Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare — the most significant and consequential cyberattack on the U.S. health care system in American history. 

Members of the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations pressed Witty for answers about what the company is doing to support hospitals and providers still feeling impacts from the attack; whether the company would waive timely filing deadlines for claims; and why a Change Healthcare Citrix portal that was hacked did not have multi-factor authentication; among other areas. 
 
In a statement shared with the media May 1, AHA President and CEO Rick Pollack said, “The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today’s hearings highlighted the real-world impact the most significant cyberattack to face the health care sector has had on so many patients, hospitals and health systems and other care providers nationwide. 
 
“At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the health care sector. We completely agree. To protect the health care infrastructure we all depend on, it’s absolutely critical that third-party entities like Change Healthcare share in that responsibility. 

“The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation. We believe this examination is long overdue.” 

Prior to the hearings, the AHA April 29 sent letters to the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations providing an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare incident, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 
 
The AHA said patients and providers are continuing to experience financial and operational impacts as providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. 
 
“It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack,” AHA wrote to the committees. 

Meanwhile, lawmakers also raised concerns about the size and scope of UnitedHealth Group and its reach throughout the entire health care system. 
 
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Senate Finance Committee Chair Ron Wyden, D-Ore., said. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack.” 

Rep. Morgan Griffith, R-Va., who chairs the Energy and Commerce Subcommittee on Oversight and Investigations, said consolidation in the health insurance industry has reached such a state “that a single ransomware attack on one company can cripple the flow of payments and claims for months.” 
 
During the hearings, lawmakers also discussed the issue of cybersecurity standards and requirements for the health care sector. To make meaningful progress in the war on cybercrime, the AHA continues to urge Congress and the Administration to focus on the entire health care sector and not just hospitals. The AHA supports the voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, but it opposes insufficiently funded proposals for mandatory cybersecurity requirements that levy significant penalties on hospitals. 
 
“It is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals’ primary systems,” AHA wrote April 29. “Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies.”

Related News Articles

Headline
New guidance released yesterday by the Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI informs health care and other…
Headline
A joint advisory released Nov. 20 by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and international partners warns of…
Headline
The Department of Justice Nov. 18 announced criminal charges against Evgenii Ptitsyn, a Russian national, for allegedly administering the sale, distribution…
Headline
A United Nations Security Council meeting the week of Nov. 4 discussed ransomware and the severe impacts that cyberattacks can have on hospitals and health…
Headline
AHA President and CEO Rick Pollack was recently a guest on Pinkston's "To the Point" podcast to discuss the future of U.S. health care, touching on a range of…
Headline
The Cybersecurity and Infrastructure Security Agency, FBI and other federal agencies have created a webpage with the latest cyberthreat updates and information…