UnitedHealth CEO to testify about ransomware attack

The chief executive of UnitedHealth Group will testify in Congress in May about the ransomware attack on a subsidiary that led to nationwide issues for the healthcare industry.

The company has faced significant backlash for deciding not to make anyone available for a House Energy and Commerce Committee hearing on the attack last week. 

Committee chair Cathy McMorris Rodgers (R-WA) said on April 16 she was “disappointed that UnitedHealth Group chose not to make anyone available to testify … so that the committee and the American people could hear directly from them about how this specific cyberattack occurred.”

But Rodgers noted that UnitedHealth Group committed to appearing at a future hearing. On Friday, the committee announced that CEO Andrew Witty would testify before its Oversight and Investigations Subcommittee on May 1. 

"Americans are still dealing with the fallout of the Change Healthcare hack. Individuals and smaller providers, in particular, have struggled financially following the cyberattack, threatening critical access for patients,” said Rodgers and Rep. Morgan Griffith (R-VA). 

A now defunct ransomware gang attacked UnitedHealth subsidiary Change Healthcare on February 21, causing immense disruption to the U.S. healthcare industry. 

Change Healthcare’s platform is a key cog in the industry because it allows healthcare organizations nationwide to handle insurance filings, particularly for pharmacy operations. Experts believe Change Healthcare processes about half of all medical claims in the U.S. and the company’s platform touches an estimated 1 in 3 U.S. patient records, Congress said. 

Its systems process roughly 15 billion transactions annually, and are linked to approximately 900,000 physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals nationwide. 

While most of the company’s products are back online, doctors and healthcare officials told Congress last week that they are still dealing with a fallout from the chaos caused by the incident. Several leveled harsh charges at UnitedHealth’s conduct during the incident, noting that the company still has not informed healthcare providers of what information about patients the ransomware gang gained access to. 

The ransomware hackers behind the attack have continued to offer the data for sale on a new leak site, threatening to publish the information if they are not paid. 

UnitedHealth Group said during an earnings call last week that the attack has so far caused $872 million in losses.  

“Of the $870 million, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities. For the full year, we estimate these direct costs at $1 billion to $1.15 billion,” President and Chief Financial Officer John Rex told investors.