On Wednesday, May 1, Andrew Witty, CEO of United Health Group (UHG), appeared before two congressional committees to discuss the recent Change Healthcare Breach. Mr. Witty expressed deep regret for the significant disruption the incident caused throughout the healthcare sector.

During his testimony, he provided insight into how the attack happened, evaluated United Health Group’s response—highlighting both strengths and areas for improvement—and shared lessons learned from the incident.

Throughout the long day, lawmakers focused on several recurring themes in their questioning, exploring United Health Group’s response, strategies to prevent future cyber attacks, enhancing the resilience of the health sector, and the crucial partnerships needed to address vulnerabilities within America’s current healthcare framework.

The extensive and rigorous questioning touched on a wide range of issues inherent in healthcare cybersecurity. Mr. Witty found himself under intense scrutiny as legislators sought to understand how a corporation as large and financially robust as UHG could suffer such a breach.

While some members of Congress grilled him on these points, others acknowledged that UHG was the victim of a criminal act, and they aimed to unravel the complex factors that not only led to the breach but also impeded a swift resolution.

UHG’s response to the cyber attack

In his written testimony, Mr. Witty outlined three principles United Health Group implemented in response to the breach:

1) Securing the systems

2) Ensuring uninterrupted patient access to care and medications

3) Supporting healthcare providers with their financial needs

He emphasized his commitment to the American public, stating, “The people of United Health Group and I will tirelessly work until we rectify this situation.”

He also noted that UHG blocks over 450,000 intrusion attempts annually, underscoring the persistent cybersecurity threats faced by healthcare organizations. However, he acknowledged that the focus would inevitably be on the single intrusion that succeeded, rather than the many that were thwarted.

During the testimony, it was revealed that the initial breach resulted from compromised credentials on an internet-facing Citrix server that lacked multi-factor authentication (MFA). This revelation prompted several congressional members to express their astonishment and frustration over such a fundamental lapse in security measures.

Mr. Witty reiterated that MFA is standard policy across all remote servers at UHG and expressed uncertainty about why it was not implemented in this instance. When questioned about accountability for this lapse, he affirmed that while the security and IT teams are generally responsible for deploying MFA, he ultimately holds responsibility for the organization’s security protocols.

The ransom payment

Mr. Witty’s testimony also confirmed that United Health Group paid $22 million in bitcoin as ransom. He described this decision as one of the most challenging he’s faced, acknowledging the potential for such payments to encourage further cyber attacks. Nevertheless, he emphasized his obligation to protect patient information from exposure at all costs.

UHG is still actively investigating to ascertain the full scope of the potentially compromised data.

In response to the breach, UHG is offering two years of credit monitoring and identity theft protection to anyone who feels they may have been impacted by the event. Mr. Witty was less forthcoming about the number of impacted individuals, the timing of the notifications, and the reasons for not reporting the breach to the Office for Civil Rights (OCR) within the mandated 60-day period.

He stated that UHG was moving as swiftly as possible and maintaining full cooperation with both the OCR and the FBI. Furthermore, he affirmed UHG’s commitment to notify patients as soon as they are legally able to do so.

Impact on patients and providers

Mr. Witty acknowledged the significant negative impact the Change Healthcare incident had on patients and providers, admitting that United Health Group’s initial response was imperfect. Specifically, he noted that the initial loan assistance program for providers was poorly executed, leading to reluctance among providers to request necessary funds.

In response, UHG has revised its approach, now offering no-interest, no-fee loans that can be disbursed in a matter of hours. Mr. Witty emphasized that repayment is only required 45 days after providers have fully resumed their normal claims processing operations.

Additionally, he acknowledged ongoing challenges with some providers who are unable to process claims, attributing this partly to the outdated legacy systems within Change Healthcare, but expressed his commitment to working with these organizations until these issues are corrected.

Reviewing the recovery process

Considerable time was dedicated to examining why United Health Group’s recovery process was prolonged, with several members of Congress raising concerns about the absence of a restoration from backups.

Mr. Witty explained that their backups had been encrypted as well, rendering them unusable for recovery purposes. He further detailed that Change Healthcare’s infrastructure included both on-premise and cloud-based servers, with the cloud servers proving significantly easier to restore.

Faced with the unavailability of backups and the necessity to ensure provider confidence in reconnecting to the system, UHG opted to rebuild from scratch. Although this approach was time-consuming, Mr. Witty affirmed it was the most prudent course of action to ensure system integrity and security.

Concerns were also raised about the size and scale of United Health Group, which ranks as the 11th largest company globally and the 5th largest in the United States. Senator Bill Cassidy (LA) broached the subject of UHG’s immense size potentially making it a “too big to fail” entity within the healthcare industry. He highlighted the inherent risks associated with this industry dominance, noting that 5% of the U.S. GDP flows through UHG’s network daily.

Mr. Witty responded by emphasizing that the scale of the Change Healthcare clearinghouse has remained constant since its acquisition by UHG. He reassured the committee that UHG has acquired only one healthcare organization since the incident, and that acquisition was already underway before the breach occurred. Mr. Witty argued that UHG’s size was beneficial, suggesting that organizations are “lucky that UHG is big.”

This perspective was countered by Senator Ron Wyden (OR) who simply stated, “Many feel this is not true.”

Improving healthcare cybersecurity protections

As lawmakers intensively questioned Mr. Witty about the breach, the urgent need to fortify our healthcare system emerged as a bipartisan issue.

Senator Tom Carper (DE) emphasized that securing the sector is a collective responsibility, asserting that the government must act to protect citizens in ways they cannot protect themselves. He also sought Mr. Witty’s input on how the government could enhance sector protection.

Mr. Witty responded by expressing the need for minimum cybersecurity standards and the integration of redundancy systems. He also urged the government to alleviate the relentless pressure of attack velocity that healthcare organizations face.

Echoing the need for comprehensive action, Senator Mark Warner (VA) highlighted the importance of including the entire supply chain in cybersecurity efforts, emphasizing that all organizations, even those not directly involved in patient care, play crucial roles.

The Change Healthcare incident underscored the significant impact third-party attacks can have on the sector.

The need for action and reflection

While some might feel saturated with information about the Change Healthcare incident, it is likely that this will not be Mr. Witty’s final appearance on Capitol Hill.

Both United Health Group and Congress have committed to reflecting on the “lessons learned” from this breach to enhance cybersecurity across the healthcare sector. Opinions vary widely; some view UHG as diligently assisting affected organizations and as a victim itself, while others criticize it for failing to maintain fundamental security measures consistently.

Regardless, the incident continues to unfold, and there remains much to examine. It is imperative that our healthcare sector and national policymakers act swiftly to tackle the discussed vulnerabilities and enforce meaningful improvements.
