notice. i allowed financial services to take back funds with communication. do you think those terms were fair? are those terms you would accept in your business? >> thank you for the question. those terms were at the very beginning of the loan program. we immediately realized they were not appropriate and we got some good feedback from providers which we eliminated all of those terms and essentially the program which is in place and has been a place for several weeks now it represents the bulk of the payments has none of those terms

10:54 pm

associated with it and fully accept that was a misstep. >> what do you say it you work terms and now art fair art treating providers fairly and not unnecessarily auditing or denying providers claims? works i do believe that. as we have in place today interest fee no fee loan based on the provider declaration of the impact they have suffered. not our assessment and they define what they need. we advance those loans they only need to repay those loans 45 business days after they have confirmed their back to cash flow normal. >> is a crudely more favorable toward the entities. and i appreciate you changing that. but i will reserve the right to ask additional questions if i

10:55 pm

hear otherwise from the providers i yield back. >> of course, thank you for. >> a gentle lady yields back. reckitt is a chairman of the hill mr. guthrie for his five minutes of questions for. >> thank you, thank you for being here. according to united health update last week your payment systems are functioning in the eligibility criteria systems are functioning at 80% levels. when you expect the core functions to be fully restored? and the delay sink in the systems fully restored mean in practice?

10:56 pm

if they had been able to connect to a different system, so we are looking right now with people to connect them into the more modern platforms brought back online order ready or diverted to a competitor of change to get running in the very small number and i accept it's not know and we provided the loan guarantee. to change healthcare since and there's not another portal. that can be exploited.

10:57 pm

the interfaces that is something that we have been a very rigorous about and i feel very good about where we are. >> but there's not other legacy equipment. >> we are relentlessly trying to explore that possibility and use the third parties to make sure that occurs. one of the reasons it's taken longer than you may expect to bring back a change is because we are building much of this from scratch with modern technologies with security capabilities with pre-existing the attack. so both in terms of diligence around protection but then also how we are redesigning and constructing the platforms also is building in greater strength and at the same time we continue to be under enormous attack like

10:58 pm

everybody else. they issued a joint cybersecurity alert detailing the methods of a sophisticated russian hacker with access to critical infrastructure and especially as you just mentioned healthcare systems where mitigations have protected the breaches. the change of the mitigation recommendations and which of these are already in place ahead of this joint alert. >> ahead of, we certainly had a those sort of protections in place. in this particular case we are still trying to investigate and understand why it didn't have that protection in place. >> is this the first data breach since acquiring the change in healthcare and if not i will ask my second question follow-up what steps were previously taken

10:59 pm

following the earlier breaches? >> every time we've had either a breach or a near miss we've always looked at lessons learned and how we can strengthen it to lead to continuous raises and standards and protections of new approaches, but we are also dealing with a threat of actors who continuously change the targeted approach. every time we go back and do the root cause analysis and figure out how to solve for that of course we are doing that right now and with expedited the change situation. we've already brought in a whole series of extra levels of screening for the company and we brought through party leaders in cybersecurity to actively and permanently work alongside our own a security organization's so we had more than one organization screening everything as an example.

11:00 pm

>> i don't have time for a second question so i will yield back nine seconds. >> recognizing the gentlelady of illinois ms. schakowsky for her five minutes of questioning. >> thank you mr. chairman. i have three questions i'm going to ask because i want to make sure i get them all asked. i think they are very simple. i want to tell you about a constituent one who's from a district who spent an entire weekend without her medications and then had to drive 40 miles in order to get a doctor's certification and some patients because the situations have had to pay even thousands of dollars

11:01 pm

and i wanted to know in my first question how united is planning to compensate these constituents and these people and i think the question was asked but i would like to hear it again. i have another constituent my second question, beth runs a mental health clinic that addresses pregnant mothers and because of the cyber attack, she is now in a very serious situation in terms of making her program work. she is in desperate need right now and so what is united doing

11:02 pm

to address the problem that these providers are experiencing right now and last is this question. i know that -- i am trying to find it. watching the time here. i've got it. what is the first one? okay. change of course suffered from

11:03 pm

this very bad, actually the data breach but i wanted to talk about, here we go. and united promised earlier that it would have absolutely robust security so the final question is why should we feel confident right now that there are not going to be those kind of data breaches and also i wanted to ask if have any united employees gotten their hand on any of the data from consumers? >> thank you for the questions. let me first of all say how sorry i am to hear about your constituents in the first

11:04 pm

example that you gave. i am aware of a number of patients who have had a similar inconvenience and difficulties getting their medicines. a several things we are trying to do, first making sure that they are held as they have dispensed medicine without knowing whether it would be under benefit or not and if there's anything we can do we would be more than happy to help. help. >> we will let you know. >> it would be very much qualifying for our interest-free loans to help cover that cash flow need until they resume to normal so we can help directly. >> they don't have to repay until the business is back to normal under their definitions.

