UnitedHealth CEO Andrew Witty testifies about cyberattack | CBS News

Captions
personnel management. The FBI called that a treasure trove of counterintelligence information for foreign intelligence sources. UnitedHealth Group has not revealed how many patients' private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack. The failures of CEOs like Mr. Witty, who months in can't figure out how many people have had their data stolen, validates the FBI warning.

In the wake of this hack, United essentially disconnected Change from the rest of the health care system. It took weeks for Change to get back online, leaving health care providers all across the country, certainly in my home state of Oregon, in a state of financial bedlam. Doctors and hospitals went weeks delivering services but without getting paid. Insurance companies couldn't reimburse providers. Even today, key functions supporting plans and providers, including sending receipts for services that have been paid and the ability to reimburse patients for their out-of-pocket costs, are not back up and running. The small providers, particularly mental health providers, have been left holding the bag, stuffing envelopes with paper claims and unable to get straight answers on how long this outage is going to last. And patients are bearing the brunt of it: prescriptions went unfilled, patients were stuck at the hospital longer than needed, and Americans are still in the dark about how much of their sensitive information was stolen. The credit monitoring service Change is now offering is cold comfort to all of these frustrated patients across the land.

The Change Healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in American history. It is, in my view, Exhibit A that the country needs tough cybersecurity standards, and they're needed to protect critical infrastructure and patients across the country. The Health and Human Services Department doesn't require
health care providers, payers or health care clearinghouses like Change to meet minimum cybersecurity standards, unlike industries regulated by other federal agencies. Meeting a baseline of essential cybersecurity standards is a must, but it is meaningless without strong enforcement. Health and Human Services has not conducted a proactive cybersecurity audit in seven years. As it stands, if a company doesn't comply with the relatively meager cybersecurity regulations, the fines amount to nothing more than a slap on the wrist. In my view, federal agencies need to fast-track new cybersecurity rules for Americans' private medical records, and the Congress needs to watchdog this every day to make sure that what is getting done is the essentials of protecting patient data.

Finally, the Change hack is a dire warning about the consequences of too-big-to-fail mega-corporations gobbling up larger and larger shares of the health care system. It is long past time to do a comprehensive scrub of UnitedHealth's, uh, anti-competitive practices, which likely prolonged the fallout from the hack. For example, Change Healthcare's exclusive contracts prevented more than one-third of providers from switching clearinghouses even though Change's systems were down for weeks.

Accountability for Change Healthcare's failure starts at the top. Before this hearing, I asked the company which members of its board have cybersecurity expertise. United, uh, UHG pointed to the NCAA president, Charlie Baker, who signed some technology-related legislation years ago when he was governor of Massachusetts. He certainly seems to be an expert on basketball, but UHG needs an actual cybersecurity expert on its board. Mr. Witty owes Americans an explanation for how a company of UHG's size and importance failed to have multifactor authentication on a server providing open-door access to protected health information, why its recovery plans were so woefully inadequate, and how long it's going to take to finally secure all of its
systems. I hope that today's hearing can mark the beginning of a bipartisan effort here in the Finance Committee; that's what we've done on PBMs and a variety of other important issues. I encourage all the members of the committee on both sides of the aisle to focus on the subject in hand. That is because this is so important, it's so vital, and there's much to discuss. Senator Crapo.

Thank you, Mr. Chairman, and I appreciate you holding this hearing today, and thank you, Mr. Witty, for being here with us. On February 21, 2024, UnitedHealth Group learned that its subsidiary Change Healthcare was the victim of a cyberattack launched by a suspected nation-state-associated cybersecurity threat actor. In response, Change, the nation's largest health care clearinghouse, which processes $1.5 trillion in medical claims annually, disconnected all of its systems to prevent the hackers from obtaining additional data.

The fallout from this unprecedented attack has affected the entire health care sector. By crippling Change's functionality, the hackers left providers unable to verify patients' insurance coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills, or process prior authorization requests. In the immediate aftermath of the attack, many providers had to rely on reserves to cover the resulting revenue losses. An American Hospital Association survey found that more than 90% of hospitals were financially impacted by the cyberattack, with more than 70% reporting that the outage had directly affected their ability to care for patients.

More than two weeks after the cyberattack was announced, the Department of Health and Human Services released a public statement and guidance related to the incident. On March 9th, the Centers for Medicare and Medicaid Services made accelerated and advanced payments available to impacted Medicare providers. The administration's delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable
concerns about access to essential medical services and life-saving drugs.

While the February hack on Change was by far the most disruptive cyberattack on the health care industry to date, it was certainly not the first. According to a report by the Federal Bureau of Investigation, the health care sector experienced more ransomware attacks than any other critical infrastructure sector in 2023. In addition to the processing and revenue issues experienced by providers, patients' private identification and health care information was obtained by malicious actors during the breach. Unfortunately, personal health care data has become increasingly attractive to cybercriminals who seek to use that information for blackmail or identity theft. For patients, the emotional and financial effects of leaked private information can have a devastating impact for years. Although many of Change's functions have now resumed, trust in the security of its platforms needs to be rebuilt. We owe it to American patients and to our frontline health care providers, from health systems to clinicians and community pharmacies, to ensure that this does not and cannot happen again.

Today's hearing offers a valuable opportunity to learn from United's experience so we can better protect against and quickly react to future cyberattacks. Gaining a deeper understanding of how the hacker infiltrated Change will help identify and address gaps in our existing cyber structure, cybersecurity infrastructure. Evaluating steps taken by United in response to the attack, from disconnecting its platforms to notifying law enforcement, will offer lessons on how to build a more resilient and collaborative health care system moving forward. We must also assess the response of the federal government, which plays a critical role in those efforts. HHS has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active
threats, as well as best practices to deter intrusions and resources should an attack occur. Thank you, Mr. Witty, again for being here to discuss building a more secure, resilient and responsive health care system, and thank you, Mr. Chairman.

Thank you, Senator Crapo. Andrew Witty is the chief executive officer of the UnitedHealth Group. Prior to that, he was the executive vice president of the UnitedHealth and CEO of Optum. From 2008 to 2017, Mr. Witty was CEO and a director of GlaxoSmithKline. Mr. Witty, we appreciate your being here. Uh, I believe you're going to take five minutes or so to share your testimony, and we've got a lot of member interest, and you're going to get questions, and I'm going to do everything I can to keep them on this extraordinarily important topic. Mr. Witty.

Thank you, and good morning, Chairman Wyden, Ranking Member Crapo and members of the committee. Thank you for the opportunity to testify here today. My name is Andrew Witty. I serve as chief executive officer of UnitedHealth Group. Our mission is to help people live healthier lives and help make the health system work better for everyone. We pursue this mission through our two distinct businesses: UnitedHealthcare, which provides a full range of benefits, and Optum, which brings together care delivery, pharmacy services, and technology and data to advance patient-centered care. Change Healthcare is now part of Optum. It enables information, claims and payments to flow quickly and accurately between physicians, pharmacists, health plans and governments.

I appreciate the committee's interest in the recent cyberattack on Change Healthcare. As a result of this malicious cyberattack, patients and providers have experienced disruptions, and people are worried about their private health data. To all those impacted, let me be very clear: I'm deeply, deeply sorry.

Our response to this attack has been grounded in three principles: to secure the systems, to ensure patient access to care and medication, and to assist providers with
their financial needs. We have deployed the full resources of UnitedHealth Group in this effort. I want to assure the American public we will not rest, I will not rest, until we fix this.

Cyber experts continue to investigate the incident, and while we will learn more and our understanding may change, here's what I can share today. Cybercriminals entered a Change Healthcare portal, exfiltrated data and, on February the 21st, deployed ransomware. The portal they accessed was not protected by multifactor authentication. Our response was swift and forceful. To contain infection, we immediately severed connectivity and secured the perimeter of the attack to prevent malware from spreading. It worked. There is no evidence of spread beyond Change Healthcare. Within hours of the ransomware launch, we contacted the FBI. We continue to share information with them so that these criminals can be brought to justice.

As we've responded to this attack, including dealing with the demand for ransom, my overarching priority has been to do everything possible to protect people's personal health information. The decision to pay a ransom was mine. This was one of the hardest decisions I've ever had to make, and I wouldn't wish it on anyone.

As you know, we found files in the exfiltrated data containing protected health information and personally identifiable information, which could cover a substantial proportion of people in America. So far, we have not seen evidence that materials such as doctors' charts or full medical histories were exfiltrated. It will take several months before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the attack. Rather than waiting to complete this review, we're providing free credit monitoring and identity theft protections for 2 years, along with a dedicated call center staffed by clinicians to provide support services. Anyone concerned that their data may have been
impacted should visit changecybersupport.com for more information.

Meanwhile, we continue to make substantial progress in restoring Change Healthcare services. First, the team built a new technology environment in just a matter of weeks. Second, we prioritized our restoration effort on services most vital to ensuring access to care: pharmacy services, claims and payments to providers. And third, while these efforts were underway, we worked quickly to provide financial assistance to providers who need it. We have advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers. Most of these funds offer claims for non-UHC health plans, and about 34% of the loans have gone to safety net hospitals and federally qualified health centers. We will provide this assistance for as long as it takes to get providers' claims and payments flowing at pre-incident levels, and if there are providers in your states who need help, please put us in touch with them.

Fighting cybercrime is an enormous task and one that requires us all, industry, law enforcement and policymakers, to come together. I look forward to answering your questions today.

Thank you, Mr. Witty. Let me begin with this. This hack could have been stopped with cybersecurity 101, and I'm talking specifically about multifactor authentication, MFA. When your bank app asks you to enter a code sent by text or email, that's MFA. It secures your account even if your password is learned. Yet your testimony reveals this first server that was hacked didn't have multifactor authentication. So question one, I'd like a yes or no answer to, Mr. Witty: prior to the hack, did you or any of your senior management know that UHG was not requiring MFA companywide? Yes or no?

Uh, Mr. Chairman, thank you for the question. Our policy is to have MFA for externally facing systems.

So if the answer is yes, then that makes my point that on your watch it was a cybersecurity failure, and then that's what caused
the harm to patients, the health care sector and your investors. I don't believe there are any excuses for that. So my second question is: will you commit, within six months at the latest, to require multifactor authentication companywide and meet the tough MFA standards that are required of federal agencies? Again, a yes or no answer.

Uh, Mr. Chairman, yes, I'm happy to commit to that. In fact, I can confirm to you that as of today, um, across the whole of UHG, all of our external-facing systems have got multifactor authentication enabled.

We will take that as a yes. It shouldn't have taken the worst cyberattack ever in the health care sector for an agreement to do this bare minimum. Now, second, with respect to national security: people claiming to be involved with this hack have asserted publicly that they stole data on US government employees, including active-duty US military service members. My colleagues remember the 2015 hack of OPM government personnel data, which obviously posed very serious counterintelligence concerns, and I am very concerned, as I said in my opening statement, about the national security implications of this hack as well. Are you in a position this morning to say whether the hackers stole data pertaining to US government employees?

Uh, Mr. Chairman, thank you for the question. Um, like you, I'm extremely concerned about any, uh, patient's information, but particularly in the context you just described. Uh, so far, uh, through the process of working through the data, what we've been able to identify is indeed a substantial portion of people across the country's data could be implicated here. We do believe there will be members of the armed forces or and the veterans associated...

When can you give us in writing the number of military personnel affected and your best assessment of who they are? Can I have that quickly?

