This is two hours and 15 minutes. I ask all of our guests to please take their seats. The chair recognizes himself for five minutes for an opening statement. Today's hearing is about what is likely the most consequential cyber attack in healthcare history. How could something like this happen? How did consolidation in the health insurance industry reach such a state that a single ransomware attack on one company crippled the flow of payments and claims for months? Change Healthcare, a UnitedHealth Group subsidiary, for the cybersecurity attack. Roughly 50 percent of claims pass through or touch Change's clearinghouse. Having this much of the medical claims processing market share makes them a large target for bad actors. It's even more astounding when you consider the attack itself reportedly compromise without multi-factor authentication. I am concerned about patients who have been affected. Many patients were left out of pocket for medication; the pharmacy cannot process their claims or copay coupons. With that copay assistance. People walk away from diabetes medicine, antipsychotics, ADHD medication. One specific example is a patient having to pay $1,100 for medication the pharmacy is not able to process or copay assistance card due to the cyber attack. Contractually obligated to pay for these medications. To either walk away, pay large sums of money for their medications, or even having to borrow money from friends. Providers work initial phase they were provided deep uncertainty how to float on interrupted. There was minimal all shrinking bringing expenses for the provider such as switching clearinghouses and managing prior authorization. It is perfectly troublesome because of doctors to keep their practices open. By shutting down its clearinghouse, effectively stopping all payments on claims, make it more difficult to continue providing service.
One suburban Philadelphia physician who runs a $6 million practice was offered only $3,300 by UnitedHealth's emergency loan program. She might have to sell her practice. How many millions of dollars of interest loan has United made from holding onto money that it would have had to pay to providers? For patients, how many millions of surgeries, treatments and prescriptions were delayed or, worse yet, were either canceled or did not take their medicine? I understand the substantial task United is facing while dealing. Cyber attackers are the bad guys. I look for an explanation why United did not have a backup plan. And if they did have one, it obviously failed, resulting in the federal government having to step in and try to help. Additionally, we do not know how many patients had their health information breached. Last week, United conceded personal healthcare information and data of a substantial portion of Americans has been stolen. At this hearing I hope we can get an understanding of just how many Americans fall within United's definition of "substantial portion." Even though United paid the ransom, we now have reports cyber criminals are releasing patient information, billing records and other personal and sometimes very private held by UnitedHealth Group onto the dark web. Despite having paid the ransom. I have a sweet deal of these. The shed light on these issues to understand the full picture. I can assure this clearly watching close am always willing to hold the follow-up hearings if needed. That being said, I yield back. The Ranking Member of the subcommittee for her five-minute opening statement. Cyber attacks have become an unfortunate part of our daily lives. Companies know they need to be prepared. We are so interconnected online now. Communication, energy grids, online platforms and health claims clearinghouses like Change Healthcare. They are all targets. Ransomware groups and other actors are constantly probing corporate and government systems for vulnerabilities.
There are reports of major data breaches almost every week. Sometimes due to malfeasance. Sometimes by sophisticated cyber hackers. Despite all the cautionary warnings, the largest health insurance company in the country was caught unprepared. Change Healthcare, which is just part of the mega health conglomerate UnitedHealthcare, did not have basic cybersecurity protection in place. Because of that, it suffered a ransomware attack and was unable to recover its systems in a reasonable period of time, leading to serious harm to doctors, pharmacies and patients across America. Even with limited information that has been made public, it is clear there were multiple system failures. First, UnitedHealthcare was not using multifactor authentication on a remote desktop application. Multi-factor authentication is a very basic yet effective security measure everyday Americans have implemented on their mobile devices, bank accounts and email logins. In fact, the Department of Health and Human Services recommended the practice in 2022 through its publication Cybersecurity Practices for Medium and Large Healthcare Organizations and specifically called out the importance of authentication in a June 2023 newsletter. In that advisory, HHS noted multifactor authentication other processes stronger password work necessary promoted access. UnitedHealthcare ignored that advice. Second, it appears hackers roamed through Change Healthcare's systems for a week without being detected. There are essential network cybersecurity monitoring features that might have picked up and flagged unusual user activity. That apparently did not happen here. Third, whatever user credentials the hackers had access to, it appeared to allow them to roam across the entire Change Healthcare system unimpeded.
