This is about two hours and 15 minutes. [inaudible conversations] [inaudible conversations] the finance committee will finance committee will come cto order. K we examined the change healthcare act that nearly brought the Healthcare System to a stand till. Joining us is mr. Andrew woody. He willcall uhg and own change healthcare. Lets put i things in prospective. They generated 324 billion in making it the fifthbillion in largest in the country. Touchedos 152 individuals across all lines of business. Insurance, home health, and pharmacy. With its profits uhg purchased dozensth of Healthcare Companies and the largest purchaser of practices. I this corporation is a healthcare i believe the bigger the company the bigger the responsibilityty to protect systems from hackers uhg was a bigd. Target long before it was hacked. The fbi said the Healthcare Industry is the number one target of er one ransomware. Y 15 billion transactions annuallh are done and third of american patient records pass through its digital doors. An change specializes in moving patient data from Doctors Office to Doctors Office or to and from your Insurance Company. Thatur means medical bills chald full of sincive diagnosis, treatments, medical histories that reveal everything from abortion to Mental Health disorders to diagnosis of cancer tod sexually transmitted innex. Military personnel are included in the data. Leaving this sensitivein information vulnerable to hackers whethers, criminal or Foreign Government is a member of the Senate Select committee on ill tell against a clear threat. I dont think its a stretch the etimpact here rivals the 2515 hk of Government Data from the office of perp nel management. The fbi called that a treasure attorneyclient privilege of Counter Intelligence information for foreign intelligence sources. United health group has not revealed how many patients private medical records were stolen, how many providers went without reimbursement and how many seniors were unable to pick up their prescriptions as a result of the hack. The failures of ceos like mr. Whitey who months in cant figure out how many people had their data stolen validates the fbi warnings in the wake of the cohack united disconnected chane from the rest of the healthcare from the rest of the healthcare it took weeks to put providers in my home state of oregon doctors and hospitals went weeks without getting pay. They couldnt reimburse provider s providers including recepts for services and ability to reimburse patients are not backup and running. Mental Health Providers are unable to get straight answers on how long this outage willhe last. Americans are in the dark about how much information was stolen. The Credit Monitoring Service is offering comfort to all of these flustered patients. The healthcare hack is considered to be the biggest disruption to healthcare in American History. It is in my view exhibit a the country needs tough Cyber Security standards. They need to meet minimum Cyber Security standards unlike the industries regulated. Meeting al baseline of Cyber Security is a must. Ssits meaningless without strog enforcement. Health and Human Services hasnt conducted a pro active Cyber Security audited in happen years if a company doesnt comply with the regulations this amounts to nothing but a slap on the wrist. Rithey need to fast track rules for americans private records and congress needtions to watchdog this to make sure whats getting done is the essential of protecting da. The change hack is a warning about the consequences of twof big to fail mega corporations gobbling up larger shares of the Healthcare System. Its long pastime to do a scrub of the United Health of ikanticompetitive practices that prolonged the fallout from the hack. For example change healthcare contract prevented onethird of providers from switching clearinghouses even though the systems were down for weeks. The accountability starts at the top of before the hearing i asked the company which members have Cyber Security expertise. Iduhg pointed to Charlie Baker o sign Technology Related legislationgo yearless ago in ti governor of massachusetts uhg used an expert we owe the people an explanation how they didnt protwofo Party Authentication oa service. E the plans were adequate and how long it will take to finally secure systems. I hope todays hearing can sa make i encourage you to focus on the subject in hand. Its so important and vital. Thank you mr. Chair. I appreciate you holding this hearing today. On february 21, 2024 United Health group learned they were the victim of a cyber attack launched by a nation state Cyber Security threat actor. In response change, the nations largest clearinghouse that processes 1. 