What We Learned: Change Healthcare Cyber Attack
Americans deserve to have their sensitive health information protected. Energy and Commerce Republicans have been actively working since the February 21st cyberattack on Change Healthcare to understand how it happened, how it can be prevented in the future, and how to help Americans continue to access care.
THE PROBLEM
Change Healthcare is one of the largest health payment processing companies in the world. It acts as a clearing house for 15 billion medical claims each year—accounting for nearly 40 percent of all claims.
The cyberattack that occurred in February knocked Change Healthcare—a subsidiary of the behemoth global health company UnitedHealth—offline, which created a backlog of unpaid claims. This has left doctors’ offices and hospitals with serious cashflow problems—threatening patients’ access to care.
It has since come to light that millions of Americans may have had their sensitive health information leaked onto the dark web, despite UnitedHealth paying a ransom to the cyber attackers.
E&C ACTION
From the outset, Members on Energy and Commerce have been working with the administration and Change Healthcare to help providers—particularly smaller and rural practices—maneuver through the new, complicated process of getting reimbursed, so they could keep their doors open and focus on caring for patients.
Energy and Commerce Republicans were briefed by the Administration for Strategic Preparedness and Response, the Centers for Medicare and Medicaid Services, and Change Healthcare in the weeks following the attack. Following the briefings, bipartisan Energy and Commerce leaders wrote to UnitedHealth seeking answers about the attack. The Subcommittee on Health convened a hearing on May 17th to explore cybersecurity vulnerabilities in the health care sector and discuss possible solutions to address them.
This week, the Oversight and Investigations Subcommittee called UnitedHealth CEO Sir Andrew Witty to explain to the American people what happened in the lead up to and during the attack, how the company is responding, and how it plans to prevent such an attack from happening again.
WHAT WE LEARNED
1. The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems.
We're continuing to investigate as to exactly why MFA was not on that particular service. It clearly was not. I can tell you I'm as frustrated as you are about having discovered that and as we've gone back and figured out how this situation occurred.
Change Healthcare came into the organization toward the end of 2022 after the timing of the declarations you just described.
Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. For some reason, which we continue to investigate, this particular server did not have MFA on it.
2. It’s estimated that a third of Americans had their sensitive health information leaked to the dark web as a result of the attack.
Oversight Subcommittee Chair Morgan Griffith:
"Substantial proportion of the American population." What does that mean? How much are we talking? 20 percent? We talking 50 percent? We're talking 70? Tell us.
Mt. Witty:
Chairman, we continue to investigate the amount of data involved here. We do think it's going to be substantial. Because we haven't completed the process, I'm hesitant to be overly precise on that and and be wrong in the future. I wouldn't like to mislead anybody in that regard.
Chair Griffith:
Well, and I wouldn't want you to mislead us either. But when you say "substantially," at least give me some kind of a range. You can be on the bottom to high. I don't mind giving you a range. Are we talking 20 to 50?
Mr. Witty:
I think maybe a third or somewhere of that level.
3. This might not be the end of the leaks. Despite UnitedHealth paying a ransom to the criminals, it cannot guarantee that more of Americans’ sensitive information will not be leaked.
How were the hackers communicating with UnitedHealth to get the ransom? Did you communicate ever directly with the hackers?
Mt. Witty:
I did not. No.
Chair Rodgers:
How much did you pay in ransom? And how was it paid it? In dollars? Bitcoin or other cryptocurrency?
Mr. Witty:
$22 million in Bitcoin.
Chair Rodgers:
What was the date that you paid the ransom?
Mr. Witty:
I'm sorry. I don't have that to mind. But I can certainly get back to you with that.
Chair Rodgers:
Can you affirmatively say that the hackers you paid did not make copies of protected or personal data and then, at a later date, uphold it onto the internet
or the dark web.
Mr. Witty:
I cannot affirmatively say that. No.
4. UnitedHealth has resources to help individuals and providers.
Is there a generally available website or telephone number that a practice can call right now, if they're continuing to have a problem?
Mr. Witty:
Yes. And thank you very much for the question.
So [https://support.changehealthcare.com/] is the best website for anybody to access, whether it being a provider or an individual.
But, also I would very much like to note the 1-800 number that's available for individuals to call if they have any questions at all about data or anything like that.
So, it's 1 (866) 262-5342. That service line is available and makes available very quickly is a very simple process. If anybody wants things like credit protection, identity theft protection, those services are all available to be enrolled on just through a simple phone call.
CLICK HERE to watch the full hearing.
Check out some of the news coverage from the hearing:
UnitedHealth’s handling of the situation will probably be “a case study in crisis mismanagement for decades to come,” said Rep. Cathy McMorris Rodgers (R-Wash.), chair of the House Energy and Commerce Committee.
Witty fielded heated questions from Senators on the House Energy and Commerce Committee about the company's failure to prevent the breach and contain its fallout.
Pressed for details on the data compromised, Witty said "maybe a third" of Americans' protected health information and personally identifiable information was stolen.
Members of the House Energy and Commerce Committee asked Witty why the nation's largest health care insurer did not have the basic cybersecurity safeguard in place before the attack.
"Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty said. "But for some reason, which we continue to investigate, this particular server did not have MFA on it."
Rep. Gary Palmer (R., Ala.), in an afternoon hearing held by the House Energy and Commerce Committee’s subcommittee on Oversight and Investigations, pressed Witty on how many government employees with security clearance were included in the breach. That kind of theft would be a national-security risk, he said.
Still, Rep. Earl L. “Buddy” Carter, R-Ga., railed against the company’s use of vertical integration, in which it has acquired physician practices, pharmacy benefit managers and other players in the health care system.
“Let me assure you that I’m going to continue to work to bust this up,” Carter said.“This vertical integration that exists in health care in general has got to end.”
Several members also took the opportunity to chide United Healthcare’s use of prior authorization, which Witty said resumed for its Medicare Advantage plans April 15.
The company should “carefully review how that prior authorization” has affected patient outcomes, said Rep. John Joyce, R-Pa.