And fourth, the hackers were able to deploy a ransomware attack within the Change Healthcare network, suggesting a lack of adequate controlled user permissions that could have prevented software from holding their system's valuable health data ransom. And fifth, there appears to be a lack of continuity. The testimony states rebuilding your network; it is unclear why there is not a reliable backup or continuity plan in place that need for network reconstruction dramatically reduce the amount of time for transactions to begin moving again. At each of these points failed; whether it's to properly invest in cybersecurity or lack of adequate oversight and accountability within the company, it is an open question. The bottom line is there were multiple opportunities to prevent and mitigate this attack. UnitedHealth Group failed at every single one. In case any other companies, particularly health companies, are asleep at the wheel when it comes to cybersecurity, this is yet another wake-up call. Cyber threats are pervasive and worsening. Ransomware attacks can hold hostage the most sensitive personal data; ransomware groups to grow and carry out more attacks. These are no longer exceptional events. They are a constant and must be properly prepared. There are lessons to be learned. I want to make clear this crisis is not over yet by any means. There are pharmacies and providers that have not been able to reconnect healthcare systems. There is a massive amount of personal health information alpha that needs to be accounted for. And in addition to the questions you will receive today, there are numerous questions outstanding from this committee in a bipartisan letter that we will present to you, and I look forward to the answers to those questions in a prompt manner. I want to thank the chairman for putting on this important hearing and I yield back. The gentlelady yields back. I recognize the chairwoman of the full committee for her five minutes of questions.
Thank you for agreeing to testify before us today. I was disappointed your organization declined more original to testify on the cyber attack on Change Healthcare, one of your subsidiary companies. We had invited you to testify in front of the Health Subcommittee, but appreciate your cooperation in being here today. Most Americans have likely never heard of Change Healthcare despite how crucial its functioning is to ensure access to care. Change acts as a clearinghouse for 15 billion medical claims each year. That means more than 50 percent, or right at 50 percent, of all claims pass through Change. That covers everything from routine checkups of primary care physicians to lifesaving cancer treatments with specialists. Things that we until recent weeks took for granted. In 2022, your company acquired Change Healthcare as a part of growing into every corner of the healthcare system. Under the UnitedHealth Group umbrella resides a health insurance company with more than 40 million covered lives across commercial markets. A PBM that managed one or 59 billion in drug spending last year. A provider group that owns roughly one in every 12 doctors in the United States. A bank that makes payday loans to providers. That is just a few of the ventures under your purview. I say this to emphasize the massive responsibility that comes with your position. With the family of four being crushed by inflation, you think they are forking over more than $20,000 per year for health insurance. Senior citizens scenes the AARP brand under Medicare products at taxpayer federals tens of billions in subsidies to your company; there is a reasonable expectation they will get a baseline level of value for their hard-earned money. I will set the bar higher. You have a responsibility to protect the data, the people who put their trust in you. Or more bluntly, in this case you failed. On February 21st of this year, Change Healthcare announced it was hit with a cyber attack.
Severely disrupting the healthcare ecosystem for providers, payers and patients. It has been more than two months since the cyber attack, and according to your own company's website, Change has yet to fully restore services. Many negative impacts for the healthcare system persist. Criminal hackers gained access to Change Healthcare through compromised credentials, so they were remotely accessing the company portal nine days before the company announced publicly the ransomware attack. This portal did not have multifactor authentication enabled, a basic protection against cyber attacks, allowing the cyber criminals to unlock the door and break into your system. Multi-factor authentication would be a basic expectation for a company handling the breadth of sensitive information that Change Healthcare does. It's been reported your company paid a ransom. We have grave concerns about the precedents you created by rewarding more criminals. I would understand it would be a difficult decision to weigh that against protecting Americans' data. But here is the problem. It did not stop the data leak. Americans' personal and private information is on the dark web. This is private health data you are responsible for protecting. I suspect that decision will be a case study in crisis of mismanagement for decades to come. I would be remiss if I did not note providers, especially small providers and solo practitioners, continue to provide uncompensated care and submitting claims that cannot be processed. It has been reported some are contemplating closing and others have been forced to rely on volunteers to care for patients. Others have had to furlough staff so that employees can apply for other employment benefits. I look forward to hearing how this will be fixed as soon as possible. I will note in closing we are here today to learn more about what happened in the lead-up to the attack, what you are doing to fix it, and prevent it from happening again.