I give you my absolute commitment that is a week top priority. It will take longer than a week, but as fast as we possibly can we will get...

This is a national security
priority. Two weeks, I expect it.

We will absolutely prioritize that, sir.

All right. Let's talk about why things are taking so long, and particularly how hard providers are being hit, because they're paying the price for the failures that have been made on your watch. How much longer will a provider who sent in a claim for services delivered in February have to wait in order to be paid?

Mr. Chairman, thank you for the question. Our belief at this point is that claims flow across the entire country is essentially back to normal. Certainly from a UnitedHealth Group's perspective, we are paying claims as soon as they arrive. We're aware that other companies may not be paying...

Providers are telling me it's going to take until at least June to clear the backlog. Can you do that earlier?

Uh, we can move absolutely faster than that, and in the meantime we are providing financial support...

Expect to have that cleared?

Uh, we believe the system is broadly back to normal now. If there are any providers in state who you'd like to refer us to, we can make sure that they are...

Practically every provider I bump into is waiting to be paid.

Those payments from United certainly have been made. We are caught up, um, and we continue to advance significant interest loans for comm...

Will you commit to waiving deadlines for timely filings and appeals for claims until everything's back in order?

Uh, yes, so we have already waived those.

Will you commit to paying meaningful compensation to each provider and plan whose business operations you disrupted?

So we're happy to engage with providers to discuss that.

Please send that to me in writing, how the compensation system would work. Let me mention one other area very quickly. I've been following your very comments, and consistently your views seem to minimize the impact of your involvement. You say that UnitedHealthcare payments processing accounts for only 6% of payments in the health care system. My view is that's basically hiding the
ball. In 2022, the Department of Justice said that Change retains records of at least 21 million individuals going back to 2012. So how many people have actually been impacted, where did you find those files, and what medical information was stolen? I need answers to those three questions: how many have been impacted, where did you find the files, what medical information stolen?

Mr. Chairman, thank you for the question. As I've said, that is very much a top priority for us to get to the bottom of. We're working our way through that. As of this point, we have not identified anything like, uh, medical records or, uh, medical histories. What we have seen is claims information.

You don't have the logs that would show what data walked out the door? Because we have been working to get that, and we haven't seen it. Senator Crapo.

Thank you, Mr. Chairman, and Mr. Witty, the FBI has repeatedly warned that the health care sector is particularly attractive to cybercriminals. As your testimony notes, United alone experiences an attempted cyber intrusion once every 70 seconds. However, nationwide cybersecurity preparedness and response guidelines for health care sectors appear to be disjointed. Without disclosing proprietary or security-related details, how do you intend to revise United's cybersecurity protocols to incorporate the lessons that you've learned from this experience?

Senator Crapo, thank you very much for the question. First and foremost, let me reiterate how seriously we take this and how diligently we are working to make this right, both technically and also to make sure we understand the patient information implications. To your question of how we're responding to this: first and foremost, let me reiterate, we have an enforced policy across the organization to have multifactor authentication on all of our external systems, which is in place.

Well, can I interrupt for just a second? I think part of my question is, and you were about to get to that, but I want to be sure that you're
responsive to this: is it as simple as fixing the multifactor system?

It's multi-layered, sir, so that is one element, um, but it is only one element of the defense. Making sure, so for example, we now have implemented, in addition to our normal corporate-wide scanning of our technology environment, we've now brought external third parties to do double or treble scanning across our systems as a further protection layer. We've also, uh, made the decision to strengthen our oversight of cybersecurity at the company, uh, by bringing, uh, to our board on a, uh, every-meeting basis Mandiant, which is the leading cybersecurity advisory service in America. They have been extremely helpful in understanding this attack, and they have become a board advisor to ensure that we have the very best advice at the top of the company.

Would you agree that, uh, this type, and maybe even a stronger approach than this type, needs to become standard across our health care industry, everything from government to the private sector and, uh, frankly the entire aspect of our health care system?

Uh, Senator Crapo, I would agree with that, and, um, what we saw in Change Healthcare, which was a company which just came into our group a little over a year and a half ago, was a company which was an older company, had older legacy technologies, but I think is very typical of many small to medium-sized organizations in our health care environment, and therefore, uh, inevitably, uh, there is going to be a lot of work to be done to upgrade those standards. But I do agree with your assertion.

Well, thank you, and I'd like to move on to, uh, restoration and protection of patient information. Your testimony indicates both pharmacy services and medical claims are now flowing at near-normal levels. Is that accurate?

That's, I believe, yes.

And while this is welcome news, the effects of the cyberattack continue, from ongoing revenue backlogs to unfolding details about exposed patient health and identity information. Which functions remain offline, and
when do you expect 100% of Change's systems to be restored?

Uh, thank you very much for the question. So all of our core systems are now up and fully functional, so that means pharmacy processing, claims, payments. The systems which are not available are really ancillary support functions, so not determinative of the main claims activity or the payments, which is where the disruption has been caused. I'd also just like to emphasize that as soon as the attack took place, we encouraged, uh, providers to divert their volumes to other competitors to Change, of which there are several, uh, and many of them continue to operate through those channels, which is another way in which normal service was resumed.

Have you heard reservations from providers about reconnecting to Change, and if so, how are you working to address those concerns?

Uh, Mr. Chairman, yes, I think that's a natural and good concern for people to have. After a data, after an attack like this, you want to be reassured that the system is safe to reconnect to. That's why we disconnected so quickly in the beginning, so that we didn't infect anybody else. And the reason why it's taken longer than you might expect to recover is we've literally built this platform back from scratch so that we can reassure people that there are not elements of the old attacked environment within the new technology, at the new, uh, technical environment that we've created. And we're sharing all of those details with clients and customers as they reconnect, and I'm pleased to say they are reconnecting, uh, substantially.

All right, thank you. And finally, would you share an update on your understanding of the magnitude and the type of patient information that may have been obtained by the hackers, and, uh, when do you expect to begin the process of contacting impacted individuals?

Thank you for your question. We're working closely with the regulators on that last point of timing, how to and when to start communicating. We want to try and avoid piecemeal
communication, and it's our top priority to get this done just as fast as possible.

Thank you.

Thank my colleague. Just on this multifactor authentication: we know that, we heard from your people, that you had a policy but you all weren't carrying it out, and that's why we had the problem. Senator Blackburn.

Thank you, Mr. Chairman, and thank you for being with us. I'm from Tennessee. We have been absolutely inundated with phone calls since this came back. People are trying to get some clarity around your statement about a substantial portion of people in America being, um, affected by this, because right now it looks like anybody that is doing business with you. And I will tell you this: the reality that hospitals and providers are facing is wildly different from the rosy picture that you have painted. You have made a statement recently that payment processing by Change Healthcare is at approximately 86% of pre-incident levels. This morning you said that it was back to normal. And I will tell you this: there is a backlog that many of our providers in hospitals have from nine weeks of not being able to get in and make these claims. We have, um, and here's a good for-instance for you, a small independent private act hospital in West Tennessee, and they have diligently submitted all of their claims, and they are burdened with the backlog of Medicare claims that is equivalent to 30 days of revenue, and they're waiting for these things to be transmitted to Medicare, and this is all because of the missteps that you all have had. Now, every day they call to get an update. Every single day they're calling, and they get the runaround every single day, repeatedly. It is like you all can't figure this out. And the absence of medical care electronic remittance is compounding the problem, and it's requiring that manual payment processing, and of course this goes into labor cost, you've got error rates. So when can Tennessee providers and hospitals expect you all to clear the backlog, to catch up and be
back to normal?

Senator, thank you very much for the question, and I'm very sorry to hear the experience in your state of those hospitals. Uh, we will reach out to your office to find out the names of those hospitals. We will get connected with them...

Take every hospital, every provider. So we have hospitals that are pulling on a line of credit. Are you going to pay that interest? Uh, are you going to reimburse that?

Uh, we are offering interest-free loans directly ourselves and be more...

No, I said, are you going to pay these interest costs? Okay, let me move on with you, because one of the surprises, and the chairman just mentioned this, is the lack of redundancies that you all had built into the system. Now, your revenues are bigger than some countries' GDP, and how in heaven's name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable?

Uh, thank you for the question. Uh, first and foremost, um, Change Healthcare had only recently become part of UnitedHealth Group. We were in the process of upgrading and modernizing their technology. The attack itself had the effect of, uh, locking up the various backup systems which had been developed inside Change before it was acquired. That's really the root cause of why it's taken so long to bring it back. And as I, uh, and I emphasize that we have work to rebuild a brand new technical environment so that we know that it is modern and it's not infected from the attack.

Well, there may be excuses, but was there not a thought process put in place on the front end, as you were going through this, of how you would protect yourself from vulnerabilities?

Uh, so Change Healthcare came into the organization just about a year and a half ago...

I'm fully aware of that.

We were in the process of upgrading their technology when this attack...

All right, there again, um, for whatever reason, shortsightedness and not having a plan to incorporate is... Let's move on, Optum, uh, because it's widely acknowledged that
Optum's temporary assistance program fails to adequately address the financial setbacks that are caused by this. Now, we've got one Tennessee provider that disclosed receiving a one-time payment of $8,000, significantly below their usual daily revenue of $20,000, and these providers have resorted to tapping into personal savings, retirement funds, seeking loans from banks. And so are you going to cover all of those costs that they have had to incur in order to keep the doors open because you did not have an appropriate backup plan?

As important as this question is, briefly, because we got a lot of members interested. Answer.

So, Senator, thank you for the question. Very happy to engage with those providers. Um, we'll reach out.

Look forward to the engagement.

Thank you, Senator Blackburn. Senator Menendez.

Uh, Mr. Witty, your, uh, company's slow progress in restoring services and advancing loans to providers caused operational disruptions with consequences for providers, pharmacies and patients across the nation. For weeks, hospitals and providers had to deal with low loan offers and onerous terms from the company, in some cases less than 1% of their typical weekly billing, all while patients suffered. Your company is the nation's largest private health insurer and the largest physician employer in the country, earning billions in profits every quarter. It's unacceptable that it took so long to help providers during a crisis of your creating. Now, I'm concerned about what's going to happen on the back end. So do you commit to not exploiting the destabilized provider markets that you created to further acquire other subsidiaries? Simple yes or no would be great.

Uh, Senator, absolutely, we will not take advantage of that, and we have not. Um, I'd also like to reassure you, uh, we understand that in the effort to go quickly in terms of setting up our loan program, we didn't get all of the terms and conditions right. We fixed that very early, and we've now been able to advance $6.5 billion...
Let's talk about that. UnitedHealthcare, as you have just said, distributed claims, have distributed 6 and a half billion in financial support to providers, but you're dealing with an enormous backlog of claims estimated to be easily over 4 billion, with some estimates putting the total impacted services at many multiples of that. In other words, your accelerated or advanced payments were a tiny fraction of the total amount of services affected. It's my understanding that UnitedHealthcare and its subsidiaries know to the penny what the average provider bills in an average day, week or month, yet providers in my state and across the country were struggling to keep their doors open as they waited for these payments. What reasonable explanation could you have for taking so long to get these accelerated payments out the door?

Uh, Senator, thank you again for the question. Um, unfortunately United does not know, uh, the flows to folks from other payers than United, which is part of the reason why our initial approach did not, uh, was not as effective as we'd have liked to have been. We put in place a mechanism which, uh, for the vast majority of providers gives them authorization on interest-free loans within hours of application, and that remains open and available for providers who need it.

