Transcripts For CSPAN3 UnitedHealth 20240703 : vimarsana.com

And history across America. We will take you live to a House subcommittee hearing on cyber attacks that have affected healthcare systems, and we will hear from the CEO of UnitedHealth Group, which experienced a cyber attack.
It will now come to order, and the chair recognizes himself for a five-minute opening statement. Today's hearing is about what likely is the most consequential cyber attack in healthcare history, and how could something like this happen? How did consolidation in a health insurance industry reach such a state that a single ransomware attack on one company crippled the flow of payments and claims for months? And it was subject to the cyber security attack, and it operates the largest electronic data interchange clearinghouse in the nation, with 50 of U.S. medical claims pass through or touch this, making it an essential link between providers and insurers, and a single company having this much medical claims processing market share makes them a large target for bad actors. And it's even more astounding when you consider the attack itself occurred using compromised credentials without multifactor authentication, and this type is standard defense to prevent cyber attacks. And I am concerned about patients who have been affected, and many patients were left having to pay large amounts of money out of pocket for the medications because the pharmacy couldn't process their claims or their copay coupons. And the Family Pharmacy in Virginia in my district said the biggest effect has been patients not being able to afford the medication without copay assistance cards, and they said, and I quote, "We have people walking away from diabetes medicine, antipsychotics and ADHD medications."
In one specific example was a patient having to pay 1100 for medication since the pharmacy was unable to process her co-pay and due to the cyber attack, and United is contractually obligated to pay for these medications, but patients are still paying premiums and forced to either walk away or pay large sums of money for the medications or even borrow money from friends, family or, worse, with cash advances off of their credit cards. And providers were deeply affected by the cyber attack, and they were left in the dark as to why United stopped processing claims, and there was deep uncertainty about how to get the claims to flow uninterrupted, and the program was minimal and restricted, and they brought in many unrecognized expenses for the providers such as switching clearinghouses and manager in prior authorization. And it's troublesome because doctors are worried about keeping practices open, and United, by shutting down its clearinghouse and effectively stopping all payments on claims, making it more difficult to provide services. One Philadelphia physician who runs a 6 million a year practice was offered 3300 by the emergency loan program from UnitedHealth, and she may have to sell her practice. How many millions of dollars of interest alone has United made from holding onto money that it would have had to pay to providers or for patients? How many millions of surgeries, treatments and prescriptions were delayed or, worse yet, canceled, or they didn't take the medicine?
I understand the substantial task United is facing and dealing with the fallout from this cyber attack, and they are the bad guys, but I do look for an explanation on why United didn't have a backup plan, and if they did, it failed, resulting in the federal government having to step in and try to help. And additionally, we don't know how many patients had their health information breached, and they conceded that personal healthcare information and data of a substantial portion of Americans has been stolen, and at this hearing I hope we get an understanding of how many Americans fall within United's definition of substantial proportion. Even though United paid the ransom, we now have reports that cyber criminals are releasing patient information, billing records and other personal private health data held by UnitedHealth Group in spite of having paid the ransom. And that is what happens when you deal with these, and I am hopeful this will shed light on the issue so we can understand the full picture, and I can assure you this will be watching closely, and I am always willing to hold follow-up hearings if needed. That being said, I do yield back and recognize the Ranking Member of the subcommittee for her opening statement.
Thank you. Cyber attacks have become an unfortunate part of our daily lives, and companies know they need to be prepared, and we are so interconnected online, and communication and energy grids and online platforms and health claims clearinghouses like Change Healthcare are all targets, and ransomware groups and other threat actors are probing corporate and government systems for vulnerabilities, and there are reports of major data breaches almost every week, and sometimes due to malfeasance and sometimes by sophisticated cyber hackers.
Despite all of the cautionary warnings, the largest health insurance company was caught unprepared, and Change Healthcare, part of the mega health conglomerate UnitedHealth, didn't have basic cyber security protections in place, and because of that it suffered a ransomware attack and unable to recover its systems in a reasonable period of time, leading to serious harm to doctors, providers, pharmacies and patients across America. Even with the limited information that has been made public, it is clear there were multiple system failures, and this is a very basic yet effective security measure that everyday Americans have. The Department of Health and Human Services has recommended the practice since 2022 through its publication Cyber Security Practices for Medium and Large Healthcare Organizations, and specifically it called out the importance of multifactor authentication in a June 2023 newsletter. In that advisory, HHS noted that multifactor authentication and other authentication processes are stronger than a single password necessary when an entity provided remote access. United Healthcare ignored that advice. Second, it appears that hackers roam through Change Healthcare systems without being detected. They might've been picked up and that apparently didn't happen. Third, whatever user credentials the hackers had access to appeared to have allowed them to roam across the entire healthcare system unimpeded. Also, they were able to deploy an attack within the network, suggesting a lack of adequate controls or user permissions that could've prevented malicious software from holding their system and valuable healthcare data ransom.
There also appears to be a lack of any continuity or contingency plan to address this crisis, and as your testimony states, lots of time and resources were spent completely rebuilding the network, but it is unclear why there wasn't a reliable backup or continuity plan in place that would've prevented the need for a complete network reconstruction and dramatically reduced the amount of time for transactions to begin moving again. At each of these points, UnitedHealth Group failed; whether it was a failure to properly invest in cyber security or a lack of adequate oversight and accountability within the company, it is an open question. But the bottom line is that there were multiple opportunities to prevent, detect, and mitigate this attack, and UnitedHealth Group failed at every one. In case any other companies or health companies are asleep at the wheel when it comes to cyber security, this is another wake-up call, and cyber threats are pervasive and worsening. Ransomware attacks can hold hostage the most sensitive of personal data, and profits for paid ransoms only strengthening and encouraging ransomware groups to grow and carry out more attacks. They are no longer exceptional events, and they are a constant thing and must be properly prepared for. While there are lessons to be learned, I do want to make clear that this crisis isn't over yet by any means, and there are pharmacies and providers that haven't been able to reconnect to Change Healthcare systems, and there is a mass amount of health information that needs to be accounted for. In addition to the questions you received today, there are numerous questions outstanding from this committee and a bipartisan letter we sent to you on April 15, so we look forward to the answers of those questions. I want to thank the chairman for putting on this important hearing.