11:05 pm

many things we've done lady the most important bringing in the leading cybersecurity external organizations who are now also overseeing our security environments making sure that -- >> have any employees gotten a hold of the data? >> if we are talking about these data breaches wondering that no employees got any of that information. we have retrieved the information that allows us to investigate and notify people so employees are looking at it from that point of view under the

11:06 pm

process. >> the chairman of the energy subcommittee on energy and commerce. mr. duncan of south carolina. >> it's been a long day with of the secretary of energy, but the chairman, thanks for holding this important hearing through the leadership on oversight matters. i represent the rural district in south carolina that consists of providers that rely on the service whether that includes community pharmacists, health centers were faith-based services, constituents or the third district that rely on the providers to maintain quality and to process their healthcare transactions. during the first two weeks following the attack if smaller providers in financial need want to communicate with change healthcare, how do they do so? >> during the first couple of

11:07 pm

weeks would have been the best approach. one of the challenges we realized through all of this is many small providers didn't have a direct relationship with change but they would operate through a company that of themselves had connectivity. we made sure you as soon as we understood what was happening that it was going to be more than a very brief. it calls for participants in the marketplace and made available various website sources of information. >> was every proprietor that reached out responded to? >> we hope so, but i would hope that that would be the case. >> no provider was left out in the dark when they reached out.

11:08 pm

>> the goal was to be as responsive as we could to every provider that reached out to us. i know at the beginning there were some providers that were frustrated for example the terms and conditions and i'm sorry and that is why we changed the programs and completely eliminated those conditions. >> were you able to justify your communication with providers by as good today as it was in the first two weeks after? >> i think we've continued to try to improve every stage and how we communicate. i'm sure there are lessons we can learn to do better and one of the challenges, which we've had within this attack is the

11:09 pm

customer database was encrypted in the attacks. we've reached out to other healthcare associations and we've run a number of national calls to try to get the word out around where the service was for example the loan programs to make sure providers knew about it. >> what i'm hearing is it's been very receptive. they know they had an account and payment processing issue somebody they could reach out to. i ask unanimous consent to insert in the record wall street journal article entitled united health grapples with communications from april 3rd, 2024. >> and we will take that up at

11:10 pm

the end of the list. i appreciate you being proactive in pushing the information out and i think a lot of based on the research, a lot of people were left in the dark and had no access to get their questions answered and i would recommend some sort of call center and communication because these folks know they have payments and processes they could have provided so the customers know what they have in process and they have business with you guys and it would have been helpful so going forward, setting up a system where those folks can communicate directly versus pushing information out showing that these things haven't been

11:11 pm

done like to be a little better but i appreciate you being here and yield back, mr. chair. i want to talk about prior authorization requirements that can delay care and earlier in the outage they expressed concerns that insurers were not appropriately modifying their prior authorization practices to help providers who cannot process prior authorization for services during the outage. i'm pleased united healthcare ways that certain requirements for some medicare advantage plans and services during the destruction prior authorization remains in effect for non-medicare advantage plans. why did they only suspend prior authorization for its medicare

11:12 pm

advantage plans and not all of its plans affected by the outage? >> thank you for the question. you are absolutely correct we did suspend temporarily. that is the one part of our business where we have the ability to make that decision quickly. >> why did you decide to do it for medicare advantage and not all of its plan? >> medicaid is a decision for the state and the states needed to make those decisions so the commercial marketplace is an employer-based decision. >> with prior authorization it would remain in effect for durable medical equipment and many procedures. given the size of the disruption what did the group lot way out for all services making sure by

11:13 pm

making those steps and i think cms felt good about what we were doing within that set of decisions we were making the maximum contribution for the prior office. >> the same press release read they would resume prior authorization but as we know, some change does remain off-line beyond the 31st so is your company still offering any prior authorization suspensions for those whose systems are still off-line? >> thank you sir we actually did not bring them back first. we brought them back on april 15th when the major systems were back. >> providers that took advantage of these flexibilities are

11:14 pm

understandably concerned that they could be subject to cumbersome audits and the united health group might second-guess the decisions users had to make while systems were down. this would put a strain on time and resources particularly for the providers that have already experienced tremendous hardships from the change healthcare disruption. can you provide any assurance that they will not pursue unfair retroactive denials and clawbacks based on services providers performed while prior authorization was waived for certain plants? >> i can certainly give you that, yes. >> it's a very important. we will be keeping a close eye on the recovery process to make sure all providers are able to resume regular operation and patients can be confident they have consistent access to the care they need and with that i yield back. >> mr. palmer of alabama for his five minutes of questioning. >> thank you mr. chairman.

11:15 pm

based on the initial sampling today, your company found titles with protected information and notification information which could cover a substantial portion. where did you find those files referenced on the internet, the dark web? >> thank you very much for the question. so -- >> has to be brief. >> after the attack -- >> i'm just asking did you find them on the internet or the dark web? >> those are in the data that we were able to retrieve, so we were able to retrieve a copy of the data within that investigation. >> you said it's likely to take several months of continued analysis before there is enough information available to identify and notify the impacted customers and individuals. are you telling us that the fallout from the cyber hack could last until christmas? >> i think the operational impact we've been talking about

11:16 pm

will rapidly becoming back to normal. >> i have a different point. i think my colleagues on both sides of the aisle have done a good job at addressing the customer impact and healthcare providers impact. there is another issue that i'm concerned about because thousands of government employees including many federal employees who have very high-level security clearances who were customers of united, were any of the government employees healthcare records who were federal government employees a part of the data files that were accessed by the hackers? >> we continue to investigate those files and we haven't completed that process. >> you should know by now whether or not federal employees files were accessed. >> i would expect that within the data what we are seeing is