It seems to me almost incredible to believe that you do not know, uh, a company that is so long established, and you don't know the flow of what a daily, weekly, monthly amount is to a certain provider. That's hard to believe.

So, sir, we understand the flow when we are the payer, but oftentimes we're not the payer, and those would be the situations. And as I'm sure you're aware, we have been making loans to underwrite the cash flow consequences for other payers, not just United.

It seems to me that you wasted a lot of time trying to pull a fast one by imposing onerous loan terms on providers. Can you commit to not demanding loan repayments until the claims backlog is cleared?

Um, sir, we've, uh,
streamlined all of our terms and conditions, and yes, we've already told providers that there is no need to repay these interest-free loans until 45 days after they have concluded they are back to normal.

Do any of the loan terms prohibit health providers from working with any of United or Optum's competitors?

No.

Now, following the breach, you offered to do breach notifications for covered entities like hospitals and provider groups that are still grappling with severe and ongoing disruptions to daily operations. Now, this commitment is an important step in the right direction, as providers should not be bound by the burden of providing HIPAA-required breach notifications, but no prudent medical group can rely on vague promises containing no specifics with respect to timing or implementation. Providers currently face mounting concerns about their own regulatory exposure should United not fulfill these promises. Further, as more patients become aware of the possible disclosures of their sensitive information, they will turn to their providers for information and assurances, neither of which can currently be provided. So when can providers expect concrete details on breach notifications in writing from United Health Group?

Sir, this is our top priority. We want to get this done as fast as possible, and we're working with the regulators to ensure that we can get that communication as quickly as possible.

OK, so can you give us a time frame? Is that a week? Is it a month?

I think it will be in the next several weeks.

And what sort of documentation will United Health Group require of covered entities, and will agreements include information about limitation or waiver of liability?

That's something we're working through with the regulators so that we can be very clear to those providers.

I'd like you to respond to the committee when you get to that conclusion. Thank you, Mr...

Thank you, Senator Menendez. Senator Grassley's next.

Welcome to the committee. Last month I wrote to Health and
Human Services Secretary Becerra regarding protecting critical infrastructure within the health care sector. In that letter, I highlighted the need for a strong relationship between public and private partners to ensure the safety of US critical infrastructure systems. I also inquired about legacy information technology systems. Cyber attacks on our health care system not only have severe impact on our economy but put lives at risk. So my first question is, what's United Health Group's relationship with HHS and other government agencies as it relates to cyber security of the health care industry? How have HHS and cyber security and information security agency worked with your company in the aftermath of the cyber security failure?

Senator Grassley, thank you for the question. We've had a close engagement, I would say daily engagement, with particularly CMS within HHS. CMS have been extremely engaged and supportive through this, particularly in terms of how we've worked to support providers and to prioritize recovery of the system, and the FBI has been our prime partner in terms of law enforcement and response to the attack itself.

Does United Health Group use legacy IT systems that need to be updated? If so, what's been done to update?

So Change Healthcare is a good example of a company that came into our organization with older technologies, a 40-year-old company with many different technology generations within it. As we always do with new companies like that, we strive to upgrade them to the standards of United Health Group, which I believe are consistently higher than the companies that we brought into the organization.

I think you touched on it, but let me ask specifically: has United Health Group taken every available action to immediately remove memory safety risk in its IT and software?

Sir, could you just repeat that, please? I couldn't hear the second part of the question.

He asked you to repeat it. What? Repeat it, your question. Oh, refuse to answer it? No,
he just said he couldn't understand. Well, so you, he just asked you to repeat question.

Has United Health Group taken every available action to immediately remove memory safety risk in its IT and software?

I'm not sure I completely understand the question around memory safety risk. I can assure you that since the attack...

Why don't you do this: answer that question in writing.

Absolutely, happy to do, sir.

My understanding is that Change Healthcare touches one in three medical records in the United States. I'd like to better understand how Change Healthcare stores and manages patient data. How does Change Healthcare manage and store patient data? Where is the data stored? Is it stored by third parties? And at what point through processing, coding and storing is patient data ever sent overseas?

So Change Healthcare stores data both on premises in data centers and also, to a limited extent, in the cloud. As we've rebuilt the technology environment, we have moved much more into the cloud, which we believe creates a much more secure future environment.

According to the FBI, there were 249 ransomware attacks against the health care industry in 2023. Has United Healthcare Group experienced another cyber attack since February 21?

I'd have to come back to you on that. We have... we are under attack consistently. I'd like to make sure I'm accurate in how I respond to that question, and I'll be happy to come back to you on that in writing.

OK. Do you feel like your company is prepared for another cyber attack? And this will be my last question.

Senator, thank you for that question. We are doing everything we can to be as prepared as possible, but we recognize the pressure of the attacks that come in. I believe that we are taking every sensible precaution, and we brought in multiple third-party expert organizations to supplement our own teams. Where I hope we can also look for is ways in which we can start to reduce the attack pressure on the systems that
we're all trying to manage.

Thank you, Senator Grassley. Senator Cassidy is next.

Mr. Witty, thank you for being here, and thanks for the conversation you and I have had prior to this. First, let me acknowledge, I'm a doc, as I spoke to doctors back home, that the kind of worst case has passed, and many have said that it's resolved. So let me credit you for the hard work you've done. That does kind of present a different set of questions, please. One, you mentioned that United is waiving prior authorization, essentially, but Change handles lots of claims for other insurers, and as we know, sometimes prior auth is denied retrospectively, retroactively. So surgery will be approved and then at a later point it's unapproved and the dollars are clawed back. Some of the docs say, we don't know whether the shoe will drop in the future, whether it's a Cigna that will have a problem with the prior auth process, etc. To what degree has United worked with other insurers to address the uncertainty regarding prior authorization, and to what degree would United hold harmless a doc who is penalized, if you will, because of the damage done to the prior system through this from another insurer?

Senator Cassidy, thank you very much for the question, and I've very much appreciated the time you've spared to talk through some of these issues with me, and I actually followed up after our last conversations on some of these. From a United Healthcare perspective, I'd like to confirm that when somebody applies for a prior authorization and it's granted, we never go back to contradict it. We never go back in time to change it if they've already acquired that. To your broader point, we are very, very supportive of efforts to modernize and enhance prior authorization in ways that can be much less burdensome on the system and much more effective in terms of ensuring patients get access to safe...

Yes, but as regards the other insurers in this particular process,
if Change was an intermediary with Cigna, I keep using them because they come to mind, and there's an issue of prior auth, how will that be handled?

So in that situation, that would be a Cigna responsibility.

Has United reached out to Cigna to try and kind of, you know, smooth it over, kind of in this period in which Change's, the ability of Change to provide that central function has been brought down?

So thank you, I'm clearer with the question now. Let me reassure you that we've made clear that where people have acted in good faith during any outage, so for example a pharmaceutical was dispensed by a pharmacist without getting authorization, they thought that was OK, there was no system to check, we are honoring all of that. We, even if it's through Cigna, we will cover that.

Then let me ask you, and this is a broader question and something for this committee to consider. In our conversations, and I gather on an earnings call, you pointed out that when asked about the breach, the cyber attack was paradoxically a validation of the size and scope of United's business practice. I've been told, Washington Post article, that 5% of US GDP flows through United every day. Now, yes, but if you read somebody by Nicholas Taleb, he would say that the fact that you're so big and so dominant presents a special vulnerability, and that yes, you have the deep pockets by which to address this, but the very fact that you're so big means it had a wide-ranging ripple effect that was outsized. And so I think for us, we would have to ask, is the dominant role of United too dominant? Because it's into everything, and messing up United messes up everybody.

Senator, thank you for the question. I think it's really important to be clear that the Change footprint and activity was exactly the same on the day it was attacked from before it was acquired by United Health Group. It didn't change because of United Health Group.

Yes, but if we try... but I don't want to limit our imagination to just
Change. If 5% of our nation's GDP goes through United every day, then is there something else that could be incurred upon United that would have even farther-reaching effects?

So as we look across the whole of United, we continue to be, as always, focused on how we defend and protect the organization. We look to how we can upgrade organizations...

That's not my point. My point is, is the size of United become a, it's almost a too big to fail... because if it fails, it's going to bring down far more than it ordinarily would.

I don't believe it is, because actually, despite our size, for example, we own no hospitals in America. We do not own any drug manufacturers.

But don't, I know that y'all own like some incredible percentage of physician practices now.

Actually, we employ less than 10,000 physicians. Hospitals across America employ 400,000 physicians. We contract and affiliate with a further 880,000 physicians who voluntarily choose to work alongside our Optum colleagues. So we're very proud of the physicians who work for us, but oftentimes I think people confuse the affiliated and contracted physicians with the employed physicians, where we employ less than 1% of doctors in America.

I'm out of time. Thank you.

Thank you, Senator Cassidy. This is an extraordinarily important issue that you're raising. This is classic too big to fail kind of policy, and I said a while back, I believe that the bigger the health care company, the bigger the responsibility to protect its systems from hackers. And I think there are going to be senators on both sides of the aisle who want to pursue what you're talking about, and I look forward to working with you. Thank you. Let's see, our next person in order of appearance would be Senator Warren.

Thank you, Mr. Chairman. So, Mr. Witty, in 2023 United Health raked in a whopping $22 billion in profits, making you the most profitable health care company in the country. In fact, by revenue, United Health is the 11th largest company in
the entire world. Now, Mr. Witty, United Health Group owns the country's largest insurer, the country's largest claims processor, the country's third largest pharmacy benefit manager, a huge pharmacy chain. It is the largest employer of physicians nationwide, or controller, with at least 90,000 physicians, as you just testified. That's about one out of every 10 doctors in the country. Is that correct about your size?

So just, thank you, Senator. As far as the physicians are concerned, we employ just under 10,000, and the rest are...

Control over about 90,000.

I would say not controlled. They choose to work with us.

OK, great. Because, you know, United Health has bought up every link in the health care chain, you are now in a position to jack up prices, squeeze competitors, hide revenues and pressure doctors to put profits ahead of patients. United Health is a monopoly on steroids. The opportunities for price gouging are everywhere. For example, United Health is the biggest participant in Medicare Advantage, the government program that pays private insurers to administer Medicare benefits. With this web of subsidiaries, United Health is well positioned to rake in more taxpayer money by using a practice called upcoding to make enrollees look sicker, that is, noticing that a patient has a cane and adding a diagnosis of vascular disease to the medical chart even if there's no clinical basis for the diagnosis and no treatment planned. Mr. Witty, according to a 2019 investigation by the HHS Inspector General, United Health was far and away the most aggressive abuser of upcoding practices. Do you know how much, according to the Inspector General, United Health cheated taxpayers out of in 2017?

Senator, thank you for the question. I'm not familiar with that particular piece.

The number is $3.7 billion, and that's in just a single year, and that's from only two upcoding practices. You know, that was 5 years ago. Now, as we speak, is United Health under investigation from the
DOJ for, among other things, your billing practices?

Senator, thank you for your question. We have a long-standing practice of not commenting on matters such as that or things like mergers and acquisition.

Well, I understand why you might not want to comment on it. Public reporting from The Wall Street Journal confirms that it is, although your company has not disclosed this investigation. In fact, yesterday I sent the SEC a letter raising concerns about over a hundred million in stock sales that United Health executives made in the days and weeks... the hearing record, if I can, Mr. Chair.

...objection, s...