The gentlelady yields and we recognize for five minutes.
Thank you for agreeing to testify before us today, and I was disappointed your organization declined the original invitation to testify on this cyber attack on Change Healthcare and one of your subsidiary companies before we had invited you to testify before the Health Subcommittee, but we appreciate your cooperation in being here today. And most Americans have likely never heard of Change Healthcare despite how crucial its functioning is to making sure they have access to care. It acts as a clearinghouse for 15 billion medical claims each year. It means more than 50 or right at 50 of all claims pass through Change, which covers everything from routine checkups with primary care physicians to lifesaving cancer treatments with specialists. Things until recently we took for granted in 2022, and they acquired this as part of the growing creep into every corner of our healthcare system, and under the group umbrella resides the health insurance company with more than 40 million covered lives across Medicare and Medicaid and commercial markets, and a PBM that managed 159 billion in drug spending last year, a provider group that owns roughly 1 in every 12 doctors in the United States. A bank that makes payday loans to providers. That is it just a few of the providers, and I do say this to emphasize the massive responsibility that comes with your position, and with the family of four crushed by inflation, you would think that they are forking over more than 20,000 per year for their health insurance, when a senior citizen sees the brand on your Medicare product, and when they funnel tens of billions of subsidies to your company, there is a reasonable expectation that they will get a baseline level of value for their hard-earned money. I will set the bar higher. You have a responsibility to protect the data of the people who put their trust in you. More bluntly, in this case, you failed.
On February 21 of this year, Change Healthcare announced it was hit with a cyber attack disrupting the healthcare ecosystems for providers, payers and patients, and it's been more than two months since this attack, and according to your own company's website they have yet to fully restore services. Many negative impacts for the healthcare system persist. As your written testimony lays out, criminal hackers gained access to this through compromised credentials, so they were remotely accessing the company's portal nine days before your company announced publicly the ransomware attack, and this didn't have multifactor authentication enabled, which is a relatively basic protection against cyber attacks, which allowed them to unlock the door to break into your systems, and multifactor authentication would be a basic expectation for a company handling the amount of sensitive information that they do. And it has been reported that your company paid a ransom to cyber criminals, and while I do have grave concerns with the precedent you created by rewarding the criminals, I would understand that it would be a difficult decision to weigh that against protecting the data of Americans. Here is the problem. It didn't stop the data leak. Americans' personal and private health information is on the dark web, and it is private data you are responsible for protecting. I do suspect this decision will be a case study in crisis mismanagement for decades to come, and I would be remiss if I didn't note that small providers and solo practitioners continued to provide uncompensated care as submitted claims can't be processed through payers, and it's been reported that some providers are contemplating closing and others forced on relying on volunteers to care for patients, and others have had to furlough staff so employees can apply for unemployment. I do look forward to hearing how this will be fixed as soon as possible.
I will note that we are here today to learn more about what happened and in that lead-up during the attack and what you, Mr. Witty, are doing to fix it and prevent it from happening again. The American people, the millions who rely on changes in services and those whose information was leaked, deserve answers.
We recognize the Ranking Member for his five-minute opening statement.
Thank you. We are here because the cyber attack on this resulted in a prolonged disruption to our healthcare system earlier this year, and the cyber attack has caused harm to patients, providers and pharmacies. The platform was clearly involved with one of every three patient records, processing 15 billion transactions every year, and as a result of this attack healthcare providers have suffered tremendous delays in reimbursement, and patients have been forced to front out-of-pocket expenses for medicine for treatment because pharmacies have been unable to process claims. Now some were taken offline on February 21, and they failed to provide clarity as to when its systems would be online again, and in fact the status updates repeated the same language for over a week, that the disruption was expected to last at least through the day, and this frustrated the ability of providers and pharmacies to conduct their day-to-day operations and decide whether to use alternative systems. And in the meantime, now over two months later, it's not back to where it was, and there is a backlog of claims that need to be submitted and processed, and the delayed restoration and lack of communication from UnitedHealth Group is unacceptable, and we wouldn't accept a bank or internet service being offline for weeks or offline without a clear end in sight, and it's wrong that providers and pharmacists and patients continue to bear the brunt of the failure by a corporation that earned 371 billion last year to prevent or quickly remedy this. I am sure we will hear from Mr.
Witty about the things UnitedHealth has done since the cyber attack, but the bottom line is the status security practices were woefully inadequate and the company didn't have a plan in place to quickly recover from such an attack or minimize the damage to impact. While it is true the largest company in the country has dedicated resources to clean this mess up, it feels like too little too late for all those harmed, and to make matters worse we still don't know the full extent of the damage of this attack, and even if all the providers and pharmacies and patients were made whole and the system returns to normal, huge volumes of protected information appear to be in the hands of hackers, as they announced this could affect the privacy of a substantial portion of people in America. As part of the work in the federal consumer data privacy and consumer legislation, they have held numerous hearings highlighting the importance of companies adopting strong privacy protections. So it is extremely frustrating to have one of the largest companies in the world failing to meet obligations under existing law to adequately protect some of the most sensitive personal information, and talking about sensitive information like healthcare status or medications that we take or medical services provided. This never should have happened and shouldn't happen again, and they must do the hard work of adopting strong data security practices that include p
