UnitedHealth Group CEO Andrew Witty expressed that he was "deeply deeply sorry" about the impact that the late February cyberattack against Change Healthcare has had on patients and providers during May 1 congressional hearings.
Mr. Witty was probed for more than two hours by a Senate committee about both his and the company's hand in what some are calling the biggest cybersecurity disruption to healthcare in American history.
"Your company is the nation's largest private health insurer and the largest physician employer in the country, earning billions in profits every quarter," New Jersey Sen. Bob Menendez said. "It's unacceptable that it took so long to help providers during a crisis of your creating."
UnitedHealth acquired Change Healthcare in 2022.
Mr. Witty said that prior to the attack, UnitedHealth was in the process of upgrading Change Healthcare's older technology "to the standards of UnitedHealth Group."
UnitedHealth believes that the hacking group ALPHV, known as BlackCat, entered the Change Healthcare portal, which was not protected by multifactor authentication, around nine days before they were aware of any cyberattack activity and exfiltrated data. On February 21, the hackers deployed ransomware.
"I want to assure the American public, we will not rest, I will not rest, until we fix this," Mr. Witty said during the hearing. "To contain infection, we immediately severed connectivity and secured the perimeter of the attack to prevent malware from spreading. It worked. There is no evidence of spread beyond Change Healthcare."
While Mr. Witty confirmed that the UnitedHealth policy is to have multifactor authentication for externally facing systems and that as of May 1, all of the external facing systems have multifactor authentication enabled, Oregon Sen. Ron Wyden pointed out that on Mr. Witty's watch, a cybersecurity failure still occurred.
"I don't believe there are any excuses for that," Mr. Wyden said. "It shouldn't have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum."
Mr. Witty was also asked about how the company is assisting providers while reimbursements are delayed. He noted that UnitedHealth has provided more than $6 billion in financial support to providers since the attacks. The providers do not have to repay the interest free loans until 45 days after they have confirmed that their operations are back to normal.
Louisiana Sen. Bill Cassidy, MD, also addressed the size of UnitedHealth during the hearing and suggested that the company was too big to fail, and if it did, the implications could be huge.
"Despite our size, we own no hospitals in America, we do not own any drug manufacturers," Mr. Witty said. "We employ less than 10,000 physicians. Hospitals across America employ 400,000 physicians. We contract and affiliate with a further 80,000 physicians who voluntarily choose to work alongside our Optum colleagues."
Issuing breach notifications on behalf of providers affected by the cyberattack is another top priority for UnitedHealth. Mr. Witty said the company is working with regulators to get those concrete details to providers in writing, which could still take several weeks.
Mr. Witty also declined to comment on questions from Sen. Elizabeth Warren regarding a Justice Department investigation into the company's billing practices.
Mr. Witty was further grilled for another two hours in the afternoon in a House subcommittee hearing.
At that hearing, Virginia Rep. Morgan Griffith homed in on an April 22 statement from UnitedHealth that said the data stolen by hackers likely covers a "substantial proportion of people in America."
Mr. Griffith asked Mr. Witty how many people that "substantial proportion" entailed.
Mr. Witty said because they haven't completed the investigation, "I'm hesitant to be overly precise on that and be wrong in the future. I wouldn't like to mislead anybody in that regard." Mr. Griffith further pressed, asking, "At least give me some kind of range."
"I think maybe a third or somewhere around there," Mr. Witty said.
Mr. Witty also confirmed during the hearing that the ransom paid to hackers was $22 million in Bitcoin. He said in his written testimony it was his decision to pay the ransom.