Transcripts For CSPAN2 UnitedHealth 20240703 : vimarsana.com

CSPAN2 UnitedHealth July 3, 2024

Disrupted the payment and claims process for providers. He apologized for the chaos resulting from the cyber attack. This is about two hours and 15 minutes. In 20 [inaudible conversations]
Finance Committee will come to order. This morning the Finance Committee examined the Change Healthcare hack that nearly brought our country's health care system to a standstill six weeks ago. Joining the committee is Andrew Witty, the CEO of UnitedHealth Group, which owns Change Healthcare. I'll put things in perspective. Last year, UHG generated $324 billion in revenue, making it the 5th largest company in the country. Overall, the company touches 152 million individuals across all lines of business, insurance, physician practice, home health, and pharmacy. With its profits, UHG has purchased dozens of other health care companies and is the largest purchaser of physician practices. This corporation is a health care leviathan. I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. UHG was a big target long before it was hacked. The FBI says that the health care industry is the number one target of ransomware. It's obvious why. Change Healthcare processes roughly 15 billion health care transactions annually, and a third of Americans' patient records pass through its digital doors. Change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. That means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. Military personnel are included in this data. Leaving this sensitive patient information vulnerable to hackers, whether criminals or a foreign government, is a clear national security threat.
I don't think it's a stretch the impact here rivals the 2015 hack of government personnel data from the Office of Personnel Management, which the FBI called a treasure trove of counterintelligence information for foreign intelligence services. UHG has not revealed how many patients' private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack. The failures of CEOs like Mr. Witty, who months in can't figure out how many people have had their data stolen, validate the FBI's warning. In the wake of the hack, United essentially disconnected Change from the rest of the health care system. It took weeks for Change to get back online, leaving health care providers in a state of financial bedlam. Doctors and hospitals went weeks delivering services but without getting paid. Insurance companies couldn't reimburse providers. Even today, key functions supporting plans and providers, including sending receipts for services that have been paid and the ability to reimburse patients for their out-of-pocket costs, are not back up and running. Small providers, particularly mental health providers, have been left holding the bag, stuffing envelopes with paper claims, and unable to get straight answers on how long the outage will last. And patients are bearing the brunt of it. Prescriptions went unfilled, patients were stuck at the hospital longer than needed, and Americans are still in the dark about how much of their sensitive information was stolen. The credit-monitoring service United offered these patients is cold comfort. The Change Healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in American history. It is Exhibit A for my case that tough cybersecurity standards are necessary to protect critical infrastructure, and patients, in this country.
HHS does not require health care providers, payers or health care clearinghouses like Change to meet minimum cybersecurity standards, unlike industries regulated by other federal agencies. Meeting a baseline of essential cybersecurity standards is a must, but is meaningless without equally strong enforcement. HHS has not conducted a proactive cybersecurity audit in seven years. As it stands, if a company does not comply with existing cybersecurity regulations, the fines amount to nothing more than a slap on the wrist. Federal agencies need to fast track new cybersecurity rules for Americans' private medical records, and Congress needs to watchdog this every day to make sure everything possible is done to protect patient data. Finally, the Change hack is a dire warning about the consequences of too-big-to-fail megacorporations gobbling up larger and larger shares of the health care system. It is long past time to do a comprehensive scrub of UHG's anticompetitive practices, which likely prolonged the fallout from this hack. For example, Change Healthcare's exclusive contracts prevented more than one third of providers from switching clearinghouses, even though Change's systems were down for weeks. Accountability for Change Healthcare's failure starts at the top. Before this hearing, I asked the company which members of its board have cybersecurity expertise. UHG pointed to NCAA president Charlie Baker, who signed some technology-related legislation into law years ago when he was governor of Massachusetts. Mr. Baker is certainly an expert on basketball, but UHG needs an actual cybersecurity expert on its board. Mr. Witty owes Americans an explanation for how a company of UHG's size and importance failed to have multifactor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems.
I'm hopeful that today's hearing can mark the beginning of the Finance Committee's work to make meaningful improvements in America's cybersecurity on a bipartisan basis. I encourage all members to focus on the subject at hand. That is because this is so important, so vital, there's much to discuss. Senator Crapo.
Thank you, Mr. Chairman. Appreciate your holding this hearing today. And thank you, Mr. Witty, for being here with us. On February 21, 2024, UnitedHealth Group learned that its subsidiary, Change Healthcare, was likely the victim of a cyberattack launched by a suspected nation-state associated cybersecurity threat actor. In response, Change, the nation's largest health care clearinghouse, which processes $1.5 trillion in medical claims annually, disconnected all of its systems to prevent the hackers from obtaining additional data. The fallout from this unprecedented attack has affected the entire health care sector. By crippling Change's functionality, the hackers left providers unable to verify patients' insurance coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills, or process prior authorization requests. In the immediate aftermath of the attack, many providers had to rely on reserves to cover the resulting revenue losses. An American Hospital Association survey found that more than 90 percent of hospitals were financially impacted by the cyberattack, with more than 70 percent reporting that the outage had directly affected their ability to care for patients. More than two weeks after the cyberattack was announced, the Department of Health and Human Services released a public statement and guidance related to the incident. On March 9, the Centers for Medicare and Medicaid Services made accelerated and advance payments available to impacted Medicare providers.
