UHG says it's rebuilding Change Healthcare with cloud-based security
Credit: U.S. House Committee on Energy & Commerce
UnitedHealth Group CEO Andrew Witty testified on May 1 before both the House and Senate about the seismic February 21 cyberattack of UHG subsidiary Change Healthcare, which was infiltrated by the ALPHV ransomware gang.
He acknowledged that the absence of multifactor authentication on a legacy server provided the cybercriminals with their successful attack vector.
And, though the company's forensic investigation will continue for the foreseeable future, Witty admitted that personally identifiable information and protected health information for about one-third of Americans was stolen, in his estimation.
"I want to say again to all those impacted, I am deeply sorry," Witty told the House Oversight and Investigations Subcommittee as he spent the better part of two hours answering angry committee members' financial, operational and technical questions.
"We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever," he said.
Apologies and assurances
In his Congressional testimony, Witty said that UnitedHealth chose to pay a $22 million Bitcoin ransom because Change Healthcare's compromised outdated systems had crippled operations – for itself and so many of its customers.
His testimony offered a glimpse into the technical side of the attack and, and UHG's incident response.
"From the moment I learned of the intrusion, I felt a profound sense of responsibility to do everything we could to preserve access to care and support our customers and clients," Witty said during his opening testimony.
"Our response and reaction to this attack has been grounded in three principles: to secure the systems; to ensure patient access to care and medication and to assist providers with their financial needs."
Several members of Congress used their time to ask how the company intends to help patients, providers and government employees exposed and continuing to suffer financial strain in the outage.
Others – including legislators who are healthcare providers by trade, and one independent pharmacist – asked about prior authorizations, pharmacy benefit management, extending medical claims-filing deadlines due to the clearinghouse outage and other constituent complaints about how UHG makes decisions that affect access and patient care.
Many of the representatives brought up UHG's $370 billion in revenues last year when they asked about the financial strain on patients and providers caused by the attack and subsequent outage.
Unable to process claim payments, the American Medical Association said that, based on its recent survey, conducted on March 26 through April 3, small medical practices will close because of the Change cyberattack.
Witty acknowledged that smaller providers are experiencing the longest recovery, and that they are the ones receiving the majority of interest-free, no-fee loans. UHG has provided $6.5 billion in accelerated payments as of April 26, the company reported.
Providers "did not stop their work" after the attack when they saw cash flow cease, Congresswoman Diana DeGette, D-Colo., noted, and asked Witty about an initial loan term that allowed Optum, the entity of UHG that operates Change, to take back funds without notice.
"We immediately realized [the terms] were not appropriate," he answered. "I fully accept that was a misstep."
Concerns over future claims denials
During the hearing, Rep. Dr. Kim Schrier, D-Wash., also asked questions about the 2022 merger, which the U.S. Department of Justice had tried to block.
While efforts to address the situation, and advance payments are appreciated, she said, "The reality is that this massive far-reaching attack has disproportionately impacted small, independent practices that were already struggling to stay afloat."
Though other payers have "done nothing to help," she said the loans have been insufficient, describing the "devastated" experience of Balance Physical Therapy of Issaquah, Washington. The owners of the practice employing six physical therapists had to mortgage their home to pay rent and payroll," Schrier said. "And now that money has run out."
In UHG's first round of loans, Balance was paid $70, she said, holding up a paper to enter as an exhibit.
Schrier then said that UHG should have enough claims experience information to understand what practices billed in the prior month and prior year, "and should be able to do better than that."
She asked if UHG would help repay the value of that mortgaged home since he said he "wouldn't rest" until UHG made things right.
"Madam Congressman, absolutely," he said.
Part of the reason some providers did not receive support, and may still lack support, is that UHG does not have "visibility of non-United flows," Witty explained.
"Because we were trying to help quickly, we undershot, and in this case we massively undershot."
She also said that she heard that the loan conditions were very suspect, such as a clause that the recipient could not use a UHG competitor, and some clinics and hospitals in her district decided not to take them.
And, given United's reputation of buying up provider practices "that are in trouble," she asked what guarantee could Witty give the committee that United will not "damage these practices by not reimbursing sufficiently, putting these unfair terms on, and then going and just buying up the practices."
"All of those terms are gone now," and the payvider would "never want to act opportunistically from the back of this," Witty assured.
Previously, the UHG CEO had said that the healthcare is holding regular briefing calls for providers that need support getting reconnected to the payment service that has resumed, and then said provider and patient constituents in any district should contact UHG at 866-262-5342. (There is also a UHG resource page.)