11:17 pm

it represents -- >> i understand you're trying to avoid a direct answer to a direct question. were they hacked? it's important because if federal employees with high-level security clearances had their personal identifiable information, in particular their personal health records do you understand the problems that could create a down the road from a national security perspective? >> what i'm asking is that you make it a priority for those individuals to notify them because it is extremely important that we do that mr. chairman that is a priority

11:18 pm

we are going as fast as we possibly can and we will get that notification as fast as we can. >> it raises concerns about the possibility of the bridge to national security and some of this information that is handed over to adversarial nations and it's very likely that it will be. i think that this should be a top priority. i'm not discounting the need to make sure that your customers records are protected and bills are paid for and providers are compensated. there is this next level that i think should raise concerns for every member of the committee and with that i will yield back. >> i'm pleased to assure it is a top priority for us to deal with. >> i'm sure that he will follow

11:19 pm

up with questions for the record but also you may want to get that information to the committee to ensure that those folks know if there's a risk they might be looking at a black male or something from a foreign adversary. with that, the gentleman is yielded back and mr. tucker from new york. >> first let's take a moment to recognize that this breach has greatly impacted a lot of critical institutions, providers and patients in our communities. personally, i've heard directly from providers, hospitals, pharmacists, home care providers into so many others of new york's 20th district. i want to make certain everyone knows that this is unacceptable and that we need to make sure there is a accountability and oversight so nothing like this happens again. with the announcement last week that hackers may have access to protected health information or a substantial portion of people some of our worst fears are

11:20 pm

coming true. the sensitive health data for tens of millions of americans is at risk and that is why hipaa is so important. it requires establishing minimum data security standards versus covered entities like united health group to try to prevent breaches of sensitive data. while the security rule provides covered entities with some flexibility determining best how to secure information it does require the companies, and i quote, protect against any reasonably anticipated threats, which as your testimony points out, an attack like this was. is it your position united health group didn't change healthcare would fully comply with of the security rule even though the multifactor authentication was not being used or moved to citrix access and the systems failed to detect and prevent the attack? >> mr. congressman, thank you

11:21 pm

for the question. compliance is a tough priority and i believe across our organization and that is incredibly serious. unfortunately, the situation did not always it was used to penetrate into the healthcare which was a platform that had only recently become a part of the company with the process of being upgraded. did united health group conduct any audits or tests to ensure the change healthcare systems were fully compliant with of the security rule and also were in line with industry's best practices? >> it was a public company prior to the acquisition prohibited from doing any preacquisition audits of that type. once we acquired the company, we began to go through the process of understanding it and given the size and complexity, that takes some time to do it was underway when this attack happened. >> it also requires a risk

11:22 pm

analysis be conducted. part of your company's security management processes to identify and address potential risks to protected health information. did change healthcare conduct such an analysis after being acquired by united health group and if so, will you be changing that risk analysis conducted going forward to account for what went wrong? >> thank you for the question and certainly we are reviewing all of our management of those types of risks to make sure we are eliminating any residual risks and the outcome. >> and hepa requires they violate the breach notification with hhs office of civil rights within 60 days i believe of discovering of a breach of protected health information as today more than two months after the attack you still haven't filed that mandatory notification. why have you not filed the breach notification even though

11:23 pm

you have been aware of a data breach for over 60 days and when do you intend to bring united health group and with that requirement? >> thank you for the question. at the beginning of this was being able to access the data as we could understand what they can exfiltrate and we didn't have that until the middle of march. we've been working diligently with the third-party use to understand that and we are working with regulative authority. >> we are still trying to grasp the full consequences of the cyber attack in the data that was compromised in the process. as the data that was stolen harms to individual patients continue to fire into the future. do we await the findings of the investigation that united health and by hhs can be a meaningful accountability and harder lesson to lead across the industry and with that i yield back the

11:24 pm

gentlelady from arizona thank you for being here. you've had a long day. i have two, but you're on the hot seat i guess. i have a couple questions. first, does united healthcare and change healthcare have its own cybersecurity employees? >> yes, yes they do, madame vice vicechair, yes. >> and what vendors did you use when this breach happened? >> in terms of the response to the breach a number of different vendors but most notably palo alto systems and a company called bishop fox but many others included the significant technology company but from the

11:25 pm

cybersecurity advisory capacity and testing capacity, those groups and i might add also that we've now asked to become a permanent advisor to the company in fact to the board of directors to make sure at the top of the company we have the very most elite cybersecurity advice available. >> were they working while the breach happened? one of your vendors while it happened or was that after the fact? >> they were brought in after. >> i was just curious who the vendors were that were supposed to be doing cybersecurity for the company so that people would know and are they doing a good job or not. >> i don't have those numbers for you today. >> okay. and i think you said you reviewed your decisions on cybersecurity. have you come up with any analysis of how you are going to change things besides?