OK, so United Health is huge, and it boosts its multi-billion dollar profits with, among other things, illegal billing tactics, and that takes me to the data breach. After the largest cyber attack on the health care industry in American history, quote, put hundreds of thousands of health care providers at risk of collapse, United Health is now using the crisis to expand its monopoly even further. For example, in Oregon, United Health tried to purchase a local physician practice but faced enormous public opposition. After the data breach that we're talking about today, these doctors couldn't get reimbursed for their services, which pushes them to the financial breach. So what did United Health do? They filed an emergency petition with regulators to allow them to acquire the doctors' practice on an expedited basis. Mr. Witty, will this acquisition make United Health even bigger?

Senator, thank you for your question. I'd just like to also put on the record that we, as an organ...

I had a very simple question. Will it make United Health, this giant, this 11th largest company in the entire world, even bigger?

As new organizations join us, the organization, I hope, becomes better. As new physicians, examp...

Better, we've already talked about your business practices. The question is bigger. Will it make United Health bigger?

As we grow, we become larger, yes.

Yeah, OK. So, you know, United Health is using its own data
breach to snap up doctors' practices that have been driven to the edge of bankruptcy by that same data breach. It's no wonder that United Health told its shareholders that this data breach would have, quote, no material impact on the company's finances. United Health will stop at nothing to grow bigger, bigger and bigger. As we speak, United Health is trying to pick the bones of Steward Health Care in my home state of Massachusetts, which was ruined by private equity and corporate greed. It is time for regulators to say no to these efforts to get bigger and to suck even more health dollars away from patients and providers who need it. For the sake of our patients, our doctors and nurses, and the American taxpayer, it is time to break up the United Health monop...

...colleague has expired. Next in order of appearance would be Senator Johnson.

Thank you, Mr. Chairman. Now for a different perspective. The largest financial entity in the world is the United States federal government, but will spend close to 7 trillion dollars this year, and kind of view the 535 members of Congress as the board of directors. So this board of directors has allowed this largest financial entity to incur 35 trillion dollars' worth of debt. The largest financial entity in the world gets hacked all of the time. Last year, according to GAO, we had $236 billion of improper payments through all these government programs run by the largest financial entity in the world. So again, I just want to put a little balance here. I'll state the obvious. United Health, you were a victim of a crime, correct?

That is correct, sir.

I'm actually sympathetic with people who are victims of crime. I don't think you went out and sought to be hacked. I mean, what I was hoping this hearing be more about is, you know, you utilize your experience to figure out what went wrong so that other people watching this can try and correct it. And as we sat down yesterday, I appreciate you taking the time meeting with me, you know, talking about Change
Healthcare, there was one server that didn't have dual authentication, that was the source of the breach. And again, the cyber attackers are very sophisticated and they exploit those weaknesses. This is a weakness, is very well known. I mean, most hacks occur because of those types of security breaches that, again, in a large end it's hard to please tell that. Can you just kind of describe, first of all, the history of Change Healthcare, how it's built, why you bought it, what it's supposed to function?

Senator, thank you for the question. So Change Healthcare grew over about 40 years through a series of its own acquisitions and organic growth to become a network connector across the health care system. It's probably one of four or five companies who do the same kind of thing.

And the same kind of thing is, processes payments, cor... process claims, send claims from providers to payers and then send payment back?

Exactly.

And a reasonably complex thing to do?

Highly complex.

You know, with Medicare rules and insurance rules, I mean, it's a complex thing to do.

Exactly. And importantly, it's a software and network business, not a pipeline business in a physical sense. So when it's attacked, the vulnerability is that the software is impacted or encrypted, and that really freezes the whole system, which is why this has been such a devastating impact.

So in this polyon subsidiary of United that you purchased, it had been built up over years through private equity, there was either one group or one... I mean, describe exactly where the vulnerability was.

Yeah, so we were in the process of upgrading the technology that we'd acquired, but within there, there was a server which, I'm incredibly frustrated to tell you, was not protected by MFA. That was the server through which the cyber criminals were able to get into Change, and then they let off a ransomware attack, if you will, which encrypted and froze large parts of the system.

And you found out, I
mean, you found a very... when your IT people were aware of the breach, you were notified immediately and you contacted the FBI within a couple hours, correct?

All on the same day. So February 21 I was told, I was at a board meeting, they came in and told me on February 21, and we called the FBI the same day.

But you'd probably been breached how soon before that?

We think, in hindsight, we didn't know at the time, but as we've gone back and done the forensics, we believe they entered probably nine days before.

And my previous work on homeland security, I think it averages about a couple hundred days the hackers are actually inside the system exploring it for the vulnerabilities before all of a sudden they're made known. So again, these are sophisticated actors here. What was your response then? I mean, what did you do?

The minute we knew about this, in fact even before I'd been briefed, our team had followed the right steps and disconnected Change from all other connections, because it was critical to prevent the infection affecting any other provider or network in the country. That worked. We know that did not happen. So we contained the blast radius to just Change, and then it...

So you shut down the system?

We shut down the whole thing.

Obviously denying your customers payment, which, and you've admitted, you know, you could have handled that better, and this is hard, you're dealing with very difficult things to do here. But then you established this interest-free loan program. In general, I mean, percentage of your customers, how many are satisfied with your response to this versus the ones that are still pretty upset with you?

So, Senator, first of all, you're right, we didn't get it right first time. In the first week or so, quickly changed that, and I think since then we've had extraordinary uptake from folks across the country, and I believe, certainly judging by the correspondence I get from small providers in particular, how grateful
they are, not just for the loan but for the ease with which it was provided. Usually in just hours or overnight they've been able to be supported, and we continue to issue those loans today, even though we believe the overall system is back to normal, because we do know some people have not been paid yet.

Well, thanks for your testimony. Thanks for allowing yourself to be subjected to this.

Thank you, Senator.

Thank you. I'm going to go to the senator from Nevada in just a second, but I want to also make sure, because you've been all over the map with respect to personal accountability and you have consistently downplayed your role in this, and your head of cyber security told us last week, you know, about this, and we still need to know whether you knew that you didn't have MFA. Did you know that on this server in Change?

No, absolutely not.

Why not?

Well, so as the company had only recently, relatively recently, come into the group, it was in the process of being upgraded.

But why wasn't it the first thing you would do?

So my understanding is that when Change came into the organization there was extensive amount of modernization required, and unfortunately and very frustratingly, this server had not had MFA deployed on it prior to the attack.

But you, coming in, would say we've got to deal with this. I mean, this is the first server. This is not an abstract issue. Senator from Nevada.

Thank you. Mr. Witty, let me follow up on some of the line of questioning here. You paid a ransomware, correct, to the hackers?

That's correct.

How much?

2 million.

And the information that the hackers obtained, was that identifiable patient information?

We believe yes, they exfiltrated PII and PHI.

And that's the most personal information, health care information, individuals would provide to you, correct? And don't you have an obligation to protect that information?

We certainly do, and we take that obligation very seriously, and of course we're incredibly frustrated by this attack.

And
by law you're required, actually, to protect that information, both state law and federal law, correct?

That is correct, and we take that obligation very seriously.

And under that same law you're also required to notify those affected partners and patients that their data, their personal data, has been compromised, correct?

Yes, Senator.

And you haven't done that yet, is that right?

No, we're still working...

How long is that going to take you?

So we think that will still take several more weeks to finish the data analysis to understand what is there.

And you've been saying several more weeks since what? This attack was how long ago? 69 days ago?

Yes, and thank you for the question. We only were able to start this process about a month after the attack, when we got the data set back and were able to deal with, start to interrogate it. It's a very complex process. We're trying...

Is it complex because you have so much patient data that it is hard to actually identify all of it?

No, it's more complexity of the data structure and making sure that we get it right, and making sure that we're notifying people of the correct information.

So as we sit here today, there are many patients who do not know their health care information has been compromised, so they can't put protections in place to protect themselves against identity theft. Is that correct?

So we have not yet been able to notify people, but we have not waited...

So let me jump to something else that is happening that I'm hearing in my state. Nevada Health Centers is a federally qualified health center with locations across the state of Nevada, and they rely on Change Healthcare for real-time patient eligibility verification. I am hearing, despite portals being back online, that critical provider and patient information is often missing or mismatched, with nearly 50% of payer information being inaccurate. Health Center seeks clarity on when these systems will be corrected but have struggled to get a reliable
answer from United Healthcare Group. So I'm hoping you can provide that clarity. When will the real-time eligibility and benefits verification functions of the Change Healthcare network be up to date and accurate?

Thank you for that question. If I may, I will come back to you today with that information. I do not have that with me right now.

OK, so I hope you do, because not just my health care centers but across the country many are asking this question. And for that reason, you're aware that providers must adhere to timely filing deadlines set by insurance companies for claim reimbursement. If they miss these deadlines, insurers may deny payment, leading to delayed patient care and increased provider burden. The recent Change Healthcare hack, requiring United Healthcare to take its systems down for a week, undoubtedly poses challenges for providers in meeting these deadlines. Will you commit to extending United Health plans' filing deadlines for any claims affected by the Change Healthcare hack and subsequent system outage?

Yes, absolutely.

And will you agree to extend the filing deadlines for claims filed before the February 21st cyber attack, considering that the appeals processes for these claims have been disrupted by United Health Group's systems outage?

Again, we're happy to do whatever is necessary to make this impact as minimal as possible for the provider. Yes.

That would be yes. Thank you. So let me also address this. I am concerned about the lasting effects of United Healthcare Group's cyber security failure on the health sector. Providers that I am hearing from have faced dramatic drops in revenue and are missing out on interest from delayed payments. In Nevada, one health center reports spending $122,000 every week on overtime for staff who are dealing with the billing and eligibility issues caused by this Change Healthcare outage. For many small providers in my state, missing just two payments could force their foreclosure. So my question to
you is, what steps will United Health Group take to compensate providers for the administrative cost they are incurring due to this cyber attack?

So thank you very much for the question. First and foremost, we continue to make available the interest-free loans, and secondly, more than willing to engage with individual providers on their circumstances as you described.

Interest-free loans will address these administrative issues, or are there conditions upon the interest-free loans that they have to respond...

There are no, sorry, there are no conditions on the interest-free loans other than that they would be repaid 45 days after the provider has confirmed that they are back to normal.

OK. Thank you, Mr. Witty. Thank you, Mr. Chair.

Thank you. Thank my colleague. Senator Tillis is next.

Thank you, Mr. Chair. Thank you for being here, Mr. Witty. I'm trying to get, I know people have asked questions about your redundancy plan and multifactor authentication. Can you give me some sense as to whether or not either internal or external audits identified this as a compliance or audit risk in the past, for the, for MFA on this? I've got to believe that any qualified internal or external auditor on systems controls would have identified multifactor authentication not being in use as a major risk factor. Do you know if there's a record out there that management would have been made aware of this particular server?

Yeah, not that I'm aware of.

OK. It'd be interesting for the record if we can find any information from either your internal audit or external audit if that was identified as an actionable matter. Tell me a little bit about redundancy too. I used to work in redundancy, building redundant systems, cutover systems. It sounds like it was not a very smooth cutover. So how did that not make it through a system audit as well?

Thank you very much for the question. So I agree with you that it's very
frustrating that there wasn't a quick redundancy switchover. The attack...

I mean, you are an information technology provider at a large scale.

