UnitedHealth CEO Faces Grilling from Congress over Change Healthcare Hack

Matt McClain/The Washington Post
UnitedHealth Group CEO Andrew Witty before lawmakers Wednesday.

Congressional leaders unloaded blistering criticism at UnitedHealth Group in a pair of hearings Wednesday, saying the health-care conglomerate’s handling of a cyberattack had damaged the U.S. health system, threatened the financial stability of hospitals and doctors and put tens of millions of patients’ data at risk.

UnitedHealth’s handling of the situation will probably be “a case study in crisis mismanagement for decades to come,” said Rep. Cathy McMorris Rodgers (R-Wash.), chair of the House Energy and Commerce Committee.

Facing both chambers of Congress, UnitedHealth CEO Andrew Witty repeatedly apologized for the hack of subsidiary Change Healthcare, vowed that he and the company will not rest “until we fix this,” and said the company was offering no-interest loans to affected hospitals and doctors and free credit monitoring to affected patients.

Witty said the personal information of about one-third of Americans might be affected by the Change Healthcare hack, which was detected Feb. 21, and that the company was still reviewing the extent of the stolen data.

Witty’s apologies were rejected by lawmakers, who criticized UnitedHealth’s inadequate cybersecurity protocols, asked whether the scope of its operations put Americans at risk and in some cases called for the $450 billion conglomerate to be broken up. Witty admitted that hackers accessed Change Healthcare’s systems through a portal that was not protected by multifactor authentication, a security feature that requires additional information to log in – a point lawmakers repeatedly hammered.

“The Change hack is a dire warning about the consequences of too-big-to-fail megacorporations gobbling up larger and larger shares of the health-care system,” said Sen. Ron Wyden (D-Ore.), the Senate Finance Committee chairman.

Wyden also criticized UnitedHealth’s inadequate cybersecurity protocols, saying the hack “could have been stopped with cybersecurity 101.” He dismissed the credit monitoring offered by UnitedHealth as “the ‘thoughts and prayers’ of data breaches.”

Sen. Thom Tillis (R-N.C.) brandished a copy of “Hacking for Dummies,” questioning how UnitedHealth’s auditors could have missed the lack of multifactor authentication. “This is some basic stuff that was missed,” he said.

Witty committed that UnitedHealth would impose multifactor authentication on its systems across the company within six months. He said the company has advanced more than $6.5 billion in no-interest loans to practices affected by the cyberattack. Witty also confirmed that UnitedHealth, at his direction, paid a $22 million ransom to the hackers in bitcoin – an admission blasted by lawmakers who said it rewarded criminals while failing to keep patient information from being leaked to dark corners of the internet.

Witty faced bipartisan pressure from senators, including Sen. Marsha Blackburn (R-Tenn.), who said the UnitedHealth CEO was painting a “rosy picture” of progress that was “wildly different” from the situation facing providers on the ground in her state, who are still struggling to get paid. She described one provider that had submitted all of its claims but was still waiting on weeks of revenue.

“It is like you all can’t figure this out,” Blackburn added. “When can Tennessee providers and hospitals expect you all to clear the backlog, to catch up and be back to normal?”

Sen. Bill Cassidy (R-La.) suggested UnitedHealth was “almost a too-big-to-fail insurer,” while Sen. Elizabeth Warren (D-Mass.) called it “a monopoly on steroids” that should be broken up. UnitedHealth brought in $371.6 billion in revenue last year, the fourth-highest among all publicly traded U.S. companies.

Witty countered that his company was not too large, noting that UnitedHealth owns neither hospitals in the United States nor drug manufacturers. He also took issue with estimates that UnitedHealth employs 90,000 physicians, saying the vast majority were contracted or affiliated. “They choose to work with us,” he said.

At times, Witty tried to shift blame to Change Healthcare’s use of outdated technology. “We were in the process of upgrading the technology we’d acquired,” Witty said, adding he was “incredibly frustrated” that the server that was compromised was not protected by multifactor authentication. UnitedHealth’s Optum unit closed the acquisition of Change Healthcare in October 2022.

That didn’t satisfy Sen. John Barrasso (R-Wyo.), who said he was confused about why Change Healthcare did not deploy multifactor authentication when small, decades-old hospitals in Wyoming use that protection. He dismissed Witty’s arguments that the cybersecurity challenges predated UnitedHealth’s acquisition of Change Healthcare, framing it as “an excuse.”

“I’m unsatisfied,” Barrasso said in a brief interview after he left the hearing.