11:26 pm

>> thank you for the question. first of all we brought into the organization supplemental screening capabilities with third-party organizations making sure that we have secondary level screenings going on in the organization in addition to our own capabilities and we are also reviewing any lessons learned from this attack which will obviously not only be implement would with united but other partners in the system. >> and did your insurance cover the cost of the ransom where? >> we are self-assured in this situation. >> i have a switching subject of it. i've gotten letters on this and this is where i'm asking does aarp get a paid percentage on

11:27 pm

your united healthcare medicare advantage plan do they get a cut of it? >> i do not have the details of that arrangement i do not want to give you an incorrect answer on that. >> i'm getting all kinds of letters about it. then my last, it's not a question it's just a comment this was a few years ago but when i was helping my mother's lineup for medicare, it was very difficult and she ended up using the medicare advantage plan but i have to say the listings that the insurance companies have for

11:28 pm

the doctors were not very accurate, like who was covered so for instance i remember like it was listed as a primary care doctor and when i called them to make sure they were still taking patients, they were a cancer specialist or something so i would encourage not just your insurance companies but all the insurance companies that it is extremely confusing for me let alone my mother, my mother wouldn't be able to do it i don't think at all and if there is any way you can fix that, i would greatly appreciate it. >> that liability to make sure when they walk into the reception of the facility they know that they are going to be accepted and that is not good enough. we would love to see that improved and we are working hard ourselves but it's something we have to do with partnerships and we would like to work with policymakers as well because it is a national challenge.

11:29 pm

>> i appreciate you coming here. i know this is a problem but it's not just your company that's been breached. i will probably get a letter maybe every three months that someone has hacked into my information and to give a years worth of credit that's not going to help me very much but it's not just your problem, it's a problem nationwide, worldwide and i don't know how we are going to address it but we've got to. >> the gentleman from california for five minutes. >> thank you mr. chairman. the description underscored the need across the healthcare system to invest and maintain cybersecurity practice. in 2021 we saw this near my home in san diego the compromised data and lost more than

11:30 pm

$100 million of revenue. to reflect that we are in a economy of private actors and in many cases performing public functions and here's the healthcare system i don't advocate a public healthcare system but i do think we have to look out for the people that learn the healthcare system much as when equity facts and a breach in the lending area we have to pay attention to that and how people get their news and whether that's distorted through private actors. so this is an important hearing and i know you are in the middle of your investigation but i hope at the end i wouldn't intend to drag you back here for another day of this fun but i would like to have the information help us with national standards that we might use to make sure that and i hope you will commit to doing that for us.

11:31 pm

>> thank you for your comment and request and we are very happy to share with you as appropriate the lessons learned from this and i would like to reassure you about the scale of the commitment we invest about $300 million that's not the technology that's cybersecurity. the groups which i would really encourage some of the focus that you describe policy reflection on some of the small and midsize organization across the country we just don't have that so to agree with of the observation if you could help i would ask that you would. >> this is sort of a lessons learned i think that it could affect the whole healthcare system. it's critical everyone begin to work too hard in the data systems to quickly recover from

11:32 pm

breaches while keeping the protected health information safe so again recognizing that you're in the middle of this you now no specific improvements to the protocol for cybersecurity to prevent and respond to ransom where and other attacks and what systems now require the multifactor authentication and what different protections for the robust systems today? >> maybe just pick a couple of examples so certainly enforcement of the actual services but also having an enhanced screening capability to make sure they are constantly on. number two as we've rebuilt we've redesigned it for those environments in which they were

11:33 pm

never envisioned and to make it easy to navigate and focus on how we make sure the complete compliance with the policy we have on things. in addition to that we've brought screening organizations to give a check on making sure any abnormal activity could be as much as possible. >> when you think your going to how do you get your customers to be confident in that? >> that's been very much a focus of the work that we've done and it's why we've rebuilt changed e essentially in a new environment not to try to resuscitate the old system because it would have been very difficult and may be impossible to reconnect with the system that had been attacked with malware because of the risk of contagion or something like that so we've endeavored to

11:34 pm

build new platforms and we've had those platforms tested by all the best cybersecurity companies in the country including to prove they could withstand the highest levels of assault and we share that information with the key partners in the system. >> last question what lessons do you have for us about what they can take away working with healthcare systems to support them to make sure they don't go through this again? >> the department of health and human services. >> we had a regular ongoing relationship and they've been extraordinarily forward leaning. i think the areas where we could all work together are things like communication providers and a question that came up earlier we could work together to figure out how to communicate through the system and i think making

11:35 pm

sure that would be my top recommendation. thank you mr. chairman for chair indulging in that question. >> thank you for being here. i was a doctor before so some of my comments will be tainted by that. so, you couldn't investigate change healthcare before you purchased them to find out they had an insufficient a cyber program and they were not in compliance with federal government recommendations. you couldn't find that out? >> during the acquisition phase as you may know it was quiet for a long process. that wouldn't be regarded in terms of the engagement so you have a ton of closed walls between the two companies until after the transaction. >> you buy a new house you want

11:36 pm

to know if the sewer line is bad before you buy it, right? i believe the consolidation of healthcare is not a good thing. it led to the increased cost. it doesn't matter the industry, less competition, it doesn't encourage better quality service to product just doesn't. my understanding is with his's s have deadlines like 60 or 90 days to file claims for reimbursem*nt is that correct? i've heard it's just a few million dollars in claims through changes since the attack it takes a lot longer they

