Senate and House lawmakers May 1 grilled UnitedHealth Group CEO Andrew Witty about the continued fallout from the Feb. 22 cyberattack on Change Healthcare — the most significant and consequential cyberattack on the U.S. health care system in American history. 

Members of the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations pressed Witty for answers about what the company is doing to support hospitals and providers still feeling impacts from the attack; whether the company would waive timely filing deadlines for claims; and why a Change Healthcare Citrix portal that was hacked did not have multi-factor authentication; among other areas. 
 
In a statement shared with the media May 1, AHA President and CEO Rick Pollack said, “The AHA welcomed the bipartisan scrutiny of the Change Healthcare cyberattack. Today’s hearings highlighted the real-world impact the most significant cyberattack to face the health care sector has had on so many patients, hospitals and health systems and other care providers nationwide. 
 
“At these hearings, lawmakers made clear that cybersecurity is a shared responsibility for all parts of the health care sector. We completely agree. To protect the health care infrastructure we all depend on, it’s absolutely critical that third-party entities like Change Healthcare share in that responsibility. 

“The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation. We believe this examination is long overdue.” 

Prior to the hearings, the AHA April 29 sent letters to the Senate Committee on Finance and House Energy and Commerce Subcommittee on Oversight and Investigations providing an update regarding outstanding issues continuing to impact patients and hospitals following the Change Healthcare incident, as well as additional actions for Congress and the Administration to consider related to the cybersecurity of the health care sector. 
 
The AHA said patients and providers are continuing to experience financial and operational impacts as providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. 
 
“It is unclear what other impacts may emerge over the coming weeks and months, and we urge Congress and the Administration to continue oversight of the aftermath of the attack,” AHA wrote to the committees. 

Meanwhile, lawmakers also raised concerns about the size and scope of UnitedHealth Group and its reach throughout the entire health care system. 
 
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Senate Finance Committee Chair Ron Wyden, D-Ore., said. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack.” 

Rep. Morgan Griffith, R-Va., who chairs the Energy and Commerce Subcommittee on Oversight and Investigations, said consolidation in the health insurance industry has reached such a state “that a single ransomware attack on one company can cripple the flow of payments and claims for months.” 
 
During the hearings, lawmakers also discussed the issue of cybersecurity standards and requirements for the health care sector. To make meaningful progress in the war on cybercrime, the AHA continues to urge Congress and the Administration to focus on the entire health care sector and not just hospitals. The AHA supports the voluntary consensus-based cybersecurity practices, such as those announced in January by the Department of Health and Human Services, but it opposes insufficiently funded proposals for mandatory cybersecurity requirements that levy significant penalties on hospitals. 
 
“It is well-documented that the vast majority of the cybersecurity risk in the health care sector is from vulnerabilities in third-party technology, not hospitals’ primary systems,” AHA wrote April 29. “Enforcing hospital adoption of these practices would have done nothing to prevent the Change Healthcare cyberattack or most other cyberattacks on the sector to date. Instead, Congress and other policymakers should focus their efforts on ensuring all health care stakeholders adopt appropriate cyber hygiene practices with a particular priority on third-party technologies.”

Related News Articles

Headline
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Qilin, formerly "Agenda…
Headline
Change Healthcare June 20 began notifying health care providers and other customers with patient data stolen following February’s cyberattack, the company…
Headline
The Centers for Medicare & Medicaid Services June 17 announced it will close its accelerated and advance payment program July 12 for Medicare providers and…
Headline
The health care sector should swiftly implement patches or mitigations to address 14 new cyber vulnerabilities identified by the Cybersecurity and…
Headline
The Departments of Health and Human Services, Labor, and the Treasury June 14 announced a 120-day extension for parties impacted by the cyberattack on Change…
Headline
Microsoft and Google will provide a range of free or discounted cybersecurity services to rural hospitals across the country to help them in their efforts to…