Later, he noted that 142,000 tax ID numbers have taken advantage of the no-fee loan program, and he stressed many times throughout the hearing that providers do not have to start paying back until they decide that their operations have returned to normal.
"We pledge to do everything in our power to fix their system or underwrite their cash flow, simple as that," he already promised in his opening testimony.
While much of the claims and payment system functionality has been restored, according to an April 29 letter from the American Hospitals Association to Senators Ron Wyden, D-Ore., chairman of the Finance Committee and Mike Crapo, R-Idaho, ranking member, health systems and hospitals are concerned about clawbacks.
"Reconnecting is not the only step to recovery," AHA said.
"The disruption and delay in claims submission will inevitably lead to many denials, especially as most payers did not waive certain administrative requirements impacted by the Change Healthcare outage."
Rebuilding legacy systems
A few House committee members asked basic questions about where defenses fell apart, compliance with HIPAA and whether the company had heeded federal agency warnings about the group targeted by International law enforcement, as ALPHV BlackCat has been in operation since November 2021.
Without true isolation of backups in the cloud, and a legacy server without MFA, Change Healthcare has left its parent company liable for a wake of damage that stretches coast to coast.
Ranking member Frank Pallone, D-N.J., said he wanted to know why UHG did not upgrade old systems or implement adequate backup in the year and a half since the acquisition was completed.
Only when the company was acquired did UHG get a look at the network, and since that time Change's systems were being updated, Witty explained.
"Change, this risk, pre-existed the acquisition of United," he said.
The particular ransomware attack made prime systems and backups inoperable.
"That's one of the lessons we have to learn from this in terms of how we build true isolation in backups, and maybe just emphasize the point about the importance of having those services in the cloud versus on older, on-premises data centers, which was the case in the legacy Change environment," he said.
Witty also told Rep. Dr. Mariannette Miller-Meeks, R-Idaho, who was invited to join the hearing, that the fault lay in the "small" company's deeply embedded legacy systems.
"I do believe the issue of risk actually existed when Change was quite a small independent business, or, in fact, a public company, but quite a small public company. It came into the organization and very unfortunately this attack occurred in the early days of us owning this business."
But the presence of older backups, and upgrades in process, doesn't excuse UHG for some observers.
"Unlike smaller organizations, these industry giants often have greater resources at their disposal, leaving no excuse for lax data security postures," Asaf Kochan, cofounder and president of Sentra, a New York City-based cloud-native data security platform, told Healthcare IT News via email.
"What was different is that United has the financial capacity to resolve this issue and I believe to rebuild Change into a much more modern, much safer platform," Witty said.
Rep. Brett Guthrie, R-Ky., also asked about Change's legacy equipment and if there are more outdated systems that could be compromised.
"We are relentlessly trying to extinguish that possibility. We are using third parties to make sure that occurs," he answered.
"In the reconstruction of Change – so, one of the reasons why it is taking longer than you may expect to bring back Change, is because we are building much of this platform from scratch with brand-new modern technologies, often cloud-based, with much greater built-in security capabilities than anything that pre-existed the attack."
When asked about implementing measures in the joint advisory of the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation and U.S. Health and Human Services, Witty said that with the investigation, UHG is trying to figure out why all Change systems were not reviewed.
It's UHG policy to look at lessons learned with any breach or "any near miss," said Witty. "Every time we do root cause analysis."
Breach impact is broad, unclear
Witty said during the hearing that UHG is working with regulators on its willingness to take the responsibility to notify all individuals affected.
Rep. Gary Palmer, R-Ala., asked about the duration of the fallout from the cyberattack. He said his colleagues have done a good job of asking about the impacts, but he wanted to ask about thousands of government employees with "very high-security clearances" that may be included in the data.
He asked Witty to prioritize informing federal employees that their PII may have been exposed and gave his assurance.
"Some of our worst fears are coming true," said Paul Tonko, D-N.Y., with millions of Americans' health data at risk due to the data breach.
While HIPAA requires minimum data security standards, Palmer asked if Change is fully compliant with HIPAA, and had UHG analyzed Change's systems for HIPAA compliance.
Witty said they could only analyze the systems after purchase: "Given its size and complexity, that takes some time to do."
Tonko then asked why a breach notification with HHS had not been filed yet.
Witty answered that UHG didn't have access to what data was exfiltrated until the middle of March and they are still analyzing it.
"I'm extremely concerned that we are just seeing the start of the impact of this cyberattack," Schrier said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.