That's right. So within Change Healthcare, which again was a company that had only recently come into our organization and was in the process of being upgraded, the attack itself implicated both the prime and the backup environments, and that was partly due to the age of the technology and the fact that large amounts of it were not in the cloud. The elements which were in the cloud we were able to bring back almost immediately. The elements which were in the older data centers and had within them multi-layers of historic legacy technologies, that was the challenge on the restart.

Well, you know, I actually brought in, I used to bring this to, when I was on Senate Armed Services, I had to give up Senate Armed Services to get on Finance, but I always brought this book in when we had cyber attacks. It's called Hacking for Dummies. This is the fifth edition. It doesn't include the nature of the breach that you all developed, that, this is some basic stuff that was missed. So shame on internal audit, external audit and your systems folks tasked with redundancy. They're not doing their job. And as a result, we have a data breach where, I've said in Judiciary Committee, this is the first meeting I've had where we're talking about data privacy, data breach since I've been on Finance, but I really do believe it's your problem to fix. And the damage to the consumer data is, you got to keep them whole. Your entire enterprise is based on the movement of data, movement and exchange of data. That's how you create value. My health records, the health records of people that are moving. So when you have a breach, it's got to be your problem, not my problem. And so everything that you do to keep those folks' information, those folks whole for any damage in the breach I think is just a
a function of doing business. Do you agree with that?

I do. So we've leaned in to take full responsibility on notification, and we aren't waiting for that notification. We've already stood up credit protection, identity theft protection for anybody who can, and they can reach us through a 1-800 number or through our cyber support...

It raises interesting challenges about timeline, etc., but we'll submit some questions for the record about just how long you're willing to make that commitment and how easy it is. I for one do not want... I got a notice, you know, on possibly being involved in data breach, and it was kind of interesting, say, we will help you with your problem, and I'm thinking, no, I will help you with your problem, but you are not going to make this difficult for consumers, and we'll be keeping track, and I'm talking to those folks. I'm going to take it at face value you're going to do it right, but this is not the problem of the person who now may have to deal with the consequences of the use of their data. It's got to be your problem to fix. But Mr. Chair, I just want to bring up, I hope that we can get back, if you remember about three or four years ago, after Europe passed the GDPR, which is data privacy, data breach, everybody was talking about how Congress needed to act on that, and Congress has done nothing, in part because it's a multi-jurisdictional issue that wades into Commerce, wades into Judiciary, I think there's a third committee as well. We are making a huge mistake by not having federal rules of the road on data privacy, data breach and how these enterprises have to mitigate things, and we've really got to work on it, because now we've got a patchwork of over a dozen states that are doing it differently, and I think it creates distraction and cost for the businesses that take them away from actually protecting our data. So hopefully we can work on this. It's a very critical subject, and I'm all about making sure that the people
whose data has been captured, um, or kept hold.

Thank you, Senator Tillis. A couple of very important points you make. The last one, in terms of bringing together the various committees, is essential. I don't want to leave, though, the other important point that you make: multifactor authentication is vital for prevention, but redundancy, which you touched on, basically helps the company get back on its feet. This company flunked both, and I thank you for it.

Mr. Chair.

Senator Lankford.

Mr. Chairman, thank you. Mr. Witty, thanks for being here, and, uh, there's a lot of conversations happening around this dais. I appreciate our phone call that we had a couple of days ago just to be able to talk through some of these things in greater depth. I do want to tell you a story, uh, getting started, that's, um, I'm going to combine several people together, uh, just to be able to tell you a story, uh, for an Oklahoman that lives in a rural area. She's in her mid-70s. Uh, several years ago she used to go to her local physician, but that local physician practice has closed down because of just the administrative burden. They couldn't keep it going. So now she drives to a hospital, it's about 30 minutes away, to be able to meet with the doctor there. She, that, the hospital and that physician is on her insurance, uh, she's Medicare Advantage, uh, but by the time she actually scheduled an appointment, she actually lined up the appointment and found out, no, they just switched off. They're no longer on Medicare Advantage, uh, but they were when she originally scheduled, when she originally signed up for the plan. Uh, then when she finally goes to the doctor on that, she gets there, um, the doctor needs to run some tests, but she can't get the test done that day because they have to do a prior authorization with the insurance company. So she has to drive home, when it's a test that she needs, they could do that day, but they can't do that day because they're waiting on prior authorization to be able to go through. The hard part is
two years later, that hospital has just stopped taking Medicare Advantage at all, as we've had several of our hospitals do in Oklahoma, saying that just the realized reimbursement is 20% less than Medicare. They just can't keep up with Medicare Advantage because all the prior authorizations and because all the denial of service, so they've just stopped taking Medicare Advantage entirely, which for her really puts her out in a difficult spot. She goes to her local pharmacist that she's gone to for years and finds out that there's pretty remarkable pressure on them and they're going to have a hard time. They're not sure they're going to be able to stay open. But her insurance company tells her, hey, we want to do mail-order pharmaceuticals, but she has pretty complicated chronic diseases and she wants to have somebody that she can talk to. I wish this was a story that wasn't true, but it is, and it's the complications. Now, you've been engaged in, United's engaged in all of those areas, both in the PBMs, both in Medicare Advantage. This is not a story just on United. This is just a reality that we're facing here, especially in rural areas, and in my state of 4 million people, 2 million people live in an urban area and 2 million people live in a rural area. So it's a reality for those folks that live in a rural area, of those exact challenges that I laid out. Not asking you to answer all of those. I guess I'm just saying those so you'll hear it, because that really is a reality of what's happening on the ground, uh, every day in rural Oklahoma, and they just want to get health care and want to just be able to get access to that. I do want to clarify something you and I talked about. It is when hospitals and pharmacies will be made whole after all of the issues of the reimbursements. When everything's done, when is that target time when everyone will be made completely whole?

Uh, Senator, thank you very much. Just on your first comment, if I may, um, I'm 100% aligned with the aspiration you
described there in terms of how we can help modernize the system, and clearly that is not for one company all, and it's a government, state, company, uh, obligation. We do need to reduce, for example, burnout of physicians. We need to make it easier for seniors like the lady you described in Oklahoma to navigate this system. We need to be able to provide that help. We need to make sure that the system is timely and responsive in how it helps those folks so that they get access as quickly as possible. That's what drives every single person at United to try and improve, and we are very open to ideas and suggestions of how we can improve. That's why, for example, in just in the last year, we've eliminated 20% of all of the prior authorization codes which existed a year ago. So I just want to reassure you of our commitment and our sentiment to do exactly what you're looking for in terms of helping to streamline the system.

Be very helpful, and I know, as we've talked about offline as well, there are families that, they do sign up with a specific plan because they know their physician in their hospitals in that plan, and they sign up in October, November, but when they make their appointment in January, they, or February, they suddenly find out, no, that just switched. It switched over in January, though they signed up for it in October. They need to know that if they sign up for a physician, that physician is going to actually be there.

I certainly agree with you, sir, and provider directories is one of the key areas which we all need to try and work together to be better at. In terms of making whole, we continue to make sure that the, uh, interest-free loan funding capacity remains available for people all the way through completion of this, and, uh, we'll work with individual providers on other issues that they're concerned about.

What do you think is the date when everyone's made whole?

I would hope that that's in the next, um, months or six weeks.

Okay, that'll be helpful for all those providers.
You and I can talk later on this one, but any specific ideas on the other side of this that the FBI can have, as you know, I serve on the Homeland Security Committee as well as your own Finance, so I'm dealing with both sides of this, um, ransomware attack, things that the FBI could have done better, things that would have been more helpful proactively, or information that would be helpful. So if any of the folks in your company want to be able to pull together a list, that we can help work on that side of it as well.

We'd be very happy.

Time of my friend has expired. As reluctant as I am to break up this friendship here, we've got so many people coming and going. Senator Brown, you were next, and then I very much want to get Senator Casey in very quickly, but if we kind of keep breaking this up, it's going to be Bing here. Senator Brown.

Uh, thank you, uh, Mr. Chairman. Uh, Mr. Witty, welcome. Glad you're here. In addition to being a large insurance company, UHG also owns and operates a PBM, as you know, Optum Rx, which tells you a lot about the problems going on in health care system. I hear from so many independent pharmacy owners in Ohio who are forced to make impossible decisions, including considering dropping out of Medicare Part D, even having to close their doors entirely. A couple who runs five pharmacies came to me. They've shut down because of PBMs. The same story: driving up cost through abusive practices like imposing punitive direct and indirect remuneration, or DIR, fees on pharmacies. Were you aware, Mr. Witty, that in a recent National Community Pharmacists Association survey of independent pharmacy owners and managers, over one-third reported they're considering closing this year due to financial constraints? Are you aware of that?

I have, I am certainly aware of similar research, yes.

Okay, thank you. Do you acknowledge that PBMs played a significant role in at least some of those closures?

So thank you for the question. From our PBM, Optum Rx, we're actually, for example, we do not have DIR fees. We are not doing
Back to the question. Do you acknowledge that PBMs play a significant role in some of those closures?

Um, I don't necessarily believe that to be the case. I think the PBMs provide a very significant service in a variety of support to clients who are looking

Well, it's, sorry to cut you off, I have only five minutes. It's clear that DIR fees contribute to local pharmacy closures. As I said, I just met with two Ohio pharmacists last week forced to close their stores. They are in rural areas, five pharmacies in five different communities, where those community people, those communities will have to drive at least 5 or 10 miles. Um, they had record sales, but PBM practices meant they can't even break even. It's clear that PBM, that your PBM your company owns is making massive amounts of money. You know that. I assume you've probably bragged about that. Last year PBM reported revenues of $116 billion, so it's pretty clear you could lower, eliminate those fees and still be making plenty of money. Will you commit today, in front of the Chairman Wyden in this committee, to lower and, when possible, eliminate DIR fees to save community pharmacists in Ohio and across the country?

Senator Brown, we have already eliminated DIR fees, and absol...

Will you help us in the industry convince some of your colleagues to do the same?

Uh, to the extent that we're able or allowed to do that, uh, we will certainly encourage that direction.

Okay. It's clear that a number of PBMs are not going to reform, uh, on their own. It's why we urgently need to pass this legislation, Mr. Chairman, to rein in, uh, these corporate middlemen, uh, and we need to pass it this Congress. Um, moving on to something Mr. Lankford was talking about, this cyber attack put a financial burden on the doctors and hospitals, pharmacies and health systems in Ohio due to disrupted payments, and particularly community health centers are facing some of the most dire consequences from this attack. You know how important community
health centers are in Pennsylvania and Ohio and Idaho and Oregon. They serve patients, often the most vulnerable. They operate on slim margins. There's a health center in my hometown of Mansfield, Ohio, whose revenue dropped from an average of $600,000 a week to under 200,000 a week due to this attack. Unacceptable, of course. Health systems can't continue to operate like this without certainty that they'll be compensated for these kinds of losses. What is United's plan to compensate providers and health systems who are bearing these additional financial burdens because of this breach?

Uh, so, thank you for the question. So in the context of the, uh, family health center you're describing, Mansfield, in that situation we have our interest-free loan program. Over $2 billion have gone to family, uh, health centers along like the ones you describe, and we'd be very happy to reach out to your office, and if that particular provider has not yet taken advantage of that program, it is still available, and it would bridge the gap in the cash flow that you described.

And these loans, though, will be, they will be required to pay back only when they are fully back to normal and all backlogs have been cleared, and they, not me, but they confirm that their cash flow is normalized. They will make the determination of back to normal. Correct, and then they will have 45 business days to then start the repayment, so two calendar months. And low-interest loans precisely means what? No interest. No, no, no interest loan. No interest, no fee.

