
UnitedHealth Group CEO comes under bipartisan pressure at Senate hearing on cyber attack




UnitedHealth Group CEO Andrew Witty took fire from both sides of the aisle Wednesday during his testimony before the Senate Finance Committee regarding the cyberattack on Change Healthcare, a subsidiary of his company.

Senate Finance Chairman Ron Wyden (D-Ore.) made it clear from the beginning that he blamed Witty’s leadership for the cyber attack, which caused widespread disruption in the healthcare industry.

“The failures of CEOs like Mr. Witty, who months later can’t figure out how many people had their data stolen, validate the FBI’s warning,” Wyden said in his opening remarks, referring to the FBI’s warning that healthcare providers are the main target of ransomware.

During the hearing, Witty confirmed that it was his decision to pay the hackers a ransom, stating that the company paid $22 million.

Here are the questions committee members pressed Witty on during more than two hours of testimony.

Multi-factor authentication

The server that was hacked did not require multi-factor authentication (MFA) for access, despite UnitedHealth Group’s (UHG) apparent company-wide policy for this exact security measure.

When asked by Sen. Thom Tillis (R-N.C.) whether UHG management had been alerted to the server’s lack of MFA, Witty said he was not aware the issue had been raised.

“I think it’s clear that if United had stronger defenses like multi-factor authentication, then this could have been very different,” Sen. Bob Casey (D-Pa.) said when questioning Witty.

Witty has committed to requiring MFA across the enterprise and implementing the same standards used for federal agencies over the next six months. He emphasized that the increased use of MFA was one layer of the company’s response to the attack.

“That’s one element, but it’s just one element of the defense,” Witty said. “For example, we have now implemented, in addition to the normal corporate scanning of our technology environment, we have brought in external third parties to double or triple scan our systems.”

Growing a lot

UHG is the largest healthcare conglomerate in the US. The company acquired Change Healthcare in 2022 after the federal government unsuccessfully sued to stop the sale due to antitrust concerns.

The company’s enormous control over the US healthcare sector, and its relationship to the fallout resulting from February’s cyber attack, have not escaped the scrutiny of lawmakers.

Senator Elizabeth Warren (D-Mass.) noted how UHG has “bought every link in the health care chain,” owning “the largest insurer in the country, the largest claims processor in the country, the third largest pharmacy benefits manager in the country.”

“Now you are in a position to raise prices, pressure competitors, hide prescriptions and pressure doctors to put profits before patients. UnitedHealth has a monopoly on steroids,” Warren said.

Warren also criticized the company for trying to buy medical practices that nearly went out of business due to the cyberattack that disrupted payments, accusing UHG of using the data breach as an opportunity to grow further.

Witty declined to respond to Warren’s criticism, citing UHG’s “longstanding practice of not commenting on matters like this or things like mergers and acquisitions.”

Who was impacted

UHG said in April that a “substantial proportion” of Americans’ personal information was compromised in the attack. Witty told the committee Wednesday that consumers likely won’t know if they were impacted for some time.

“It will be several months before sufficient information is available to identify and notify affected customers and individuals, in part because the files contained in this data were compromised in the attack,” Witty said.

The company is offering free credit monitoring and identity theft protection for two years to affected customers, although it must first determine who is affected, which will apparently take some time.

Tillis cautioned that he did not want any burden of protecting private information to be transferred to consumers by UHG.

“I got a warning, you know, about possibly being involved in a data breach and it was interesting to say, ‘We’re going to help you with your problem.’ And I’m thinking, ‘No, I’m going to help you with your problem.’ But you’re not going to make it difficult for consumers and we’ll be watching.”

“It has to be your problem to solve,” he added.

Medical Loans

Throughout the hearing, Witty routinely referred to the interest-free loans his company is making available to healthcare providers as a key part of alleviating the financial pressure they have been placed under.

“We’ve advanced more than $6.5 billion in accelerated payments and interest-free, no-fee loans to thousands of providers. The majority of these funds went to non-UHC health plan applications, and about 34 percent of the loans went to safety-net hospitals and federally qualified health centers. We will provide this assistance for as long as necessary for supplier complaints and payments to flow [to] pre-incident levels,” Witty said in his opening comments.

Sen. Marsha Blackburn (R-Tenn.) noted that some hospitals have opened lines of credit to continue operating and asked Witty if his company would reimburse them for those debts. He did not directly address this issue.

Under questioning from Sen. Bob Menendez (D-N.J.), Witty clarified that the loans did not come with a condition that hospitals not work with UHG’s competitors, and said providers would have up to 45 days to repay the loan after they had determined their operations had returned to normal.

Expected timeline

What many lawmakers wanted to know Wednesday was when the healthcare sector could expect to get back on track.

Sen. James Lankford (R-Okla.) asked Witty directly when patients and providers would be “onboarded” to the payments and services they have struggled to access since the attack.

“Hopefully it will happen in the next month or six weeks,” Witty responded.

Senator Catherine Cortez Masto (D-Nev.) specifically asked when “the Change Healthcare network’s real-time eligibility and benefits verification functions will be up to date and accurate.”

Witty didn’t have an answer for Cortez Masto on this front.

According to the American Hospital Association, in March, 94% of hospitals reported being financially affected by the cyber attack.

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.



This story originally appeared on thehill.com.