11:37 pm

didn't feel like they had the ability to change clearinghouses and my understanding is it might be helpful to have a filing deadline suspended or extended from whatever their plan is. in your case have you communicated with any providers to express similar concerns and do you intend to extend for united healthcare claims? >> yes we have waived those deadlines. >> it would be reasonable to extend them six months or something. you may or may not want to comment on this, should other health plans extend the dissipate until we can be confident that this is fixed? >> thank you for the question. it wouldn't be appropriate to talk about what they should or shouldn't do. what we've tried to do is offer

11:38 pm

every support and service for the folks that have been impacted and that is what we've been doing. >> my recommendation to all the health plans affected by this to extend the deadlines because when you start denying claims for that, whoever does that is probably going to be sitting in your chair. i'm just recommending that to everyone out there listening to this hearing because providers that have been financially assisted are because of the breach and then they file their claims late and i can see a circ*mstance where there and there's going to be a call back and what you've described what happened with united healthcare, but when it does happen, at some level in congress we will have a hearing on why that is and consider giving people more time to file their claims if they've

11:39 pm

been impacted by this. also someone brought this up earlier, but i've heard from providers that the provider assistant option from united is providing access to bank account information that goes beyond what is necessary to say that under the terms of the agreement united can simply change the terms and conditions by providing notice. that to me sounds like potentially an entity that wants to buy out clinics. you've already answered that question. it hasn't happened but i would highly recommend anyone out there that's thinking about buying out clinics based on the fact they can't file their claims would reconsider. because again they may be sitting in a congressional congressionalhearing explaininge doing that and so, have you read the report on medicare advantage plans that's been published in the last year or two? do you know are you aware of

11:40 pm

that? >> i'm not specific about the one you're referring to. >> being denied 14% of the time roughly by any plans that would be paid for by a traditional medicare and if your team has not read the report that talks about the claim denials compared to traditional medicare i would suggest that you do because when you hear from providers out there, the number one name that comes up happens to be your company. cms has dealt with of this into some of it doesn't go far enough. >> the gentlelady from washington for her five minutes of questions.

11:41 pm

>> thank you, mr. chairman, and thank you mr. ranking member. first, thank you for your comments we are definitely on the same wavelength and hearing the same story. i know that you've been through a lot of questioning today and i want to get right to the point. as this change has just been devastating and i am extremely concerned that we are seeing the start of the impact of the cyber attack model only have providers been shortchanged reimbursem*nt claims and has location data been leaked possibly to a foreign adversary and not only were patients at least temporarily unable to access their medication, but i even received reports from utilities in my district that they were unable to build and process payments because change was also

11:42 pm

there clearinghouse so the affects are really far-reaching and frankly the consequences of united health group and change health group as a merger in 2022 that they tried to block on the basis that it would give united control over half of the health insurance claims. i think we all sympathize with this and appreciate the efforts you've taken to get through this but the reality is that this map of the far-reaching attack has disproportionately impacted small independent practices that were struggling to stay afloat and they've done nothing to help. it's in their interest to hold onto that money. i'm going to give you an example. balanced physical therapy

11:43 pm

employees just fix physical therapists. it's devastated them to the point where the owners had to mortgage their home in order to pay rent and make payroll and now that money has run out. your company reported $371 million in revenue last year. do you want to guess how much balanced physical therapy was paid in the first round? >> no but i'm very keen. >> it's good you didn't answer yes. seventy. this is after you're kind of revenue it seems you have enough information to know what clinics build in the prior months or even in that month the prior year that you should be able to do better than that and i know you've said that you won't rest until you get this right and so i guess one question is to make

11:44 pm

this right. the physiotherapy clinic we are talking about i'm sure would be eligible for a very substantial levels that would cover the kind of challenges they have and that would be available to them and just three, no cost and not need to be repaid until well after. >> thank you for saying that. i want to jump to that part about the loans because another thing that i'm hearing in my

11:45 pm

district is that some of the loan the conditions were, that many people, many clinics even hospitals decided not to take these loans because there were clauses saying you couldn't use any of your competitors, you could be asked to pay off the loan immediately and this could actually be used to in a predatory way almost to put these clinics out of business because they do have a reputation for buying out clinics that are in trouble and i would like to hear whether you will guarantee that you will not damage these practices by not reimbursing sufficiently including these unfair terms and then going and just buying up the practice. >> absolutely i can reassure you of that. the terms you are referring to were unfortunately included in various parts of the process. we realized quickly that was a misstep and mistake and we got rid of all of those terms.