The American people, the millions who rely upon Change's services, and those whose information was leaked deserve answers. I yield back. The gentlelady yields back. The chair recognizes the Ranking Member for five minutes for an opening statement. Resulted in a prolonged just to earlier this year. Cyber attacks cause serious harm to patients, providers and pharmacies. Change Healthcare's platform is reportedly involved with one of every three patients, processing 15 billion transactions every year, and as a result of this attack, healthcare providers have suffered tremendous reimbursement; patients have been out of pocket expenses or to delay treatment. Pharmacies have been unable to process claims. You have to change how consensus were taken offline on February 21st. Failed to provide clarity as to when its systems would be online again. In fact, status updates used the same language for over a week: the disruption was, and I quote, "expected to last at least through the day." This frustrated the ability of providers and pharmacies to conduct their day-to-day operations. Decide whether to use systems. Now, over two months later, the system is still not back to where it was. It's unacceptable. We would not accept a bank or internet service being offline for weeks or months without a clear end in sight. It's wrong that healthcare providers, pharmacies and patients continue to bear the brunt of the failure by a corporation that earned three and 71 billion last year to either prevent or quickly remedy the situation. I am sure we would be hearing about the things UnitedHealth has done since the cyber attack to help providers. The bottom line is the Health Status security practice were woefully inadequate. The company did not have a plan in place to quickly recover from such an attack and to minimize the damage to everyone impacted. It's true the largest healthcare company in the country; it feels like too little too late for all those who have been harmed.
To make matters worse, we still do not know the full extent of the damage from the cyber attack. Even if all the providers and pharmacies are made whole and the system returns to normal, huge volumes of protected healthcare information are in the hands of hackers. UnitedHealth announced last week that can affect the privacy, and I quote, of "a substantial portion of people in America." As part of our work on comprehensive federal consumer data privacy and security legislation, the committee has held numerous committees highlighting the importance of companies' strong privacy and data security protections. It's extremely frustrating to have one of the largest companies in the world failing to meet its obligations under existing law that adequately protects them from the most sensitive personal information. But we are talking about sensitive information about healthcare status, what medications we take, what medical services we are provided. This never should have happened and it cannot happen again. UnitedHealth Group must do the hard work of adopting strong data security practices that include protecting against such attacks and adopting plans that minimize the impact of such attacks. It's going to take a lot of work to untangle this mess. The Department of Health and Human Services worked very hard throughout this crisis to minimize essential health program. HHS work ahead examines what went wrong here and the harm caused by the staff potential release of protected data. Bottom line is as we learn more about what went wrong, this committee should examine whether additional guardrails, such as establishing several security requirements on Medicare contractors, need to be in place to prevent this from happening again. This hearing is a good start. I want to thank the chair for holding it on the issues raising here. That concludes opening statements. Pursuant to committee rules, all opening statements will remain part of the record.
We ask you provide the opening statements to the clerk promptly. Want to thank our witness for being here today to testify before the subcommittee. Wise to practice squad on the senate side today followed by a round of questions. Our witness today is Sir Andrew Witty, chief executive officer of UnitedHealth Group. We appreciate you being here and look forward to hearing from you. You are aware the subcommittee is holding an oversight hearing and in doing so has the practice of taking testimony under oath. Do you have any objection to testifying under oath? No, I don't, sir. Seeing no objection and hearing no objection, we will proceed. I'd also advise you pursuant to House rules you desire to be a