5 trillion inll medical claims annually disconnected all of its systems to prevent the hackers from obtaining additional data. The fallout from this attack has effected the entire sector. By crippling changes functionality theyer left providers unable to verify patientscl insurance coverage, submit claims. Generate cost estimates and process prior authorization requests. In the immediate aftermath of the attack many had to rely on reserves. American Hospital Association survey found that more than 90 of hospitals were impacted by0 the attack with more than 70 reporting the outage effected their ability to care. More than two weeks later the department of health and Human Services released guidance. On f march ninth they made accelerated and advance payments available to impacted providers. The administrations delay exacerbated a landscape with concerns about access to medical services and life saving drugs. The february hack on change was the most disruptive cyber attack ony the Healthcare Industry to stdate. It wasnt the first. According to a report by the fbi the Healthcare System experienced more attacks than any other sector in 2023. In t addition to the processing and revenue issues experienced byon providers and Healthcare Information was obtained by malicious actors. Unfortunately, data is increasinglyy, attractive to cyr criminals seeking to use that information f for brack mail or idy at no time think of the. They can have a devastating impact for years. Many of their functions have resumed trust in the platforms need toen be rebuilt. We owe it to american patients and Healthcare Providers from Health Systems to klinenitions and Community Pharmacies to insure this doesnt and cannot happento again. Todays hearing offers a valuable opportunity to learn from the uniteds experience to quickly react to sigh per attacks. Cyber structure notifying en phonement will offer lessons on a resilient system moving forward. Which ren we mess assess the response of the government playing a Critical Role in those efforts. Hhs hasdi a responsibility to convene insights from other branches oaf government and the private sector to deploy timely information abouts threats as well as best practices to stop intrusions and resources should an attack occur. Thank you for being here tocu discuss building a secure and responsive Healthcare System. Thank you mr. Chair. Thank you, senator. An draw is the chief executive officer of the United Health group. Of prior to that executive Vice President of United Health and fceo of optum. We appreciate you being here. I believe you will take 5iv minutes to share your testimony and interest and you will get can questions and do what i can. Mr. Whitey. Members of the committee. Thank you for the opportunity to testify heree today. Im the chief officer of the United Health group we want be to make the Health System work better for everyone. We pursue through the two businesses United Healthcare providing a full range of benefits and optum bringing together care delivery, Pharmacy Services and Patient Center cared. Change is part of optum. This allows information to flow between governments. I appreciate the Committee Interest in the cyber attack on change healthcare. People worried about their data. To all of those impacted, let me be clear, im deeply, deeply sorry. Our e our response so to secure systems. Provide acsises to care and medication and assist providers with their financial needs. We have deployed the full resources of United Health group. We will not rest, i will not rest, until we fix this. Cyber experts continue to invest date the incident. We will learn more and eunderstanding might change this is what i can share today. Cyber criminals interred a portal and exfull traited data and deployed ransomware. The portal was not protected. Our response was swift. We impleadly severed connectivity andpry vented malware from spreading. It worked. No evidence of spread beyond change healthcare. Within hours of the random ware launch we contacted the fbi. We keyboarded share information so theti criminals can be brougt to justice. As we responded to the attack including dealing with the for random we do with the everything prosessable to protect Peoples Person nal Health Information. The decision to pay a ran some was mine. The hardest decisions i every had toad make. I wouldnt wish it on anyone. As you know, we found files in the data with person nal identifiable inflammation covering a substantial proportion of people n america. So far, we have not seen evidence that materials like doctors charts ore medical history was exfull traited. It will take several months to identify and notify those impacted. Rather than waiting to prevent the review. We have offered monitoring and polyvied support services. Anyone concerned their data might have been impacted should visit change cyber support for more information. Meanwhile, we continue to make progress in restoring change healthcare services. First, the team build a new Technology Environment in a few weeks. Second prioritized restoration ndefforts on services most vital to insure access so care. Pharmacy services and claims. Third, while the efforts were underway. We worked to provide Financial Assistance tota providers who nd it. We have add advanced more than 6. 