Witty’s contrite tone from the outset contrasted with the full-throated defense he offered two weeks ago, when he told financial analysts it was “important for the country that we own Change Healthcare.” He also said UnitedHealth resolved the hack “more quickly than I think would ever have been imaginable” if Change Healthcare had been a stand-alone company.

The hack and UnitedHealth’s aggressive growth by buying up such companies as Change Healthcare took center stage at Wednesday’s hearings by the Senate Finance Committee and the House Energy and Commerce Committee. Witty’s appearance marked the first time in 15 years that a UnitedHealth chief executive has testified on Capitol Hill.

After detecting the hack in February, UnitedHealth shut down Change Healthcare’s networks, cutting off pharmacies, hospitals and health-care providers nationally from the system on which they relied to submit claims and get paid. Patients experienced delays in care and couldn’t use coupons on which they rely to afford prescription medications.

For many, this was the moment they discovered the existence of Change Healthcare, a kind of superhighway for the traffic of medical claims. Before UnitedHealth took it over in 2022, the smaller firm handled half of all U.S. medical claims, according to the Justice Department, which tried to block the $13 billion merger.

Witty was on the defensive as lawmakers, including McMorris Rodgers, pressed him on why so many Americans’ private health information was at risk if, as he said recently, UnitedHealth was a “comparatively small part” of the health system. Witty characterized Change Healthcare as a relatively small company that played an important role by “processing about 40 percent of claims” flowing through the entire health system.

The abrupt outage at Change Healthcare left pharmacists, doctors and hospitals scrambling to find another electronic clearinghouse that could route their claims to insurers. While many were able to switch to rival clearinghouses, some said that technical requirements or contractual agreements with Change Healthcare prevented them from doing so, further delaying their ability to submit medical claims. Federal officials took steps to help tide over stricken providers and facilities.

As of late March and early April, nearly 80 percent of physician practices surveyed by the American Medical Association said they were still feeling the effects of the cyberattack. Christine Meyer, a doctor who owns a primary-care practice outside Philadelphia, expressed outrage in a LinkedIn post Monday at the notion that the Change Healthcare outage has been resolved.

“We are not ‘post’ anything,” Meyer wrote, adding that a loan from Optum – the United subsidiary that owns Change Healthcare – has helped but that “our full losses will not be recouped.”

Pressed by Sen. Bob Casey (D-Pa.) about Meyer’s case, Witty apologized for a “delay in getting the right level of loan capacity” to Meyer’s practice, and confirmed that “we have no intention of asking for loan repayment until she determines her business is back to normal.”

In prepared testimony, Witty revealed that cybercriminals first accessed Change Healthcare’s systems on Feb. 12 by using compromised credentials. Nine days later, the hackers deployed ransomware, and UnitedHealth realized its systems had been compromised.

“This was one of the hardest decisions I’ve ever had to make,” Witty said of paying the ransom. “And I wouldn’t wish it on anyone.”

Only a few lawmakers offered sympathy to Witty during his testimony. “You were a victim of a crime,” Sen. Ron Johnson (R-Wis.) told Witty, saying cyberattacks are plentiful and that UnitedHealth did not seek out the attention.

Sen. Mike Crapo (R-Idaho), the top Republican on the finance panel and a longtime recipient of UnitedHealth-linked funds, also framed Witty’s testimony as “a valuable opportunity to learn from United’s experience.”

But for the rest of the day – which stretched across two hearing rooms and more than seven hours, and involved 40 lawmakers – Witty received little relief. About a dozen protesters from People’s Action, an advocacy organization that has battled with health insurers over their practice of claims denials, attended the Senate hearing and swarmed Witty once it ended.

“Andrew Witty, you can’t hide. We can see your greedy side,” the protesters chanted. In interviews, protesters shared stories of UnitedHealth denying payment for essential medical procedures.

Rep. Buddy Carter (R-Ga.) – a longtime pharmacist and the final lawmaker to question Witty – ended the day by displaying a chart of UnitedHealth’s sprawling operations, saying its consolidation posed a risk to the health system. “Let me assure you that I’m going to continue to work to bust this up,” Carter said, gesturing to the chart.

Richard J. Pollack, CEO of the American Hospital Association, said in a statement that Wednesday’s hearings “rightly exposed the size and scope of UnitedHealth Group” and its impact on delivering health care. “We believe this examination is long overdue,” he said.

Matt McClain/The Washington Post
UnitedHealth Group CEO Andrew Witty appears Wednesday before a House committee, which asked pointed questions about a cyberattack on a company subsidiary.