UnitedHealth Group drew the ire of federal lawmakers during the first hearing on the fallout surrounding the unprecedented cyberattack on Change Healthcare in late February.
Individuals representing the American Hospital Association, private cybersecurity groups and providers testified before members of the House Energy and Commerce Committee on April 16 to discuss the healthcare industry's response to the attack and how the federal government should act.
"It has been reported that UnitedHealth has exploited this crisis in order to acquire health practices that are in urgent need of revenue just to keep their doors open," Rep. John Joyce, MD, said during the hearing. "While patients and physicians are still struggling, UnitedHealth's day-to-day operations have continued. This underscores that while Change Healthcare was a target of this ransomware attack, ultimately the patients and the physicians were and continue to be the real victims."
No individuals representing UnitedHealth Group or its subsidiaries attended the hearing, but lawmakers said the company had previously briefed the committee; the Senate Finance Committee is planning a hearing with CEO Andrew Witty on April 30. Rep. Annie Kuster suggested that UnitedHealth be subpoenaed to testify.
"The attack shows how UnitedHealth's anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system," Rep. Anna Eshoo of California said. "This really deserves a strong response by the Congress — the outrageousness of this."
Optum first reported "enterprisewide connectivity" issues on Feb. 21, which quickly led to widespread claims processing delays for hospitals, insurers, pharmacies and medical groups nationwide. UnitedHealth said Change was hit by BlackCat ransomware group, which claims to have stolen 6 terabytes of data, including medical records and Social Security numbers.
In March, the cybercriminal organization received $22 million in bitcoins, though UnitedHealth Group has not addressed whether the company paid the ransom. On April 15, ransomware group RansomHub posted files on its dark web leak site comprising personal and protected health information on patients whose data was taken in the hack. The files also include contracts and agreements between Change and its clients, marking the first time hackers have posted data from the attack.
The AHA found that about 94% of hospitals have felt a financial impact from the attack, and more than half have reported a "significant or serious" impact. Seventy-four percent of hospitals have reported a direct effect on patient care. Optum introduced a temporary funding assistance program for providers struggling with cash flow after the attack. To date, the company has provided more than $6 billion in advance payments to providers.
During the House committee hearing, experts stressed the need for more long-term federal cybersecurity investments within the healthcare sector, a mapping of the nation's healthcare infrastructure, and a more comprehensive federal incident response plan for similar attacks in the future. Experts agreed that President Joe Biden's proposed $7.3 trillion budget — which includes an $800 million investment in hospital cybersecurity protections — is "woefully insufficient," though a good place to start.
Both Republican and Democratic lawmakers pointed to the hack as an example of what they said are the harms caused by vertical integration and industry consolidation. Those testifying recommended that future reviews of healthcare mergers and acquisitions by federal regulators involve cybersecurity considerations. UnitedHealth purchased Change in 2022 following a failed antitrust challenge by the Justice Department.
"The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up," Rep. Buddy Carter said.
"We have got to do a better job here," Rep. Larry Bucshon, MD, said. "I do think that vertical integration in our healthcare system, [which is] supposed to save money, is actually going the other direction."
In March, HHS launched an investigation into UnitedHealth and Change over the cyberattack within the context of HIPAA compliance. Unrelated to the attack, the Justice Department has also begun an antitrust investigation into UnitedHealth, The Wall Street Journal reported Feb. 27.
UnitedHealth Group posted a $1.4 billion net loss in the first quarter of 2024 following the sale of its Brazil operations and the cyberattack. Despite the losses, the company beat investor expectations and shares rose 5.2% to almost $469, the WSJ reported.
"Without UnitedHealth Group owning Change Healthcare, this attack likely would still have happened," Mr. Witty told investors April 16. "It would have left Change Healthcare, I think, extremely challenged to come back. Because it is a part of UnitedHealth Group, we've been able to bring it back. We're going to bring it back much stronger than it was before."
UnitedHealth estimates a full-year business disruption between $0.30 to $0.40 per share. In total, the attack had an $872 million impact on the company in the first quarter, which is expected to rise up to $1.6 billion for the full year.