Thank you.

Senator Casey.

Fortunately, Mr. Chairman, thanks very much. Mr. Witty, good to be with you. In public statements, United Healthcare claims that the vast majority of services has been restored to pre-cyber attack levels. You spoke about the company's efforts to make providers whole. I continue to hear, however, from providers in Pennsylvania who are struggling to serve their patients as they await reimbursement for the care they're providing. Dr. Christine
Meyer, who owns a practice in Exton, Pennsylvania, southeastern part of our state, initially looked into taking out a home equity loan to keep her practice afloat. She reached out to United Healthcare to participate in your loan program, but she was only offered $44,000 a month, which would cover 8% of her monthly expenses. Now, months later, she's finally receiving, and finally received, I should say, a more generous loan from Optum, but she's worried about the repayment terms. She said the terms are unclear, and she's worried that she'll have to pay back these loans before her practice is fully up, uh, and running. Would you commit to supporting providers, uh, like Dr. Meyer by delaying the deadline for their loan repayment until the backlog of claims has been cleared, regardless of the time frame?

Senator Casey, thank you for the question. Let me first off apologize to Dr. Meyer for, um, the delay in getting the right level of loan capacity to them, and in the effort to move quickly here, we recognized we didn't get it right always at the very beginning of this process. I think we've improved that dramatically, and that's why I'm sure she was able to get the kind of full loan she has. I'd like to absolutely confirm to you and Dr. Meyer that we have no intention of asking for loan repayment until after she determines that her business is back to normal, and even then we would not look for repayment until 45 business days, 60 calendar days, after that, and there would be no interest and no fee associated with that loan.

So it would be a determination she makes?

That's absolutely right.

And secondly, I wanted to ask you about the risk, especially when, in the context of children, um, and seniors, when, uh, the obvious risk when health care or financial information is breached. In the context of a child, the child's data is stolen, it can be a blank slate for cyber criminals to open up bank accounts and apply for loans, and it can take obviously years, if not longer, to repair the damage. For seniors, for
older adults, whose rates of victimization from scams has been skyrocketing in recent years, a data breach means even more of their information is available to scammers to use against them in the future. United Healthcare still hasn't notified any victims of this cyber attack. It's been more than two months, but according to the company's website, it will take, quote, several months, unquote, to identify and notify impacted consumers, uh, or customers, I should say, and individuals. And I think it's clear that if United had stronger defenses, like multifactor authentication, um, then this could have gone very differently. At the same time United is growing and expanding, uh, it's lacking adequate and protective cyber security infrastructure to secure people's most private information. So I'd ask you this, and two questions. One is, in the context of a parent, parents who are worried about their child's personal and private health information being out there in the world for the rest of their lives, what would you say to those parents?

Uh, Senator Casey, first off, I'm very sorry that this situation has happened and there has been a data theft. Um, uh, we are working, uh, incredibly hard to get that information, and working with regulators to get notification as fast as possible. Uh, we've also done everything we can to try and minimize the possibility of that data in fact leaking out, uh, at all. I just want to reassure any parent, any individual, uh, already today, prior to notification, anybody in America can call us or come on to our cyber support website for Change, and already the service is available to provide two years credit protection, two years identity theft protection. It's as simple as making the call to 1-866-262-5342. If you ring that number, within the first few seconds of that, folks will offer those services. Is a very straightforward thing to do, available to anybody.

Thanks. I'm out of time, but I will submit one question for the record. Thank you.

Senator Casey,
before you leave, um, I just appreciate your standing up for families, and we're going to have some more discussion of this, because I happened to think, Mr. Witty, credit monitoring is the thoughts and prayers of data breaches. This is absolutely inefficient, and I'm going to ask some more additional questions here shortly. Senator Hassan.

Well, thank you very much, Mr. Chairman and Ranking Member Crapo, for this hearing, and thank you, Mr. Witty, for being here today. Following the February cyber attack on your subsidiary company, I heard from New Hampshire hospitals that saw nearly all of their revenue disappear overnight. You and I subsequently had a series of discussions about the need for United Health to provide financial assistance to hospitals under fair terms. While this shouldn't have been necessary in the first place, I appreciated your work to change the terms of United Health's assistance program to provide fair relief options to these hospitals during what was an unprecedented crisis, though there is a long road ahead to return to normal operations. So I have a couple of questions, um, and I'm hoping we can get through them. Let me start by following up on a question, uh, that Senator Cortez Masto asked. In United Health's April 22nd press release, the company stated that personal information for, quote, a substantial proportion of people in America, close quote, millions of families, was likely obtained by cyber criminals in the attack on your subsidiary company. Under HIPAA, uh, covered entities whose data have been breached are required to notify individuals and the HHS secretary within 60 days of when health information is known or reasonably believed, and I'm emphasizing those two words, reasonably believed, to be exposed in a hack. In other words, when in doubt, you have to notify people who may have been affected by the breach. However, you have just testified that United Health has not yet notified individuals or the HHS secretary that sensitive health information was compromised. To meet your
HIPAA obligations, you need to at least send preliminary notifications to individuals so that they can take protective actions like monitoring their bank accounts, changing passwords, and enrolling in the credit monitoring system that United Healthcare has set up. When specifically will United Health send this initial notification to all possibly affected people, and will this information about the, um, include, uh, information, will the notice include information about the credit monitoring that you are offering?

Senator, thank you for the question. Could I also thank you for the way you advocated for the hospitals and helped us understand where we needed to improve our terms and conditions. I appreciated that. In regard to your question, this is our top priority, to go as fast as we can to understand this. Of course, what we're trying to get here is to make sure that the information and the people we communicate with is right, first and foremost. We're working with regulators to understand how best to do that. We were held up in the process because it took time to get the original data set back. Uh, we only got a hold of that in mid-March. Uh, we are working on that, and we're working with regulators on how to do exactly as you described.

All right, so let me just, I'm going to push you a little bit on this, because the attack happened on February 21st. The HIPAA deadline for reporting to the agency and individuals was April 21st. It's now May 1st. 10 weeks is way too long for millions of Americans to not know that their records may be available to criminals on the dark web. So I really urge you to immediately notify any families that could have been affected so that they can take proactive steps, and I also urge you to use United Health's substantial resources to do more for patients who were exposed in this hack, including by offering comprehensive identity protections to individuals beyond the two years of credit monitoring that you're offering right now, to Senator Wyden's point. Um, second question:
in cyber security, a single point of failure refers to a piece of IT infrastructure that, if it fails, can lead to the breakdown of an entire critical system, such as payments to health care providers. Health care providers want to have contingency plans to be better prepared for system failures. Some in New Hampshire have told me that they're no longer comfortable with the risk of relying on a single system for processing their payments. Yet United Health Group includes exclusivity terms in at least some of its Change Healthcare contracts. These terms prohibit providers from working with other companies that process health care payments. So is it true that your contracts include exclusivity clauses?

Uh, so the legacy Change, some of the legacy Change Healthcare did, and we are, uh, releasing those so that people can indeed adopt, uh, redundant pathways.

Okay. Um, so, um, I think it's important that you make sure that future contracts do not have these exclusivity terms, because they can effectively create single points of failure. Um, and, um, I guess the next piece of this, um, I think you've answered. So you are, you agreeing right now you won't use exclusivity clauses in future contracts?

Uh, Senator, that's right, because we agree with you that having business redundancy is an important backup to technological risk.

Okay, thank you very much. Thank you, Mr. Chair.

Thank you, Senator Hassan, and I noted, uh, in the discussion in preparing for this hearing that you were one of the first to kind of blow the whistle on some of these major issues, and I commend you and look forward to working with you. This committee is going to be actively involved, and we're going to make a bipartisan effort, which has been a forte of my colleague from New Hampshire, and I look forward to working with her and all of our colleagues. Senator Warner.

Thank you, Mr. Chairman. I appreciate you and the ranking member holding this hearing. Um, as you know, um, November 2022, um, we put out a white paper on the need to have some level of
overview and people in charge in terms of, um, cyber and health care, and I'd love to submit for the record, um, without objection, Senator Warner, statement, record, this chart, which indicates, frankly, cyber and health care is dealt with by four separate secretariats and about 12 different, um, entities, and I think this lack of clarity is, um, one of the challenges. I feel very strongly, and I appreciate that the Chairman's already, um, I think, alluded to this, and I want to hear from you, Mr. Witty, I know we discussed this when we met individually, is, um, no industry likes minimum standards, but just as we put in energy and in finance, um, minimum cyber security standards, I think we need, uh, those minimum standards in health care as well. Um, I think you've tended to agree, but if we were to put those minimum standards in place, um, you, I would want to make sure, particularly whether we're talking about Change or we're talking about, um, you know, big United, that there be transparency in those standards. Can you speak to this subject?

Senator Warner, thank you very much. Yes, certainly. I do think, um, and we're supportive of a direction of travel which moves towards minimum standards. Uh, I think today there is a blend of guidance, some standards and others, and I think there needs to be clarity within that. As you rightly say, there are a mix of different oversight agencies. I think that's, um, as you think about smaller and medium-sized organizations across health care, it's difficult oftentimes to navigate some of those things. Uh, so I do think a refreshed view of all of that, I think minimum standards do make sense. Uh, we'd be very, very happy to engage, and any lessons learned from this, with you on that.

And one of the things I think we need is, you know, we would have, people wouldn't be surprised if an individual provider was attacked, or the United parent, being a huge entity, but, you know, my understanding of Change is, in effect, they were the rails, uh, that folks didn't understand, allowed the
doc or the insurer and provider to kind of communicate information better. I think if we think about these minimum standards, it has to be, um, all the way up and down the food chain. You can't just, um, check a box and say, well, as a provider, I'm covered. We've got to go trace back that through that whole supply chain, um, in a way that, um, that again, quite honestly, I'm not sure we have enough transparency in the system overall. Uh, I also believe, and I think we said, since this was multifactor authentication problem, you guys are the biggest in the business, and the fact that, I know you had acquired Change, you were two years into the acquisition, and you still had not put the type of standards that United corporate would already have in place into Change. Why was it taking so long?

Senator, thank you for that question. Um, that is very much still, we're trying to dig through exactly why that server had not been protected by multifactorial authentication. I'm as frustrated as anybody about that fact, um, and, uh, we are working to try and understand exactly why it was not, uh, covered at the time.

Well, Mr. Chairman, this is one of those areas where, if we don't have, I think, resilience, I mean, I've got providers that have not only gone through literally weeks of not being able to have payments made, um, and lost such faith in Change that they are now talking about getting a new provider, that adds more and more weeks. In the meantime, patients, providers, others are not getting their payments made. So I think we need to look, um, not only at a minimum standard system, but also how we build resiliency into this system. Uh, I think the whole business model here, if any entity that is providing, in effect, the connections, from a telecom guy, as I used to be, those connections between docs, providers, insurers, there's got to be a backup system in place, and whether that means within a single provider like Change, United, you'd have a backup system, or whether the whole model,
business model has to change so that whoever you sign up, you have a backup, uh, in reserve, because without that you've got the kind of crisis that the system has prevented here. You said you were going to try to change that model. Can you speak to that for a moment? I know.

