Reps question Change Healthcare CEO over cyberattack, hammer on effects of consolidation on smaller practices

Smaller and medium-sized physicians’ practices and other medical service providers were slammed financially when hackers launched a massive ransomware attack on Change Healthcare.

The CEO of its corporate parent said he wants to help them stay afloat.

On May 1, UnitedHealth Group CEO Andrew Witty testified in the House of Representatives Energy & Commerce Committee Oversight and Investigations Subcommittee hearing, "Examining the Change Healthcare Cyberattack." It was the second of his doubleheader of congressional testimony. Earlier in the day, he spoke about the Feb. 21 hack in a hearing of the Senate Finance Committee.

Based on more than two hours’ worth of questions from House Committee and Subcommittee members, it appears they, along with physicians and other health care providers, are suspicious about UnitedHealth Group’s connectivity and willingness to help.

Boosting cybersecurity

UnitedHealth Group has invested about $300 million in cybersecurity, Witty said, and smaller and medium-sized health care businesses around the country have nowhere near that much to spend on it.

Witty emphasized the updated website, call center at 1-866-262-5342, and interest-free, no-fee loan program meant to help physicians and other clinicians. The company has paid more than $6.5 billion in accelerated payments and the loans to about 142,000 tax identification numbers (TINs). An exact number of providers was not available because the number varies and they can move from TIN to TIN, but that does represent about one-third of all provider TINs associated with Change Healthcare before the attack, he said in questioning by Rep. Mariannette Miller-Meeks, MD (R-Iowa).

“So, very substantial uptake, very large fraction of those folks are small providers,” Witty said, with UnitedHealth Group “essentially auto-approving loans to small providers in matter of hours.”

That program remains open, and Witty acknowledged the company botched the first week or two of the loans. The lawmakers offered anecdotes of constituent physicians or other health care providers at first getting a few hundred or thousand dollars to sustain businesses that needed substantially more to maintain cash flow.

The company still is determining whose health or identifying information may be posted online. It may be up to one-third of the American population, Witty said. UnitedHealth Group will accept all responsibility for notifying people, he said.

Consolidation

A number of the lawmakers, including some of the physicians, asked about the cyberattack and hammered on the connections to continuing consolidation in health care.

Subcommittee Chair Rep. Morgan Griffith (R-Virginia) opened the hearing with that issue.

“How could something like this happen?” he said. “How did consolidation in the health insurance industry reach such a state that a single ransomware attack on one company can cripple the flow of payments and claims for months?”

“I firmly believe that consolidation in health care is not a good thing, OK?” said Rep. Larry Bucshon, MD (R-Indiana). “It's led to increased costs. We know that. Even though everybody says it will decrease costs, it does not.”

Rep. Kim Schrier, MD (D-Washington), said she was on the same wavelength as Bucshon regarding consolidation and its effects on patients and physicians.

“The reality is that this massive, far-reaching attack has disproportionately impacted small, independent practices that were already struggling to stay afloat and United's advanced payments have been appreciated, but insufficient, and other payers, as you've just heard, have done nothing to help. It is in their interest to hold on to that money,” she said. She offered the example of a small physical therapy practice in Washington where the owners had to mortgage their house to make rent and payroll, while UnitedHealth Group posted $371 billion in revenue in 2023.

Committee Chair Rep. Cathy McMorris Rodgers (R-Washington) called UnitedHealth the “poster child” of arrangements of insurers not trying to pay for patient care and maintaining ownership over doctors that are supposed to provide it. Rep. Buddy Carter (R-Georgia), a career pharmacist, displayed a literal poster that diagrammed UnitedHealth Group’s business interests sprawling across health care, and asked Witty about how his company can justify clear conflicts of interest.

“Thank you for the question and the challenge. I appreciate that,” Witty said. “We operate our organization with very clear firewalls between the organization and we are guided around a mission of trying to align incentives in the system to try and eliminate waste and abuse and to try and deliver value-based care to individuals. We know that when that happens, clinical outcomes improve and we believe the cost goes down for people involved in that process. That's what we focus on through the organization.”

Prior authorizations

UnitedHealth Group offered prior authorization flexibilities after the attack. Now physicians and other health care providers who took advantage of those now fear they could be subject to cumbersome audits or that UnitedHealth Group might second-guess some of the decisions users had to make while the systems were down, said Rep. Raul Ruiz, MD (D-California). He asked for assurance that UnitedHealth Group would not pursue unfair retroactive denials and clawbacks, and Witty agreed.

Rep. John Joyce, MD (R-Pennsylvania), asked why PA flexibilities for Medicare Advantage plans were not extended for other insurance, but Witty noted Medicaid decisions generally are left to states, and employers offering private insurance generally make their own rules regarding PA.

Positive comments

Rep. Kat Cammack (R-Florida) said providers who have taken loans to cover revenue shortfalls have said they felt pressured by UnitedHealth Group to make upbeat public statements about the support. Rather, Witty noted UnitedHealth Group staff asked providers who received loans to spread the word about the program, but upbeat public statements are not part of any approval criteria for the loans.

Law enforcement perspective

Apart from physicians, patients, pharmacists and other health-related effects, Rep. Michael Burgess, MD (R-Texas), encouraged Witty to continue working with law enforcement to find the culprits.

“I want to see someone arrested and marched into the center of town and shot for doing this,” Burgess said. Witty praised the efforts of the FBI and agreed with Burgess’ sentiment.

“I am completely aligned with you that I'd love to see these people brought to justice,” Witty said. “And I hope we're the last people they ever attack.”