11:46 pm

all of the terms are gone now and it is an incredibly simple process. also to the second point, we would never want to act opportunistically from the back of the sand where we've had agreements to acquire clinics we have pre-existing cash flows before the attacks and a very good suggestion came up this morning from the senate finance committee which we will institute which is to put a firewall between everybody who knows about the visibility to these loans and the people that are involved in potentially working via clinics who want to join the organization to make sure the risk identified. >> the gentleman from pennsylvania for five minutes of questions. >> thank you for allowing me to waive and thank you to the

11:47 pm

witness for appearing. that change health care attack caused massive disruptions in patient care and resulted in severe burdens for providers, pharmacies, hospitals trying to deal with a full impact of the hack on their daily operations. as we see increased consolidation and healthcare, i worry that incidents such as this will be increasingly more. we've already seen consolidations drive up prices and decrease access to patient care and now patients and physicians are encountering yet another cost and i might add another very significant cost to the fallout from the cybersecurity attack. aside from the data business that is the new topic of the conversation today, your company is the largest for-profit domestic health insurance company and you also employee nearly 100,000 physicians in the u.s., making you the largest

11:48 pm

employer of physicians in the country. to better understand your reach into my home state in pennsylvania, do you have the total number of employee physicians in the commonwealth in pennsylvania? >> i'm sorry, i do not have that number. >> would you provide that? knowing the scope of united healthcare has become, what impact did the attack have on other entities and subsidiaries aside from change? >> thank you for the question. there was no direct impact so there was no contagion of the attack. the change environment because of the way that we shut down all connectivity which meant it didn't spread to any part of the united or any other organization which was working with the change before the attack. >> so most of the impact was on as i mentioned physicians, hospitals and patients. are you able to provide a breakdown of the total number of

11:49 pm

patients, doctors, pharmacies and hospitals that have had the transaction impacted either today or in a follow-up writing? >> i think in the future we ought to be able to estimate that for you. >> we look forward to receiving that. one of the largest impacts on medical care every day is the use of utilization tools like prior authorization in light of the cyber attack for which the services please explain the rationale for some but not for other services. >> thank you for that question. in line with the suggested recommendations from cms, we suspended medicare advantage during april.

11:50 pm

>> those are for the employers to make the decision and similarly state is to make the decision on medicaid. >> it's my understanding the requirements have now resumed is that correct? >> on the 15th of april, correct. >> do you intend to pursue reimbursem*nt for providers who provided services during that suspension that would have normally been required to have prior authorization and may have been denied? >> know we will not. >> you will not provide reimbursem*nt? you will require or not provide? >> we will reimburse we will not deny. >> in other words would it be prior all three views were have you completely waived the medicare advantage prior authorization policy? >> we waived for that period. >> i think we realize that some of the questions you answered for us today do provided that information that is so important moving forward, but the utilization that has been suspended needs to be carefully

11:51 pm

reviewed because the prior authorization, whether it is with a medicare advantage or an employee or contract has an impact it delays care, it delays the ability for patients to seek that out. we could also ask to follow-up and review how that prior authorization has affected patient outcomes and i think that is something you should be able to provide for us. >> i would be very happy to do that and let me go further than that to say we have certainly more than been low open minded to work with yourself and others on ideas of how we can further improve ensuring both best quality safest care delivered alongside avoidance of waste, which is the historic -- >> and i'm glad you brought that into the conversation i think that is what i really want a direct answer, to see how that prior authorization and how it's

11:52 pm

been suspended, seeing that impact on patient care. there are many physicians that serve on energy and commerce like myself and there are many healthcare providers. i'm sitting between two of them today and those are answers we would all like to see. again mr. chairman thank you for allowing me today and i yield. >> now recognizing doctor miller meeks for her five minutes of questions. >> thank you mr. chairman allowing me onto the oversight committee in the thank you sir for testifying today. according to data from the american medical association, 80% of practices reported lost practices and 85% stated they had to allocate additional staff time to complete additional administrative requirements, and we already have that burden on the small business. neither doctors nor the nonphysician staff will receive any additional compensation for the time of mitigating the fallout of the change attack just like we are not compensated

11:53 pm

for the hours of claims. in iowa doctors were very hesitant to take advanced payment of dollars without confirmation that the claimed submissions will be paid at the rate submitted and are concerned they will be required to pay back more than what ultimately would be approved once the processing is completed. the survey also found 55% of doctors said they had to use personal funds to cover the expenses and notably the overall effect of the change attacks have been most acutely felt by the practices with fewer physicians. what has been the uptake on the advanced payment program among small physician practices and what do you plan to do to offer more advanced payments with a particular focus on small providers?

11:54 pm

>> first of all, let me reassure you we have remained focused on ensuring the providers that we know are the ones that often times have the most difficult technical challenge and mets to switching and the like which is why we've made every effort we can to outreach through the program and oversimplify that loan program and eliminate the terms and conditions at the beginning. i can tell you about 142,000 tax id numbers have taken advantage of that program. i can't tell you how many providers are underneath because it varies, but 142,000 that is about a third of all of the providers that were associated with change healthcare before the attacks, some a very substantial uptake and a very large fraction of those are small providers. we were essentially approving

11:55 pm

loans in a matter of hours. .. there are only two platforms on the market. this committee has been very concerned about consolidation inhealthcare marketplace. they are both owned by fortune top 10 country companies big data is big business as a country have a significant interest in avoiding one or two points of failure in healthcare delivery system. how has united changed help a compass that goal? works thank you very much for the question. i would make the point change

11:56 pm

and its business is no different in terms of its footprint of the day before the attack compared to the day before we acquired them. this risk united has a financial capacity to resolve this issue. i do believe existed when change was a small independent business. a public company this attack occurred in the early days as a problem i had in the state governor is a state center and a physician provider in a rural community. what pbn optimum beam when does when it comes to step therapy