The administration's delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access to essential medical services and lifesaving drugs. While the February hack on Change was by far the most disruptive cyberattack on the health care industry to date, it was certainly not the first. According to a report by the Federal Bureau of Investigation, the health care sector experienced more ransomware attacks than any other critical infrastructure sector in 2023. In addition to the processing and revenue issues experienced by providers, patients' private identification and health care information was obtained by malicious actors during the breach. Unfortunately, personal health care data has become increasingly attractive to cyber criminals, who seek to use that information for blackmail or identity theft. For patients, the emotional and financial effects of leaked private information can have a devastating impact for years. Although many of Change's functions have now resumed, trust in the security of its platforms needs to be rebuilt. We owe it to American patients and to our frontline health care providers, from health systems to clinicians and community pharmacies, to ensure that this does not, and cannot, happen again. Today's hearing offers a valuable opportunity to learn from United's experience so we can better protect against, and quickly react to, future cyberattacks. Gaining a deeper understanding of how the hackers infiltrated Change will help identify and address gaps in our existing cybersecurity infrastructure. Evaluating steps taken by United in response to the attack, from disconnecting its platforms to notifying law enforcement, will offer lessons on how to build a more resilient and collaborative health care system moving forward. We must also assess the response of the federal government, which plays a critical role in these efforts.
HHS has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active threats, as well as best practices to deter intrusions and resources should an attack occur. Thank you, Mr. Witty, for being here to discuss building a more secure, resilient and responsive health care system. Thank you, Mr. Chairman.
Thank you, Senator Crapo. Andrew Witty is chief executive officer of the UnitedHealth Group. Prior to that he was executive vice president of UnitedHealth and CEO of Optum. From 2008-2017 he was CEO and director of GlaxoSmithKline. Mr. Witty, we appreciate you being here. I believe you're going to take five minutes or so to share your testimony, and we've got a lot of member interest and you'll get questions, and I'll do everything I can to keep them on this extraordinarily important topic. Mr. Witty.
Thank you and goodbye, Chairman Wyden, Ranking Member Crapo and members of the committee. Thank you for the opportunity to testify here today. My name is Andrew Witty. I serve as chief executive officer of UnitedHealth Group. Our mission is to help people live healthy lives and help make the health system work better for everyone. We have pursued this mission through our two distinct businesses, UnitedHealthcare, which provides a full range of benefits, and Optum, which brings together care delivery, pharmacy services, and technology and data to advance patient-centered care. Change Healthcare is part of Optum. It enables information, claims and payments to flow quickly and accurately between physicians, pharmacists, health plans and governments. I appreciate the committee's interest in the recent cyber attack on Change Healthcare. As a result of this malicious cyber attack, patients and providers experienced disruption and people are worried about their private health data. To all those impacted let me be very clear. I am deeply, deeply sorry.
Our response to this attack has been grounded in three principles: to secure the systems, to ensure patient access to care and medication, and to assist providers with their financial need. We have deployed the full resources of UnitedHealth Group in this effort. I want to assure the American public we will not rest, I will not rest, until we fix this. Cyber experts continue to investigate the incident, and while we will learn more and understanding may change, here is what I can share today. Cyber criminals entered a Change Healthcare portal, exfiltrated data and on February 21 deployed ransomware. The portal to access was not protected by multifactor authentication. Our response was swift and forceful. To contain infection we immediately severed connectivity and prevented malware from spreading their work. There's no evidence it spread beyond Change Healthcare. Within hours of the ransomware launch we contacted the FBI. We continue to share information with them so that these criminals could be brought to justice. As we've responded to this attack, including can do with the demand for ransom, my overarching priority has been to do everything possible to protect people's personal health information. The decision to pay a ransom was mine. This was one of the hardest decisions I've ever had to make, and I wouldn't wish on anyone. As you know, we found files in the exfiltrated data containing protected health information and personally identifiable information which could cover a substantial proportion of people in America. So far we have not seen evidence that materials such as doctors' charts or full medical histories were exfiltrated.
It will take several months before enough information will be available to identify and notify impacted customers and individuals, partly because the files contained in the data were compromised in the attack. Rather than wait to complete this review, we're providing free credit monitoring and identity theft protections for two years along with a dedicated staff by clinicians to support services. Anyone concerned that the data may have been impacted should visit changecybersupport.com for more information. Meanwhile, we continue to make substantial progress in restoring Change Healthcare services. First, the team built a new technology environment in just a matter of weeks. Second, we prioritize our restoration effort on services most vital to ensure access to care: pharmacy services, claims and payments to providers. And third, while these efforts are underway we worked quickly to provide financial assistance to providers who need it. We have advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers. Most of these funds offer claims for nonuh60 health plans, and about 34 percent of the loans have gone to safety net hospitals and federally qualified health centers. We will provide this assistance as long as it takes to get providers' claims and payments flowing at pre-accident levels. And its our providers in your state who need help, please put us in touch with them. Fighting cybercrime is an enormous task, and one that requires us all, industry, law enforcement, and policymakers, to come together. I look forward to answering your questions today.
Thank you, Mr. Witty. Let me begin with this. This hack could have been stopped with cybersecurity 101. And I'm talking specifically about multifactor authentication, MFA. When your bank asks you to enter a code sent by text or email, that's MFA. It secures your account even if your password is learned.
Yet, your testimony reveals this first server that was hacked didn't have multifactor authentication. So question one, I would like a yes or no answer to, Mr. Witty. Prior to the hack did you or any of your senior management know that UHG was not requiring MFA companywide, yes or no?
Mr. Chairman, thank you for the question. Our policy is to have MFA for externally facing systems.
So if the answer is yes, then that makes my point, that on your watch there was a cybersecurity failure. And then that's what caused the harm to patients, the health care sector and your investors. I don't believe there are any excuses for that. So my second question is, will you commit within six months at the latest to require multifactor authentication companywide and meet the top MFA standards that are required of the federal agencies? Again, a yes or no answer.
Mr. Chairman, yes, I'm happy to commit to that. In fact, I can confirm to you that as of today across the whole of UHG all of our external facing systems have got multifactor authentication enabled.
We will take that as yes. It shouldn't have taken the worst cyber att
