'Too big to fail': Consolidation concerns loom over hearing on Change Healthcare cyberattack

The scale of UnitedHealth Group's sprawling empire was under the microscope Wednesday as CEO Andrew Witty testified before two congressional panels about the cyberattack on Change Healthcare that's had ripple effects across healthcare.

Witty opened his testimony before the Senate Finance Committee with a personal apology, acknowledging the massive disruption the incident caused and the challenges that many are still feeling across the country. He said that Change's servers were breached due to compromised credentials on a server that lacked the additional protection of multifactor authentication, a basic security measure.

Change Healthcare was brought into the fold at UnitedHealth Group in late 2022 after the Department of Justice failed to block the deal in a court challenge. Witty said that in the process of integrating Change into Optum over the past year and a half, the company was working to complete a massive upgrade to all of its systems.

Witty said that Change's aging technology meant that much of its data was stored in physical data centers rather on the cloud, which made it more vulnerable. The hackers accessed one server that did not have basic two-factor authentication enabled, he said, but it's unclear what led to that significant oversight.

"I am as frustrated as anybody about that fact," he said.

He said during the House Energy & Commerce Committee Subcomittee on Oversight and Investigations hearing on Wednesday afternoon that UnitedHealth Group at the corporate level has a policy that requires multifactor authentication for its externally facing systems, and that it's aggressively testing updated measures to ensure that any additional vulnerabilities are rapidly addressed.

Witty said that every time there is a successful breach or a near miss, standards are raised to fend off future attacks. However, the cybercriminals conducting these hacks are very sophisticated, and they're also raising standards simultaneously.

During the morning hearing, multiple senators described UnitedHealth as "too big to fail," as the company noted on its first-quarter earnings call last month that while it experienced a significant loss in part due to the cyberattack in the first quarter, it did not expect the incident to have a material impact on its full 2024 finances.

Sen. Elizabeth Warren, D-Massachusetts, raised concern that the company could use the aftermath of the cyberattack to grow its reach. Optum filed for an emergency exemption in early March, allowing it to accelerate the controversial acquisition of an Oregon medical group that was slammed financially following the cyberattack.

She also noted that the company is "picking at the bones" of Steward Health Care by scooping up its physician group amid financial struggles at the system.

The DOJ is reportedly investigating UnitedHealth on antitrust grounds, with a particular focus on its Optum unit, where Change resides. Warren called on regulators to step in and "break up the monopoly" that UnitedHealth has become.

"UnitedHealth will stop at nothing to grow bigger, bigger and bigger," she said.

Witty told the House committee members later in the day that the Oregon acquisition is the only one it's made since the cyberattack, alongside contracts with two independent physician associations. Any valuation of future acquisition targets will not be based on the post-cyberattack environment, he said, as the company does not intend to take advantage of the ongoing disruption.

In the House hearing, Energy and Commerce Committee Chair Cathy McMorris Rodgers, R-Washington, said UnitedHealth is the "poster child" for increasing consolidation in the industry, especially as it continues to integrate physicians into its Optum Health arm.

"Americans don’t want to be told consolidation is a good thing," Rodgers said.

Consolidation concerns also came to the fore as legislators slammed UnitedHealth for allowing a huge vulnerability to go unnoticed during Change's integration process. Thom Tillis, R-North Carolina, brought a copy of "Hacking for Dummies" to the hearing to highlight the basic functionality of multifactor authentication.

"It doesn't include the nature of the breach that you all developed, but this is some basic stuff that was missed," Tillis said. "So shame on internal audit, external audit and your systems folks tasked with redundancy … they're not doing their jobs."

Committee Chair Ron Wyden, D-Oregon, also hammered Witty about the company's failure to identify the risks posed by the server that was breached between his colleagues' questioning.

Witty said that the company conducted a significant rebuild of Change's technologies following the attack to ensure that its systems would be safe as clients began to reconnect. Part of that effort included investing in moving far more of its data to cloud-based storage, Witty said.

He added that the company fends off an attempted intrusion every 70 seconds.

"We are under attack consistently," he said. "We are doing everything we can to be as prepared as possible, but we recognize the pressure of the attacks that come in."

He said that UnitedHealth is enhancing its cybersecurity oversight by bringing a member of Mandiant, a leading cybersecurity firm that is assisting with the investigation into the attack, on to its board.

"They have been extremely helpful in understanding this attack," he said. "We have the very best advice at the top of the company."

Legislators also pushed Witty for additional details on the extent of the breach's impact. So far, the company has not disclosed how many people specifically were impacted but said that preliminary data analysis suggests a "substantial proportion" of U.S. patients had data compromised.

Witty said the analysis will likely take several more weeks before any notifications can begin and that the company is working closely with regulators to ensure that process is conducted appropriately. He said the UnitedHealth team is in contact with the Centers for Medicare & Medicaid Services almost daily.

At the House hearing, Witty did offer some additional color on how many people where affected. While he cautioned that there is still plenty of data analysis ahead, he estimated that "maybe a third or somewhere near that level" of Americans have had their data accessed.

This estimate could change—and could change significantly—as the data analysis is completed, Witty emphasized.

While the notification process is not yet underway, Witty reiterated that people can proactively reach out now to secure free credit monitoring and identity theft protection from UnitedHealth. The company has set up a call center at 1-866-262-5342 where people can access these services.

Providers still feeling the pain

While Witty echoed an announcement from UnitedHealth issued last week that said claims flow is largely back to normal following the cyberattack, multiple provider groups said that doesn't necessarily reflect what front-line teams are feeling.

The American Medical Association said that a physician survey (PDF) conducted between April 19 and April 24 found that 90% are still losing revenue thanks to unpaid claims because of the cyberattack.

In addition, 80% said they're losing revenue because they can't submit claims and 63% said they're losing revenue because they can't charge patients for copayments or other out-of-pocket costs.

In an op-ed posted Wednesday, AMA President Jesse Ehrenfeld, M.D., wrote that the ongoing fallout from the cyberattack "is yet another cautionary tale of the dangers of unchecked consolidation across health care."

He wrote that the AMA has been consistent in its opposition to large-scale mergers, including UnitedHealth Group's acquisition of Change Healthcare.

"Because some patient information stolen during the cyberattack has already appeared on the dark web, the AMA continues to urge UHG to keep patients and physicians fully informed and updated on the situation, while also providing both the financial assistance and administrative flexibilities that practices need to continue serving patients," he wrote. "Over the long term, however, the focus must remain on correcting the issues triggered by high levels of concentration within our health care system."

The American Hospital Association also said that its members are continuing to feel the disruption. In a statement issued after the Senate hearing, AHA President Rick Pollack joined the chorus of critics calling attention to consolidation.

"The hearings also rightly exposed the size and scope of UnitedHealth Group, the parent company of Change Healthcare, and how that has affected—and could further affect—the delivery of health care for our nation," Pollack said. "We believe this examination is long overdue."

AHA urged legislators to "hold UnitedHealth Group to public comments" it made where it said it would handle notifying impacted people, taking on the administrative work on behalf of providers and other organizations.

Witty did reiterate those promises during the hearing in discussion about the notification process.

The Federation of American Hospitals, meanwhile, said that payers failed to step up when providers needed their assistance the most.

"No matter what is said today in front of lawmakers about the Change Healthcare cyberattack, the fact is most insurers failed to meet the moment to adequately help patients and their caregivers through the devastating crisis," CEO Chip Kahn said in a statement.

"We urge Congress to use today’s hearings to hold insurers accountable, make sure premium dollars are spent on patient care, and support caregivers as they meet the added expense and work through paperwork and new IT burdens resulting from this cyberattack," he said.