11:57 pm

they do well. the ultimate risk and cost having to revert back to less extensive medication you've finally gotten compliance from the medication and a patient leading to increased hospitalization. increased er visits back to the same medication that an insurance company changed pbm change when a doctor and he prescribed a medication for which they were successful. we work with us and what you're doing on step therapy drug substitutions changing formulas which is a tremendous problem is a great cost to the healthcare system. being made by insurance but executives rather than providers request within pbm i therapeutic committee advice. i also recognize the situations you describe do occur. i'm very happy to commit to us working for ways we ought to be

11:58 pm

able to do better. the judgment yields back sorry i don't reckon it's a gentle lady from florida for five minutes of questioning. >> leave it to a gator to beat a dog. [laughter] sorry, that's college football stuff we have a rivalry going. thank you, mr. chairman for holding this very important hearing. as it would eat? okay just want to make sure he said that rate for appearing before us here today. the april 2024 wall street article my colleague represented duncan submitted for the record some have taken loans from the company, united health to help ongoing revenue shortfall say they have felt pressured by unitedhealth to make upbeat public statements about the support. do you know if anyone at united health or change healthcare communicated to smaller providers seeking financial assistance they should make positive or upbeat public

11:59 pm

statements about the company? >> my understanding is people from that company spoke to folks who received loans and asked if they would help spread the word because we are very keen to get other small providers aware of the program. we knew that was an issue. my understanding is following the newspaper article folks listen to whatever was there the information associated. i'm not convinced that accurately represents a situation. >> specifically to what you were saying there had been some encouragement going on do you know specifically who or what department would communicate that? >> i do not. >> could you find out and submit back to us for the record? >> i'm sure he could find that precut you aware if unitedhealth made receiving financial loan on a provider making a positive public statement about unitedhealth? >> i've never heard anything like that. that should not happen i will be very disappointed if that ever

12:00 am

happened. that's not part of any approval criteria. >> is there any formal investigation or looking into it you will do to ensure that is not the case? >> i will aptly undertake to double check that. >> could you give us a timeline of when you will report back to us on that? >> i will double check that next week. >> okay. did you know or authors anyone at unitedhealth or its affiliate to encourage smaller providers seeking a loan assistance to making positive statements about the company were talking about smaller. quick something really additional to what of already said he. >> all right. i was trying to gauge the bigger guys versus the little guys. let me see, can you confirm if this public reporting is true. speaking about you did not think it was accurate. talk about that particular article. another cyber criminal group splintered off from black cat

12:01 am

and is starting to release patient data from the february 21 incident, is that true? >> i am aware of a splinter group like that. which was making statements i would sit up until the last couple of weeks. i am not aware of them still making statements. >> okay and aside from black cap has there been any other cyber criminal that is threatened unitedhealth or asked you to pay a ransom related to the data from the february 21 attack? >> not further than what i've just said. >> okay, all right with that mrr questions. appreciate your testimony here today to yield to pick a gentle lady yields a not recognize the gentleman from georgia the resident pharmacist of the subcommittee or this committee for fragments of questioning. >> thank you and allow me to a bunch of this committee. our practice pharmacy independent retail pharmacy for over 40 years. i've had my own business for

12:02 am

over 32 years. one of the main focuses i have a set is my goal as a member of congress when i started 10 years ago it was to address the vertical integration that exists in healthcare specifically in drug pricing or the insurance company owns the pbm pig owns a group purchasing organization owns the pharmacy and owns a doctor. and your case you're the largest for-profit domestic help in the country as has been pointed out with over 10,000 physicians and owning your own pharmacy or the largest pbm's in the country. can you explain how your company can justify clear conflicts of interest? quick source of all, sir thank you for the question and the challenge. i appreciate that. we operate our organization with very clear firewalls between the organization. we are guided around a mission of trying to align and's incentives in the system to try to eliminate waste and abuse.

12:03 am

how we based care to individuals we know when that happens clinical outcomes and proof we believe the cost goes down for people involved in that process possessively focus on to the organization. as we look at the components of unitedhealth group we have a presence in many different areas and shoot very rightly say it we are not present in many other areas. >> how do you define anticompetitive practice? do you consider any of these to be anticompetitive? >> no i do not too. >> of pbm owns a pharmacy the anticompetitive? do you have plans to incentivize or require patients to use your pharmacy or -- over independent pharmacy? what's not to incentivize and we offer alternatives very quick to offer alternatives quester. >> mail order pharmacy. >> are you aware they're over

12:04 am

three and a pharmacy's independent retail pharmacies that went out of business last year? are you aware also and i'm sure he won't be. earlier this afternoon i had a call with a pharmacist from pennsylvania who told me 70 pharmacies have closed the first four months of this year in pennsylvania alone. seventy independent pharmacies. is reimbursem*nt the same for independent retail pharmacy as it is for your work pharmacy for your mail order pharmacy? is that yes or no. >> is a very different structures. >> is the reimbursem*nt the same? >> very different structures i don't think i can give you a direct answer today. >> if you would get me that information i would certainly appreciate it. are you aware and i'm sure you are federal trade commission after asking them since the time i got up here to look at the conflict of interest that they have launched an inquiry into the egregious practices of the