5 billion in payments and no interest no fee loans to ntthousands of providers. Most of the funds are for claims for nonuhc health plans and 34 have gone to safety net hospitals and Health Centers. Ss we will do this for as long as it takes. If there are prodescribedders in your state that need hip put us in touch with them. Fighting this crime is a hugees task and requires policymakers to come together. I look forward to answer your questions today. Thank you, lets begin with this. This hack could have been stopped with Cyber Security 101. Im talking specifically about multifactor authentication. Mfa. When your bank app asks you to enter a code sent by text or email, thats mfa. Itit secures your account if yor password is learned. Yet your testimony revealed the first sever that was hacked didnt have multifactor authentication. So, question one, id like a yes or y no answer to it. Kidney of your Senior Management knowow uhg wasntry quiring mfa company wide . Thank you for the question. Our c policy is to have mfa for systems. So, if the answer is yes then that makes my point on your watch there was a Cyber Security failure abdomen then thats what caused the harm to patients healthcare sector in your investors. Hceci dont believe there are ay excuses. My second question is will you commit within six months to require multifactor Authentication Company wide ande meet the tough mfa standards arequired of federal agencies, again, yes or no answer. R yes, im happy to commit to that. As of today across the hall of uhg all systems have gone multifactor authentication. We will take that as a yes. It shouldnt have taken the worries cyber attack in the healthcare sector to do this bare minimum. Second, with respect to National Security. People claiming toct be involved with the hack and stole ca ta on u. S. Government employeesmp including active duty members. My colme regals remember the hak of opm government Personnel Data that posed very serious concerns. Im very concerned, as i said, about the National Security imindications as wwell. Can you say if the hackers stole datau. Pertaining to u. S. Government employees . Im concerned ability any patients information. In the context you just described so far through the process of working through the data. Washington we have been able to identify iss a substantial proportion that could be implicated here. We believe members of the armed forces when can you give us in writing the number of military personnel . I give you my commitment . A week . Two weeks . Two weeks i expect it. We will proprioritize that. All right, lets talk about why a things are taking so long and how hard providers are being hit. They are paying price for the failures that have been made on your watch. How much longer will they have to wait to be paid . Mr. Chairman. Flow across the entire coup try is back to normal. Certainly from a United Health group prospective. We are paying claims as soon as they arrive providers tell memp it will take until june to clear the backlog. Can we do that earlier. We can do it faster. When can you expect to have it cleared . We believe the system is back to no l r normal. Every provider i bump into is waiting to be paid. The payments from united have been made. We are caught up. Will you commit to waving deadlines for timely filings and appeals for claims until everest is back in order. We have waved those. Plan business operations. We are happy to engage. Please send that to me in writing how composition system would work. Letsns mention one other area ervery quickly. I have followed your comments andd consistency, your views minimize the impact of your involve. You say United Payments account for 6 payments in the Healthcare System. Thats basically hiding the ball. In 2022 the Department Said the change had records of 211 individuals going back to 2012. How many people have been impacted . Find the files. What medical information was stolen. I need answers to those three questions. How many impacted . Where did you find the files . What information was stolen. Thats top priority. We are working our way through hrthat. We have not i didntfied anything like medical records o. You cannot tell us what dataw walked out the door. Which have been working to get that. Thank you, mr. Chairman. The fbi warned the healthcare sectors attracted to cyber criminals. United experiences a cyber intrusion once every 70 seconds. Nationwide, side ber Security Preparedness appear to be disjointed. Without disclosing security related details, how do you intend to revise unites experience . Let me reiterate how serious we take it and diligent we are working to make it right technically and make sure we have to expand the patient implications. On your question how we responded. We have multifactor authentication on external systems e which is in place. Can i interrupt, part of my mquestion is. I want to make sure you are responsive. Ois it as system as fixing the multifactor system . Thats one element. Its only one element of the defense. Making sure we have implemented in addition to normal scan of technology and environment we brought third party to do scanning across the system as a protection lawyer. We made the decision to straighten oversight of Cyber Security at the company which bringing to the board on an everyev meeting basis which is leading Advisory Service thats been helpful and become a board make sure we have thee a board best. Would you agree, this stronger approach needs to be standard across the Healthcare Industry. Everything from government to private sector and frankly, the entire aspect of the Healthcare System. I would agree with that. What we saw at change healthcare which was a company that just came in the group was a company that had older Legacy Technology. Its typical of many small to medium sized organizes in the healthcare environment. Ther