Our country is experiencing a massive shift in technology. Our daily activities often revolve around computers and smartphones.
Our Information Technology (IT) infrastructure grows daily. But so do the threats of cyberattacks.
This week, the Energy & Commerce Subcommittee on Oversight & Investigations, which I chair, held a hearing focused on the fallout from the February 2024 cyberattack on Change Healthcare.
Change Healthcare (Change), a UnitedHealth subsidiary that was acquired by them in 2022, operates the largest Electronic Data Interchange clearinghouse in the nation, transmitting more than 15 billion transactions every year.
When the hack was discovered, UnitedHealth shut down its Change Healthcare networks. This action had profound consequences for providers and patients.
According to the American Hospital Association, 94 percent of hospitals reported being financially impacted by the cyberattack. Hospitals, clinics, medical practices and pharmacies across the country were prevented from getting paid and could not submit claims. Stopping all payments on claims made it difficult for providers and patients. An unknown number of patients had their care delayed.
These consequences were widely discussed on a bipartisan basis during the hearing, which featured UnitedHealth CEO, Sir Andrew Witty.
Patients reeled from this cutoff, prompting them to either walk away, pay large sums of money out of pocket for their medications or borrow money. I am sure some had to use credit cards with high interest rates.
NBC News reported patients not being able to afford their medication without copay assistance cards, such as patients at the Marion Family Pharmacy in Marion, Virginia.
One individual was forced to pay $1,100 for medication because the Marion pharmacy was unable to process her copay assistance card.
When I raised this issue to Mr. Witty, I asked how were this lady and other people similarly situated going to be made whole for their loss. He seemed empathetic.
But it was clear to me that UnitedHealth did not have a plan on how to take care of patients who had been harmed.
He had no answer as to how much paperwork would be requested from a patient in order to be fully reimbursed. It is not just the $1,100. It’s the interest on that money that UnitedHealth got to keep and receive interest on while the patient was possibly paying interest to a lender.
There is also the possibility of increased medical attention needed for patients that were denied medicine or services because their insurance could not be processed.
I hope in the coming weeks UnitedHealth will formulate a plan for making patients whole.
Another problem is how does UnitedHealth take care of healthcare providers.
Providers were kept in the dark when claims were not being processed and sparked fears of closures. Congresswoman Schrier (D-WA) told Witty a private practitioner in her district had to mortgage their home to make office rent and payroll.
UnitedHealth “helped” them out by giving them a $70 first-round loan. Big help!
It is true the hackers were the bad guys, but as I said in my opening statement, UnitedHealth’s Change did not have Multi Factor Authentication (MFA), which is a standard cyber protection tool. The criminals exploited this weakness allowing them access into the system.
Mr. Witty attributed the technology failure to Change’s outdated system.
As the largest health care conglomerate in the United States, this response was concerning.
Over 50 percent of U.S. medical claims are processed through Change’s EDI clearinghouse. UnitedHealth Group’s vast network encompasses Optum, Optum Rx pharmacies, urgent care centers, United Healthcare Medicare and Retirement plans, including AARP Medicare plans, 10,000 doctors and other subsidiaries.
Given UnitedHealth’s sweeping consolidation of medical companies, the company stands as a prime target for bad actors.
It begs the question whether one company should be able to control a market share of this magnitude in the healthcare arena.
I do not claim to know the answer, but the question must be asked.
UnitedHealth had an obligation to protect their customers. They failed! And they failed to have a secure backup plan.
Small medical practices and hospitals are hurting. But the most vulnerable to this incident were the people showing up at their healthcare provider needing care and at their pharmacy needing to get their medicine.
UnitedHealth has a big mess to clean up. Going forward, my Subcommittee will examine their actions and then we can determine if UnitedHealth is truly committed to rectifying their mistake.
If you have questions, concerns, or comments, feel free to contact my office. You can call my Abingdon office at 276-525-1405 or my Christiansburg office at 540-381-5671. To reach my office via email, please visit my website at https://morgangriffith.house.gov.