12:05 am

largest six pbm's and the impact they're having on independent retail pharmacies? >> i believe the pbm's offer strong service request so you aware of the study question what that is what i'm asking for. >> i'm aware of the study yes. have you been cooperating have you responded and complied with the request for information? >> we do not as a matter of practice and policy we do not comment on our engagement with those programs. >> but you will comply? you will cooperate with them question our cooks always aim to comply with any appropriate government body. >> will me ask you something. this cyber attack and certainly this is had an impact. i believe it was a member of your team at the carcass of a couple of weeks ago. and made the comment they responded quickly to the pharmacies and got them back up and running. i asked them to define quickly they said that was two weeks. two weeks going without medicine

12:06 am

is a very long time. i think we all agree with that. look, everyone you come at me, democrats, republicans, independents will want the same thing. we want accessible, affordable, quality healthcare. accessibility is been impacted by the what exists in the drug pricing and each healthcare in general. you can see with the chart right here you are the largest of all of them. that's fine, i get it i know it's a capitalistic society. but this to me as a direct conflict of interest. i want to ask you one other thing but since the start of the cyber attack how many medical practices and pharmacies have you acquired? >> we have acquired just a one medical practice in oregon for. >> just one since the start of the cyber attack? what's the correct phrase that was agreed the transaction agreed before the attack. >> so if we look at the records we are going to find out what you are saying it's you have not acquired any during the time of

12:07 am

the cyber progress we have acquired in or get into ipas to our network. as far as i'm aware those are the only additions that have occurred. i want to reassure you any valuations or assessments of those businesses are based on economics before the attack took place but we never try to take advantage. >> i hope and i have no other reason but to believe you're telling the truth. but at the same time you can tell obviously very passionate about this. i'm very passionate about healthcare in general but i didpractice for 40 years. i want to make sure patients have accessibility and pharmacists are most successful healthcare professionals in america but we are going out of business. >> and perhaps so please let me offer and i would genuinely like to have worked alongside pharmacist my whole career. i very much want to make the offer to work with you on how we can work together to strengthen retail pharmacy.

12:08 am

particularly in the smaller pharmacists. it is an area or often we are trying to move more investment support the small pharmacies. >> i appreciate your offer but let me assure you i'm going to continue and this vertical integration that exists in healthcare in general has got to end but thank you, mr. chairman i yield back remarks thank you appreciate you yielding back. we would love to discussion pbm's but that's not today's hearing we do appreciate your openness on that. saying there are no further members wishing to ask questions i would like to thank our witness again for being here. unanimous consent to insert in the record the documents included on the stop hearing list without objection that will be the order. pursuant to committee rules are my members have said 10 business days to submit additional questions for the record as the witnesses to submit his response within 10 business date of the

12:09 am

receipts of those questions. without objection the subcommittee is adjourned. [background noises] [background noises]

12:10 am

left right
Borrow Program


"To all those impacted, I am deeply, deeply sorry," said UnitedHealth Group CEO Andrew Witty on the impact of a cyber attack on one of its companies, Change Healthcare, in February 2024. Mr. Witty's apology came as he testified during a public hearing before the House Energy and Commerce Subcommittee on Oversight and Investigations. UnitedHealth Group is the largest health care insurance company in the U.S., and one of the largest companies in the world. He spoke on the lessons learned and cooperation with federal officials, as well as steps taken to improve cybersecurity and the help offered to the patients, providers, and organizations impacted by the cyber attack.

Sponsor: House Energy and Commerce Subcommittee on Oversight and Investigations

Us 23, Unitedhealth 20, United Healthcare 15, Pennsylvania 5, America 5, Dhec 5, Fbi 4, Pbm 3, United Health 3, Cms 2, U.s. 2, South Carolina 2, New York 2, Colorado 1, Andrew Whitty 1, Reckitt 1, Hipaa 1, Citrix 1, American Medical Association 1, Griffith 1
Scanned in
San Francisco, CA, USA
Comcast Cable
Virtual Ch. 110
Video Codec
Audio Cocec
Pixel width
Pixel height
sound, color


This material may be protected by copyright law (Title 17 U.S. Code).


info Stream Only

CSPAN3 Television Archive Television Archive News Search Service

Uploaded by TV Archive on

Terms of Service (last updated 12/31/2014)

UnitedHealth CEO Testifies on Cyber Attack & Impact to Patients' : CSPAN3 : June 7, 2024 9:54pm-12:10am EDT : Free Borrow & Streaming : Internet Archive (2024)
Top Articles
Latest Posts
Article information

Author: Laurine Ryan

Last Updated:

Views: 6057

Rating: 4.7 / 5 (57 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Laurine Ryan

Birthday: 1994-12-23

Address: Suite 751 871 Lissette Throughway, West Kittie, NH 41603

Phone: +2366831109631

Job: Sales Producer

Hobby: Creative writing, Motor sports, Do it yourself, Skateboarding, Coffee roasting, Calligraphy, Stand-up comedy

Introduction: My name is Laurine Ryan, I am a adorable, fair, graceful, spotless, gorgeous, homely, cooperative person who loves writing and wants to share my knowledge and understanding with you.