Totally. So, Senator, certainly agree with that sentiment, and, uh, which is, we would encourage people to have backup systems. Those providers who had two alternatives, they were able to fail across to their backups and were able to carry on without interruption, essentially. Uh, some did not have those backups. We need to work with those providers to make that possible and help them to be able to, uh, have that second pipeline, if you will, or that second rail, which would allow them to have failed across to that if there had been a technology failure on the first system.

I know, Mr. Chairman, you want to take on this issue. I look forward to working with you. I know Senator Cassidy is interested. But I think this is a time that's well overdue. We were just waiting for a crisis like this to happen. We knew it was going to happen. Now I think we need to act. Thank you.

I think those points are well taken, Senator Warner, and I think that there's an opportunity to link up a number of these issues. As I understand it, your proposal is essentially a Medicare-related kind of effort. We have begun working on the Finance Committee staff, which is available, of course, to all of the members, because we have jurisdiction over the HIPAA Security Rule as well, which gives us a chance to look at some of these issues relating to enforcement and standards and accountability, and I think your point as it relates to kind of resiliency allows us, and we've started it this morning, to kind of walk through how all of this actually works. I mean, you can't walk into a shop in most of America and talk about multifactor authentication. I mean, everybody would just kind of look at you, kind of, what planet have you descended from? But that's all
about prevention. But Senator Tillis came in and gave us the chance to make a link between prevention and getting everybody up and running again quickly, which is what the redundancy effort is all about. So as we link up these issues and work in a bipartisan way, there's lots to do, and I look forward to working with my colleague. All right, let's see, next we would have, we would have Senator Barrasso.

Yeah, thanks, Mr. Chairman. Thanks for being with us today. Um, since the Change Healthcare cyber attack, I've heard from hospitals, providers all across Wyoming, and I'm sure you've heard from people all across the country. Sheridan Memorial Hospital, Sheridan, Wyoming, shared with me how the attack has impacted them and their patients. So it took 26 days, uh, for the, uh, claim processing to be restored at Sheridan Memorial. Like thousands of other hospitals, they experience financial hits that are going to take them months from which to recover. Over the 26 days, they were delayed in filing 17,000 claims, uh, resulted about $20 million, uh, in unpaid services. Rural hospitals all across Wyoming, in the US, provide access to essential health services. You know, they represent the most financially vulnerable hospitals, because when a hospital closes and has, it's usually a rural hospital. So 50% of rural hospitals already operating right now in the red. Uh, this breach may send some of them into a financial spiral for which they can't come back, and those communities are often rural, frontier areas. There's not a hospital, another hospital, nearby. So how are you prioritizing the processing of claims?

Senator, thank you very much for the question, and let me say how sorry I am to hear the kind of pressure that you just described. Um, and we, please be assured we're working everything we can to make sure that we're as responsive as possible, not just a claims clearance, but also to make sure that there is loan programs available, uh, particularly for rural hospitals and family health centers, and about a third
of the six and a half billion dollars we've issued have gone to those types of organizations, and if there are specific hospitals within Wyoming who, uh, have not yet connected with us, I would encourage them to do so. Claims processing is broadly back to normal, so we believe most of the backlog on claims processing is mostly back. Not, I, obviously I cannot assert for 100%, but I think broadly. Where we're still, where we still have, uh, lag is payment on those claims. So, for example, if a claim is submitted to United Healthcare, our insurance company, for payment, we will pay instantly, but not all payers are paying instantly, so some may be paying as normal, 30 days after claim receipt. That would explain why you're continuing to see that delay. We're committed to maintaining that loan, interest-free loan capacity for folks until they have got through this cash flow challenge.

Yeah, 'cause we want you to make sure you're specifically prioritizing these rural and financially vulnerable hospitals, because they need to keep their doors open and they're the only source of supply. I mean, there's been a lot of discussion about, uh, two-factor verification today. We have a small community hospital, they have a health fair I tend to try to get to every year, Kemmerer, Wyoming, town of 2,500 people. Um, 2023, they spent nearly a million dollars on cyber security. The, uh, it's evident from how much hospitals like our South Lincoln County hospitals spend that hospitals take cyber security very seriously. Um, you know, Change Healthcare's commitment to cyber security, uh, it's not as clear. We've had everything, just about every person here asked those questions. Uh, you know, I've heard the responses that you've had. To me it seems like an excuse. South Lincoln Medical Hospital in Kemmerer even has this multifactor authentication. Uh, they're operating in the red, uh, and Change Healthcare was established in 2007. This was a hospital that was established 1961, and they, this, a system that has been already updated. So did you lack
the financial resources to implement a multifactorial authentication system? I'm just not sure why you haven't had this in place yet.

Uh, Senator, thank you for the question, and like you, I'm very disappointed and frustrated that this particular server did not have MFA installed. That Change Healthcare came into our group a little over a year and a half ago. We've been upgrading their technology since we acquired it. Uh, you're right, they were established 2007, but some of the legacy systems in that company go back 40 years. Uh, we've been working to improve those, and unfortunately, we have discovered a server which was not covered by MFA, and as a result, uh, was, uh, exploited.

So have you implemented the requirements since the breach?

Oh, absolutely. So we have a policy at United Health Group for MFA on external services. We are using external, uh, support to ensure we have all those in place. We run continuous, uh, penetration test to make sure that they're active. Um, but in this, this is a very frustrating situation which we're continuing to try and investigate to understand why it was like it was.

You know, I practiced as an orthopedic surgeon in Wyoming for 25 years. We had a small group practice, five to six of physicians, and the small group practices are getting hit as well, in addition to the larger practices. Uh, you have any plan to change policies to ensure that providers aren't financially on the hook in the future?

Um, we certainly, uh, so I think importantly we're providing, uh, really unlimited loan, uh, support for folks to get through this cash flow situation, and of course we're always willing to talk to providers on a case-by-case basis if there are other issues that need to be addressed.

Thank you, Mr. Chairman.

Senator Barrasso, before you go, I want to associate myself with your remarks, because this is so important as it relates to these small families, and we've been at it for about, you know, two hours, and I think you touch on what I
regard as one of the key areas, and we've just heard excuse after excuse this morning from Mr. Witty. And, you know, the fact is that, uh, first server that was hacked did not have multifactor authentication, and Mr. Witty's head of cybersecurity knew about it. So we got to get to the bottom of it. This is going to be a completely bipartisan effort. We hadn't had any senators saying let's get a Democratic bill or a Republican bill. We're going to do this together. I very much appreciate the important issues you've raised.

Thank you, Mr. Chairman.

Let's see, Senator Bennet is next.

Thank you, Mr. Chairman. Thank you, Mr. Witty, for being here today. I have similar issues that I want to talk about in terms of Colorado. I'm very grateful that the chairman and the ranking member has held this. Mr. Witty, I appreciate the initial efforts that you, that UHG has made to accelerate payments, to offer some financial assistance. This is, um, obviously affecting, uh, cash flows all across the state. We've got patients in Colorado that, um, that are continuing to need care, and since the hack my office has been working with offices all over the state that are, um, still two or three months away from their normal cash flow, and they're already, as you know, uh, operating on a shoestring as this is. So on top of what they're dealing with, normal reimbursement processes have yet to come back online. One critical access hospital in Colorado, uh, has $1.5 million in outstanding payments that, uh, are receivable. That's half of their total monthly revenue. Their ability to pay their doctors and nurses and other staff is at risk as a result of this, so their operation is at risk. It's not just hospitals. Pharmacies like Good Day Pharmacy in Loveland, Colorado have been forced to pass on the cash, the cash price of medications to payments, to patients, some of which cost over $1,000 for, uh, over 30 days. Some Coloradans understandably can't afford that expense and they haven't gotten their medicine. They've been left empty-handed as a
result of that. They're unable to pay their bills, they can't, you know, do it on... they can't pay it online, and some auto payments have stopped. This single attack, and I know you've heard this today, but one more, one more state, the single attack has kicked off a cascading series of crises that are unmasking some deep vulnerabilities in the core of our health care system, and Colorado practices and hospitals have been left to pick up the pieces, covering the cost of someone else's cybersecurity failure. So I wonder what you could say, maybe in addition to what Senator Barrasso asked you about, or what cost you think you might be responsible for here, and how you're thinking about those challenges.

Uh, Senator, thank you very much for the question and also sharing the situation in Colorado. We, uh, and I'm very sorry for the disruption that has been caused there, and we're working very hard to fix those technical solutions as fast as possible. Let me reassure you that our financing capacity remains in place. So, for example, in the hospital that still has a $1.4 million, I think you said, of issue, uh, we will reach out to your office to connect with those folks to ensure that they have, uh, the support to bridge them through until they're back to normal. Uh, we are, um, more than willing to keep that support in place if that's a month or two months or three months, and that would be interest-free, um, no-cost loan to that hospital.

Well, I appreciate that, Mr. Witty. We'll take you up on that. How about the c... is there something to do about the costs on a going-forward basis, to deal with the, um... I mean, how are we going to avoid having this happen again in the future?

So, uh, that's a very good question. I think we all have to take... we are clearly trying to take our responsibility in this attack. We are also trying to learn from it, and we want to make sure we share all of those learnings. We're trying to be as open as we can be on, uh, the things
we're learning. We'll continue to do that as our investigations continue to, uh, to pursue, uh, any other understandings here. Um, but the attacks we're under are sustained. Uh, they are going up, it's not going down. The attacks are becoming more sophisticated, and the levels of technology that we're going to need to protect against those attacks will continue to have to be elevated, and that's going to be a challenge, I think, for many participants in the system, to keep up with the pressure. Which is why I think it's also important that we focus on how we reduce the attack rate and, uh, making sure that the numbers of attacks which come into the health system, and more broadly into the country, begin to drop. It's simply escalating, and, uh, I think the probability of other breaches in other parts of the health care environment must be high given the pressure that the system is under.

Thank you. Thank you, Mr. Chairman.

I thank my colleague. Next is Senator Young, I believe, and then Senator Carper.

Uh, thank you, Chairman. Mr. Witty, good to see you. Uh, thank you for, uh, making yourself available to me in my office and, um, the back end of these attacks. Um, health care entities and devices are increasingly connected to the internet and other health care facility networks to provide features that manage administrative functions, increase efficiency, or improve the ability of health care providers to treat patients. We of course have to have confidence these systems and tools can be used safely and securely in order to reduce risks and vulnerabilities for patients and providers. Uh, there remain some unanswered questions and lessons to be learned from this attack. Uh, you've acknowledged that, Mr. Witty. One of the workarounds for payers and providers, uh, which we discussed, was to move to a different clearinghouse, including Change Healthcare's competitors. How long could a transition take for a provider to be fully up and running with a new vendor?

Senator, thank you for the
question. I... that can be, I think, within just a few days. I can come back to you on really a more educated assessment of that, but I would say a few days to a week or so.

Okay, and, well, that's okay, that gives me a rough estimate. Is Change Healthcare helping with these transitions?

Yes, in fact we recommended and diverted, uh, clients to as many alternative competitors as possible. Um, and we will continue to encourage clients to have a backup system in place, so to have at least two alternate channels in case there were future attacks in the system.

And I know this is, uh, already been, uh, covered a bit, but, um, to confirm, there's been reporting of exclusivity clauses between Change Healthcare and its clients. Will any exclusivity clauses be enforced, and what should providers be aware of if they transition to a new provider?

Senator, you're quite right that, uh, the legacy Change Healthcare contract indeed did have exclusivity, uh, clauses. We've waived those and we would not intend to enforce them, because we want to make sure people have backup capabilities in place.

