Hearing on Change Healthcare cyberattack yields more questions for UHG

UnitedHealth Group was notably absent from a House Energy and Commerce Committee hearing about healthcare cybersecurity in the wake of the Change Healthcare cyberattack.

By Jill McKeon

Lawmakers had many questions for UnitedHealth Group (UHG), the parent of Change Healthcare, at a March 16 House subcommittee hearing about the cyberattack that halted claims payments and disrupted operations across the US healthcare sector.

However, no UHG representatives were present at the hearing, leaving many questions unanswered and sparking new ones about the impacts of consolidation of technology vendors in healthcare and the sector’s overall resilience.

Rep. Frank Pallone (D-N.J.) and other lawmakers noted their disappointment in UHG’s absence at this particular hearing.

“They have a critical perspective and insights into the existing vulnerabilities of our healthcare system,” Pallone said. “They could also answer some lingering questions we continue to hear from providers as their response to the attack continues.”

Without UHG present, the experts who testified at the hearing spoke to the state of healthcare cybersecurity as a whole and made several recommendations for improving government and private sector efforts to bolster security across the sector. Questions about the specifics of UHG’s response and recovery efforts went largely unanswered.

Experts Underscore Impact of Health Tech Vendor Consolidation

Although UHG representatives did not make an appearance, the experts who did testify were able to explain to lawmakers the profound impact that the Change Healthcare cyberattack has had on hospitals and physician practices nationwide.

John Riggi, national advisor for cybersecurity and risk at the AHA, testified that the widespread financial impacts caused by the Change Healthcare cyberattack are not only a threat to the solvency of the nation’s provider network but also to patients, who won’t receive care if providers cannot keep their doors open.

“The widespread impact on the healthcare sector was not completely surprising,” Riggi added. “That's because Change Healthcare is the predominant source of more than 100 critical functions that keep the healthcare sector operating. The company processes 15 billion healthcare transactions annually and touches one in every three patient records.”

Riggi reasoned that the consolidation of Change, Optum, and UHG also created a “consolidation of risk” that made the entire US healthcare system vulnerable.

Dr. Adam Bruggeman, M.D., an orthopedic surgeon at Texas Spine Center, highlighted his firsthand experience in the aftermath of the Change Healthcare cyberattack and its impact on physician practices. Like Riggi, Bruggeman also emphasized the risks of consolidation.

“My concern that cyber threats will drive further consolidation is not just hypothetical. We are seeing this play out as a direct result of the February attack. For practices whose cash flow was completely cut off and whose cash reserves were spent dry, the financial relief offered by CMS and Optum, the parent company of Change Healthcare and a subsidiary of UnitedHealth Group, was slow to arrive, it was complicated, and it was insufficient,” Bruggeman noted.

Bruggeman also alluded to reports that Optum was leveraging the financial emergency caused by the cyberattack as justification for accelerating its acquisition of physician practices.

Bruggeman urged Congress to examine whether “growing consolidation within the US healthcare market truly serves the best interests of patient care.”

Recommendations to lawmakers

“I don't want this committee to be back here in five or ten years after more patients’ healthcare is disrupted by known criminal actors finding vulnerabilities in the cybersecurity of our healthcare system,” said Rep. Cathy McMorris Rodgers (R-Wash.).

“To prevent that, I look forward to hearing from our witnesses about what healthcare can learn from other sectors. Are there more federal authorities HHS needs? What is the best balance to get better adoption of existing cyber security practices?”

Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), responded to lawmakers’ questions with several recommendations for bolstering healthcare cybersecurity.

First, Garcia emphasized the sector’s need to perform a health infrastructure mapping and risk assessment to provide visibility into critical services, such as Change Healthcare, in order to understand the impact of a cyberattack on these services.

What’s more, Garcia recommended that the government use the results of that risk mapping to evaluate merger and acquisition proposals against their potential for increased cyber risk, and that the sector hold third-party service providers to a higher standard of secure by design and secure by default.  

To Scott MacLean, board chair at the College of Healthcare Information Management Executives (CHIME) and SVP and CIO of MedStar Health, funding for healthcare cybersecurity remains a missing piece to improving the sector’s performance.

“Cybersecurity is a shared responsibility. However, without additional federal assistance, the healthcare and public health sector is limited in what we can do,” MacLean testified.

CHIME urged the government to prioritize funding for under-resourced healthcare organizations, as well as general funding for the implementation of the HHS Cybersecurity Performance Goals (CPGs).

The AHA’s recommendations to Congress included the consideration of policies that would alleviate administrative requirements imposed by payers in order to ease the burden on providers. The AHA also asked Congress to urge the HHS Office for Civil Rights (OCR) to ease its breach notification requirements related to the Change Healthcare cyberattack.

Questions for UHG remain unanswered

One day before the hearing, representatives from the House Committee on Energy and Commerce sent a letter to UHG CEO Andrew Witty inquiring about the efforts UHG is taking to restore system functionality and support providers.

The letter asked Witty for information about how many transactions were impacted by the cyberattack, how and when the incident was detected, and whether any information has been compromised. More than 25 questions were posed to UHG in this letter alone. Lawmakers requested a response by April 29.

Although UHG representatives were not at the hearing, the company released its first quarter earnings report on the same day, shedding light on the impacts that the cyberattack has had on UHG.

First quarter earnings from operations revealed $872 million in “unfavorable cyberattack effects,” and total cyberattack impacts in the first quarter amounted to $0.74 per share.

However, UHG’s 2024 Q1 revenues grew nearly $8 billion year-over-year to $99.8 billion.  

“The core story at UnitedHealth Group remains our colleagues delivering improved experiences for the people we serve and driving balanced growth even while swiftly and effectively addressing the attack on Change Healthcare,” Witty said in the report.

Lawmakers at the hearing mentioned that UHG will soon testify at a different hearing, though they did not specify when.