"The fact that you're so big and so dominant, presents a special vulnerability."
On Wednesday, UnitedHealth Group (UHG) CEO Andrew Witty sat before Congress to give his testimony during a hearing regarding the Change Healthcare ransomware attack. Witty was met with intense questioning about everything from UnitedHealth’s billing practices to its “leviathan” presence in healthcare.
Here are the key takeaways from the hearing:
Security Updates
UHG was in the process of updating its outdated security systems to meet “UnitedHealth standards.” The security systems UHG had in place at the time of the attack did not call for multi factor authentication, which seems to be how the hackers were able to get into the system, UHG believes the hackers broke into the system nine days prior to deploying ransomware.
Payments
Witty confirmed that UHG has paid more than $6 billion to providers since the attack, in the form of interest-free loans that they do not have to repay until 45 days after confirmation that they are fully operational.
In his written testimony, Witty confirmed that UHG paid the $22 million ransom and that it was his decision to do so.
Too Big To Fail
The size of UHG was scrutinized due to its substantial presence in healthcare, with one senator comparing the company to a leviathan. Oregon Senator Ron Wyden opened the hearing by “putting things in perspective” he said: “Last year UnitedHealth Group generated $324 billion in revenue, making it the fifth largest company in the country. Overall the company touches 152 million individuals across all lines of business, insurance, physician practice, home health, and pharmacy.”
UHG has been called the largest physician employer in the country, but Witty argued against this statement saying that UHG employs less than 10,000 physicians and it contracts and affiliates with another 80,000 who voluntarily chose to work with its Optum colleagues.
United may not directly employ the other 80,000 physicians, but it owns Optum, which, albeit indirectly, expands its physician groups and market power.
Witty was also questioned by Senator Elizabeth Warren about the federal investigation into UHG’s billing practices, calling UHG “a monopoly on steroids.” Witty did not provide a comment on this.
Accountability
Witty confirmed that the data breach resulting from the ransomware attack affected about 111 million people. Congress noted that is a massive amount of people and data to be handled by a single enterprise.
“The bigger the company, the bigger its responsibility to protect its system from hackers,” said Louisiana Senator Bill Cassidy, MD during the hearing. “The fact that you’re so big and so dominant, presents a special vulnerability.”
Cassidy may be right. Millions of consumers having their data exposed and the American healthcare system being brought to an almost absolute standstill begs the question: how big is too big when it comes to payers?
Studies show that these mega-payers are not serving the best interests of patients, but instead creating less options with steeper prices.
As CEO, Witty has a lot of responsibility on his shoulders, arguably too much for one person. Ultimately policymakers will have to decide if the weight is too much to bear.
If we pause to think about it, there’s a large possibility this type of attack could happen again…and it could be worse. When asked if he was certain if UHG was prepared to deal with another cyberattack, he said that UHG is doing everything in its power to do so. But would everything in its power be enough? We better hope so when just about the entire country’s private health data is on the line.
Marie DeFreitas is the finance editor for HealthLeaders.
KEY TAKEAWAYS
UnitedHealth has paid $22M in ransom to the group behind the Change Healthcare attack.
Around 1 out 3 Americans were affected by the cyberattack.
The court brought up concerns about UnitedHealth’s large size and the amount of data it stores for the country