A hugely disruptive cyberattack in February exposed clear technology flaws at a UnitedHealth Group subsidiary, lawmakers said Wednesday, and raised difficult questions about whether the Minnetonka-based health care giant has become too big.
Andrew Witty, the UnitedHealth chief executive, offered an apology during testimony before the Senate Finance Committee as he disclosed that hackers accessed a portal at the company's Change Healthcare unit that lacked multifactor authentication protections.
The breach exposed a significant failure to comply with "cybersecurity 101," said the committee chair, Sen. Ron Wyden, D-Ore. There was bipartisan criticism of what one senator called a "monopoly on steroids," with some senators also questioning why UnitedHealth Group couldn't restore its systems more quickly.
The hack has caused nationwide havoc for health providers and by Witty's own admission could involve the personal information of up to 1 of every 3 Americans.
Witty said he was frustrated by the technology problems, as well, adding that UnitedHealth was still in the process of upgrading security and systems after acquiring Change Healthcare in October 2022. While the CEO said the company's size has enabled a strong response to the hack, Wyden promised further investigation both of the cyberattack and broader questions surrounding the company.
"The Change hack is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up larger and larger shares of the health care system," Wyden said. "It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack."
UnitedHealth Group is Minnesota's largest company by revenue and the fourth-largest firm in the United States by the same measure. The company's UnitedHealthcare division is the nation's largest health insurer. It also owns a fast-growing health services division called Optum that employs or is affiliated with about 90,000 physicians. Last year, it had about $22 billion in profits.
The company's size was a recurring theme in the lawmakers' questioning.
"Your revenues are bigger than some countries' GDP," said Sen. Marsha Blackburn, R-Tenn. "How in heaven's name did you not have the necessary redundancies, so that you did not experience this attack and find yourself so vulnerable?"
Sen. Bill Cassidy, R-Louisiana, asked if UnitedHealth Group's dominance in health care markets created "a special vulnerability." The company might have had the "deep pockets to address this," Cassidy said, but its scale also meant the hack had a "ripple effect that was outsized."
"For us, we would have to ask: Is the dominant role of United too dominant, because it's into everything — and messing up United messes up everybody?" Cassidy asked.
Witty replied that Change Healthcare's business was just as large before UnitedHealth Group acquired the company in 2022. He also reminded critics of the areas of health care where the company isn't a major player.
"Despite our size, for example, we have no hospitals in America, we do not own any drug manufacturers," Witty said. "We employ less than 10,000 physicians. ... We contract and affiliate with a further 80,000 physicians who voluntarily choose to work alongside our Optum colleagues."
Yet Sen. Elizabeth Warren, D-Mass., insisted: "UnitedHealth is a monopoly on steroids."
The cyberattack has been a blow to the nation's health care system because, to contain the threat, UnitedHealth Group had to shut down Change Healthcare systems used widely to process payment claims for U.S. health care providers. Those systems are now getting back to normal, Witty said, but senators grilled the CEO for not yet being able to specify how many and which patients have had their data compromised.
A substantial proportion of Americans may have been impacted, the company says, and Witty said it will take more time to understand exactly who has been affected, including members of the U.S. armed forces. In response to a question during a separate House hearing Wednesday, Witty suggested it could be one-third of all U.S. residents.
The federal government in March said the Change Healthcare system processes 15 billion health care transactions annually and is involved in one in every three patient records.
"To all those impacted, let me be clear: I'm deeply, deeply sorry ...," Witty said. "We will not rest — I will not rest — until we fix this."
UnitedHealth last week offered credit monitoring and identity theft protection for two years, but it amounts to "cold comfort," Wyden said.
"This corporation is a health care leviathan," he said. "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. ... Americans are still in the dark about how much of their sensitive information was stolen."
Witty told the committee that on Feb. 12 criminals used compromised credentials to access the Citrix portal at Change Healthcare. This portal was used for remote access of desktops, the CEO said, and lacked multifactor authentication, called MFA for short.
It's company policy, Witty said, to have MFA on all externally facing systems. He told Wyden that all those systems are now protected in this way.
Sen. John Barrasso, R-Wyo., said he didn't understand the oversight by such a large company, considering how even a small, financially struggling hospital he knows in his home state has been able to implement MFA technology. He asked Witty: "Did you lack the financial resources to implement a multifactoral authentication system? I'm just not sure why you haven't had this in place yet."
The slow timeline for restoring services after the cyberattack shows a clear lack of system redundancy within Change Healthcare, said Sen. Thom Tillis, R-N.C. While holding up a copy of the book "Hacking for Dummies," Tillis told Witty: "This was some basic stuff that was missed."
Witty acknowledged that "it's very frustrating that there wasn't a quick redundancy switchover."
Wyden said comments Wednesday from committee members showed bipartisan support for further investigation.
"We've just heard excuse after excuse from Mr. Witty," he said. "The fact is, that first server that was hacked did not have multifactor authentication and Mr. Witty's head of cybersecurity knew about it."
During the House committee hearing, Witty said the company paid a $22 million ransom via cryptocurrency after the cyberattack.
"As chief executive officer, the decision to pay a ransom was mine," he said. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."
To help thousands of health care providers with cash flow problems, UnitedHealth Group has advanced more than $6.5 billion, Witty said, in accelerated payments and no-interest, no-fee loans. About one-third of these loans, he said, have gone to safety net hospitals and federally qualified health centers that help high-risk patients and communities.
Health care providers were critical of the company's initial financial assistance offers, including just $90 per week for one Roseville clinic. The company then rolled out a second program to provide more help.
"While some of our early estimates of providers' potential gaps did not address their full need given our lack of visibility into their claims flow, we quickly adjusted," Witty told the House committee.
Minnesota health care providers, meanwhile, suggested that Witty's testimony glossed over ongoing technology problems.
"While the financial clearinghouse functions Change provided have been restored, there are literally dozens of other applications, from patient billing to insurance coverage confirmation, to authorizations for critically important medical procedures that remain impaired," Bob Hume of the Minnesota Hospital Association said in a statement to the Star Tribune. "This is having a real impact on patient access to care."
Note: An earlier version of this story wrongly identified the home state of Republican U.S. Sen. Bill Cassidy. He represents Louisiana.