May 2, 2024 - Health

UnitedHealth CEO's testimony on cyberattack leaves Congress wanting

A photo of UnitedHealth Group CEO Andrew Witty.

UnitedHealth Group CEO Andrew Witty testifies to the Senate Finance Committee. Photo: Al Drago/Bloomberg via Getty Images

Congress hauled UnitedHealth Group's CEO to the Hill on Wednesday seeking more clarity about the cyberattack at subsidiary Change Healthcare that threw much of the health care system into turmoil.

  • What they got was an apology and some notable non-answers.

Why it matters: UnitedHealth is a $371 billion behemoth that could face more regulation or even calls to divest some of its businesses in the fallout from the hack.

  • And a pair of hearings in the Senate and House underscored how much remains unknown more than two months after the attack — including whether UnitedHealth will make hospitals and other providers whole for expenses incurred while processing of medical claims was disrupted.

Between the lines: The political consequences for UnitedHealth could eclipse financial damage from the cyberattack, which so far has made a minimal dent on the company's balance sheet.

  • The company, which reported $22 billion in profits last year, said the attack cost it roughly $870 million in this year's first quarter. It estimates costs for the year could reach $1.6 billion.
  • Its share price has fallen roughly 7% since the attack. It ticked up during CEO Andrew Witty's testimony but ended the day where it started.

Zoom in: Among the questions that Witty couldn't answer was why the company failed to stop and contain the attack.

  • The company this week disclosed that hackers gained entry through a remote portal that didn't have multifactor authentication, a basic cybersecurity safeguard. And other measures meant to block intruders from maneuvering through its system failed.
  • "I'm as frustrated as anybody about that act," Witty said.

Witty was also unable to tell lawmakers how many Americans' data were breached. The company has said it is likely a "substantial proportion" of Americans, but it could take months to make a full accounting.

  • "Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals on the dark web," said Sen. Maggie Hassan (D-N.H.), who is pushing for more notification to people potentially affected.
  • Senate Finance chair Ron Wyden (D-Ore.) said it's a "national security priority" to figure out how many stolen records were from active duty military.

And Witty didn't directly answer when asked if the company will pay providers for expenses incurred as a result of the attack. Witty instead noted the company has provided $6.5 billion in no-interest loans.

  • "We're happy to engage with providers to discuss that," Witty replied when asked by Wyden if the company would offer "meaningful compensation" for the disruption.

The big picture: While concerns about the cyberattack cut across party lines, the prospects for any legislative response are unclear.

  • Some lawmakers broached the possibility of new health care cybersecurity requirements they acknowledge could be unpopular with industry, while others — including some Republicans — questioned if UnitedHealth has gotten too big.
  • Witty sought to strike a conciliatory tone, saying he was "deeply sorry" for the attack. He expressed openness toward some sort of minimum cybersecurity standards for the industry.
  • "We're supportive of a direction of travel which moves towards minimum standards," Witty said. "I think today there is a blend of guidance, some standards and others and I think there needs to be clarity within that."

The bottom line: There's still much to learn about the most disruptive health care cyberattack ever — and how to prevent a similar one in the future.

  • "There's a lot we don't know, there's a lot that the American people don't know," Wyden said as the Senate hearing wrapped up. "We don't even know what data was stolen. And I'm not convinced that we are going to find that out anytime soon."
Go deeper