(This story is from our new Health Tech newsletter. If you’d like to sign up, just click here.)
Senators questioned UnitedHealth Group CEO Andrew Witty for more than two hours on Wednesday over the February cyberattack that paralyzed the US healthcare industry for months and bled some providers dry.
While most of the questions directed at Witty concerned whether UnitedHealth did enough to prevent and respond to the attack on its technology business Change Healthcare, senators also drilled into a central question that’s swirled around the entire debacle: Is UnitedHealth too big?
“The Change hack is a dire warning about the consequences of too-big-to-fail mega-corporations gobbling up larger and larger shares of the healthcare system,” Senate Finance Committee Chair Ron Wyden (D-OR) said at the Wednesday morning hearing. “It is long past time to do a comprehensive scrub of UnitedHealth’s anticompetitive practices which likely prolonged the fallout from the hack.”
Members of the House Energy and Commerce’s Oversight and Investigations subcommittee also pressed Witty on UnitedHealth’s size and its response to the cyberattack in a hearing Wednesday afternoon.
UnitedHealth’s size linked to hack fallout
During the Senate hearing, Witty downplayed UnitedHealth’s size, arguing to senators that the company, which boasts a $448 billion market cap, doesn’t own hospitals or drug manufacturers. He said it employs fewer than 10,000 physicians across the US, while the additional 80,000 doctors it contracts or affiliates with “voluntarily choose to work” with the company. Hospitals employ far more physicians, he said.
Witty also insisted that Change Healthcare’s footprint is the same size as it was when UnitedHealth bought the business for $13 billion in 2022.
The attack on Change Healthcare, which says it handles 15 billion transactions a year, sent shockwaves that reached every corner of the industry, impacting even those providers that don’t rely on the company for claims processing or other technology functions. Hospitals and clinics couldn’t bill for services, so payments dried up. Some patients weren’t able to fill prescriptions.
To critics, the fallout was a clear sign that the US healthcare system relies far too heavily on one corporation. Beyond Change, UnitedHealth owns the largest US health insurer. Its Optum business owns a sprawling fleet of physician groups, urgent care centers, and surgery facilities. Optum also runs one of the biggest pharmacy benefit managers.
UnitedHealth’s acquisitions reportedly have caught the attention of the US Department of Justice. Witty declined to comment on the alleged investigation.
Wyden told reporters after the Senate hearing that he thought Witty played down UnitedHealth’s reach over the healthcare system and said he’s considering legislative action focused on enforcement and audits.
“We’re working on legislation where we have jurisdiction as well on HIPAA,” he said. “Our team is already working on it. We’ll have some more to say about that down the road.”
He stopped short of getting into the details of antitrust, noting that issue falls under the Senate Judiciary Committee, but said there’s “plenty” the committee can do to support competition in the industry.
It wasn’t just lawmakers that Witty received heat from on Wednesday. Protesters from the advocacy group People’s Action filled the Senate hearing room wearing shirts emblazoned with “United Health denies care,” protesting UnitedHealth’s claims denials. They swarmed the CEO as the hearing ended, chanting “Andrew Witty you can’t hide, we can see your greedy side.”
Responding to the cyberattack
Witty spent much of the Senate hearing discussing why the cyberattack occurred and how the company reacted. He confirmed that he made the decision to pay the attackers a $22 million ransom.
He blamed the lapse in cybersecurity on the legacy Change technology, which he said UnitedHealth had been in the process of upgrading. A Change application was vulnerable because it did not require multi-factor authentication. Witty said UnitedHealth is doing everything it can to be prepared for another attack, but emphasized that something needs to be done to reduce the amount of cyberattack attempts across the US.
“The attacks we’re under are sustained. They are going up, they are not going down, and they’re becoming more and more sophisticated,” Witty said.
He said Change’s claims processing systems are essentially back to normal, though some other health insurers are lagging in paying the backlog of claims that built up.
Senators also questioned Witty about the potential that private patient health data had been exposed in the attack. UnitedHealth previously said patient information covering “a substantial proportion of people in America” may have been impacted. Witty apologized and said UnitedHealth was working to minimize the chances the data would leak out of the organization. He said UnitedHealth was offering two years of credit monitoring and identity theft protection.
“Credit monitoring is the ‘thoughts and prayers’ of data breaches,” Wyden said.
Lia DeGroot contributed reporting.
Editor’s note: This story has been updated to correct the date of the Senate hearing and to add details from the House subcommittee hearing on Wednesday afternoon.