Okay, all right, thank you. Uh, Tulip Tree Family Health Care is a community health center in the southern part of my state. Um, it's unable to switch clearinghouses. Um, they indicate it's a time-sensitive process for, uh, their billing department, which has two people, and connecting to the new system could put their cyber liability insurance at risk, uh, since it hasn't been guaranteed secure. They've turned to a 100 percent paper submission of claims by mail, incurring all kinds of overtime expense and significant postage costs for a small health care, uh, center that, uh, tries to provide the most they can for their, uh, patients. Tulip Tree learned about the attack from the national news. Do you have a notification process in place, sir?

Uh, that's a very good question, and that's one of the areas where I think we need to figure out how to communicate, not just for companies but for government. We saw
the same thing in COVID: it's very difficult to communicate with providers across the system. In this particular attack our customer files were, uh, compromised in the attack, so they were encrypted, which made it very difficult to reach out directly to those clients. I would say in this particular situation that you just described, uh, we'd love to reach out to your office, understand, uh, who that clinic is, and if we can help them in a technical transition, or if they need financial support during the bridge to the new supply, we'd be happy to help.

And you did mention those mechanisms you've created to provide that financial bridge. I, uh, am encouraged by that. How are you more broadly disseminating information to providers, particularly, you know, these small safety net health centers like Tulip Tree?

Um, again, thank you for the question. So we've used everything from our UHC insurance provider bulletin, which goes to about a million physicians across the country. Uh, we've used social media. We've sent something like 700,000 emails to a variety of different provider addresses. We've tried to use every channel. We've worked with all of the key medical associations to encourage associations to get the word out to pharmacy, to providers and others. Um, and of course we've been running regular national telephone calls for technology leaders across all of the organizations and encouraging them to spread the word in their regions, so for example large hospitals, encouraging them to spread the word. Um, but I do think, uh, communication to providers, whether it's a cyber situation or a pandemic situation, I think that is an area which repeatedly comes up as an area for opportunity.

Thank you for answering my questions, Mr. Witty. Uh, I guess the only other thing I would ask is, um, you know, you will have all manner of lessons learned, uh, including that there may be limitations under existing law to being able to respond to these sorts of attacks and serve, uh,
your clients optimally. To the extent those lessons are learned, I ask that you communicate that information to my office and to this committee so that we might consider changing the law.

Thank you.

All right, thank you, Mr. Chairman.

I thank my colleague, and, uh, I look forward to working with him. We've had a very good bipartisan, you know, effort, and my colleague has had a great interest in national security issues, and I'm really struck by how little we know about the data that could involve our service personnel, so look forward to working with them. Okay, Senator Carper.

Mr. Chairman, uh, to our ranking member, thanks for, uh, pulling us together today. And, uh, Mr. Witty, uh, thank you for taking your time to talk with me earlier, uh, this week, and for your testimony today. Among the things that I shared with you, some of the principles that guide me in my life, in this role and in other roles I've been privileged to serve, but, uh, one of my guiding principles is everything I do, I know I can do better. And I think everything I do, I know I can do better. I think that's true for all of us, driving toward perfection. We know we're not going to get there, but at least that's our goal. Uh, another one of my guiding principles is to treat other people the way, uh, I want to be treated, Golden Rule. And, uh, but I try to put myself in other people's shoes, whether you happen to be a constituent, you happen to be a patient, whether they happen to be a practitioner or a provider, put myself in their shoes and let that help guide me. The other, uh, thing I mentioned to you yesterday, uh, this is shared responsibility, the idea of shared responsibility. It's clearly obligations that you and your colleagues have, but there's a role for, uh, for government, and there's a role for others to play, but there's a shared responsibility. One of the things I mentioned yesterday, I quoted Abraham Lincoln. He was asked, what is the role of government, and he said the role of government is to do for the people
what they cannot do for themselves. And, uh, there's, yeah, state government, you know, county, local government, and we have federal government, so there's probably a role for all of us to play. Um, we're proud in Del... we have about a million people in Delaware, about 100 miles from north to south, 50 miles from east to west. I cover my state like a glove every week, just about every week. It's something I love to do and it's easy to do. But we've heard from constituents, um, families, people that have been not just, uh, you know, uh, disadvantaged but, uh, really hurt, really potentially put in harm's way. We heard from practitioners and providers in a real way, in a human way, on the phone and in person, so for us this is very real. But, uh, thinking, uh, aloud in terms of the role of government, since we are the government, federal government, uh, role of government here, what might be one or two of the roles that we could play, should play?

Well, Senator Carper, thank you very much for the question and, uh, your comments. Um, I think maybe two areas I would, uh, suggest. Um, one is, uh, helping, uh, the health care system think through what the, uh, minimum standards, what the kind of, um, the right level of system protection and redundancy is to try and guard against, uh, the impacts of future attacks. And then the second is, uh, to, uh, see what further can be done, what more can be done to reduce the attack velocity, uh, that is coming at the US health care system from, uh, cybercriminals and other possible actors. So I would maybe suggest those two areas.

Okay. Uh, food for thought. Good, thanks. Um, this attack was, uh, as I understand, maybe the worst of its kind against our health care system and the people that depend on that system, but the ramifications remain widespread. It's clear that Change Healthcare was not prepared for this attack. I don't know if it's possible to actually be prepared, fully prepared, for an attack of this nature, but, uh, you shared with me yesterday that the attacks are ongoing
and they're becoming more frequent and more... uh, the people that are doing these, launching these attacks, aren't stupid, and they're not getting any dumber, unfortunately. But, uh, it's clear that Change Healthcare, uh, wasn't prepared for this attack. The lack of basic cybersecurity measures left our health care providers and their patients vulnerable to disruptions in care and sensitive data and personal information being stolen. And like my colleagues, I've heard from, as I said earlier, providers, we've heard from practitioners, we've heard from families, from individuals throughout our state who are directly impacted, uh, from, uh, this attack. One individual we talked to was unable to, uh, receive her insulin prescription for several days because of the significant pharmacy delays, and that's not acceptable for any of us. But, uh, Mr. Witty, why do you think it took so long for your systems to get back up and running, and why are many pharmacies still offline today?

Uh, Senator, again, thank you for the question, and, uh, I'm very sorry to hear the situation of the patient who was waiting for their insulin. Uh, we have tried to make clear that we would honor any prescriptions which were filled with the pharmacists uncertain of what the reimbursement status was, but perhaps that also emphasizes the challenge of communicating across such a wide group of, uh, providers. The speed of recovery of our systems was really determined by the way the attack, uh, encrypted large parts of the environment, and to ensure that the system, when it was brought back online, uh, garnered the confidence of all other participants in the environment that it was safe to reconnect to. And remembering that Change Healthcare is a big connecting system, uh, we really built the environment from scratch. So we did not resuscitate large parts of the old environment, which could have brought with it the risks and the suspicion of infection and would have led to, I think, uh, people not being willing to reconnect at all. Uh,
we, we, we spent a lot of time rebuilding from scratch and then having third-party organizations test, scan, penetrate it to make sure it was super robust before it came back. But unfortunately that took time, and the consequence of the way the attack impacted the first system, and then the commitment to bring back a better, clean system, was the explanation.

I thank my colleague. Just a few additional questions. I'm not clear on, um, apropos of the patients, the real victims, in my view, of your negligence. Uh, Equifax, for the people who had their information stolen, sent the individuals $5. How are you going to go about, uh, compensating people for their stolen data, and do you think that's right, to give people $5?

Uh, Mr. Chairman, we're working hard to get that notification as soon as possible, to understand who is potentially impacted. Um, but in the meantime we haven't stood by to wait for that. We've already put in place services, call centers, to help, um, people understand the situation if they need advice, support, and also to make sure that they already can access, and for anybody, and actually whether their data is in this or not, anybody in America can access, uh, credit protection and identity theft protection for the next two years, and very easy to do.

Identity theft and protecting against it is something I'm very supportive of, but I also am very hawkish on protecting people's private medical data, and when I saw Equifax giving people $5, and this happened very recently, I wanted to know from you all whether you thought that was reasonable. How are you going to go about it? I mean, you envision sending out $5 checks too?

Uh, Mr. Chair, at this time, uh, I do not. I feel as if the important thing here is to reassure people that (a) we're doing everything we can to try and ensure the data does not in fact leak, (b) that we would make sure, uh, that their situation is protected through the services that we've already made available, uh, and is available to anybody in the
country.

Let's, um, also get on the record, uh, one of the questions that Senator Menendez touched on with respect to doctors, because for a lot of us, particularly in small, representing small communities in our states, that Oregon, much of Oregon, you know, is rural, Senator Barrasso was talking about that, you know, as well. Um, you know, our physicians are very much at risk. They owe you for these loans, and, uh, I'm concerned that these loans are going to give you valuable financial information that, based on the company's history, is going to be used to gobble up lots of other small providers across the country. And as you know, I asked you about, uh, what was going on in Oregon, that Senator Warren touched on it as well. So this is not a hypothetical question for your company, because your company is buying these people up hand over fist. So, uh, I would like to see at a minimum a firewall established so as you can't use the data from these doctors that were gleaned from the loan process to go out and buy up more doctors, because that's the last thing we need in America. Will you support that?

Uh, Mr. Chairman, um, first of all, so first of all I do support that. I think that's a good idea and a good recommendation. Uh, but secondly, I also just want to reassure you we have not asked for any loan repayment yet from anybody, uh, and we are, uh, we will be guided by the provider's confirmation that their cash flow is back to normal, so it will be under their guidance that that conversation would begin. But your suggestion I think is a good suggestion, and while I'm very confident we would never take advantage of that information, to, uh, be, uh, absolutely clear, I'm happy to put in place the process you just described.

So, uh, we've been at it for more than two hours, you know, now, and, uh, there's a lot we don't know. There's a lot that the American people don't know. We don't even know what data was stolen, and I'm not convinced that we are going to find that out anytime soon. We may never
find it out. And this data, as I said several hours ago, can reveal abortions, mental health conditions, sexually transmitted infections and more. Because this company is so big, and we heard my colleagues talk about too big to fail, and I think they were frankly more eloquent than I was a couple of hours, you know, ago, but I think, you know, companies that are so big have an obligation to protect their customers and to lead on this issue. And in much of what I've read about this, you're kind of saying to the American people, you should feel lucky that we're big. Well, I think that a lot of Americans today don't buy that, and I think that your company, on your watch, let the country down, and these millions of people, on both the prevention side, which is what two-factor authentication, multifactor authentication, is all about, and on getting us back and going, and we still have questions about getting it back and going, and that's redundancy. So there's a lot of heavy lifting to do, and I want you to know that this is the area that I've tried to kind of concentrate on, uh, over the years in public service. I was director of the senior citizens group. This is one of the most important issues I've taken on, because I think the intersection of health policy, economics and national security is now front and center, and I am all in on this. This is one of the most important fights that I've taken on, because what worries me is all these people who are professionals in the field say, shoot, this is an example to the bad guys of what they can accomplish. And you're going to have to be much more active and much more forthcoming in terms of these kinds of specific issues that we've talked about today if we're going to turn this around. So with that, uh, the Finance Committee is adjourned.
Info
Channel: CBS News
Views: 30,799
Keywords: cbs news, news, live news, livestream, breaking news, unitedhealth group, change healthcare, cyberattack
Id: vjQAcWy1_dQ
Length: 135min 23sec (8123 seconds)
Published: Wed May 01 2024