UnitedHealth CEO Grilled by Congress About Change Healthcare’s Crisis

Congressional leaders in the House of Representatives and the Senate unloaded blistering criticisms at Change Healthcare’s parent company UnitedHealth Group during a pair of hearings on Capitol Hill in May 2024. At issue was UnitedHealth’s management of the February cyberattack on its subsidiary Change Healthcare, the crisis we first covered in our April feature article “Did Hackers Who Attacked Change Healthcare Collect $22 Million in Ransom?” 

According to the Washington Post, the lawmakers argued that the conglomerate’s mismanagement of the cyberattack and its aftermath had damaged America’s healthcare system, threatened the financial stability of physicians and hospitals, and put tens of millions of patient data records at risk. The Republican chair of the House Energy and Commerce Committee, Washington Representative Cathy McMorris Rodgers, said that the way UnitedHealth had handled this situation will likely provide “a case study in crisis mismanagement for decades to come.”

Sparks Fly as Lawmakers Refuse the CEO’s Apologies

UnitedHealth’s CEO Andrew Witty repeatedly apologized before the legislators for the hack on Change Healthcare and the firm’s sudden shutdown of its health insurance claims processing system to contain the threat. In apologizing, the former CEO of pharma giant GlaxoSmithKline pledged that he and his Minneapolis-based company won’t rest “until we fix this.” 

Moreover, Witty claimed that his firm had been offering zero-interest loans to impacted hospitals and providers and free credit monitoring services to patients who had also been affected. He also disclosed that about 111 million Americans out of the country’s population of 333 million could very well have had the security of their personal information compromised somehow by the hack.

However, sparks flew as the legislators repeatedly refused to accept Witty’s apologies during heated exchanges. Several lawmakers asked whether the vast scope of UnitedHealth’s operations put Americans at risk. After all, with stock valued at $450 billion by Wall Street, UnitedHealth Group has been the top-ranked healthcare conglomerate and the fifth-largest firm on the Fortune 500 for three straight years, earning $372 billion worth of revenue during 2023. What’s more, its Change Healthcare subsidiary processes 15 billion claims worth about $1.5 billion annually, or about 50 percent of all the health insurance claims filed across the United States. 

Some lawmakers even called for antitrust actions to break the conglomerate apart into smaller independent companies. Massachusetts Senator Elizabeth Warren, for example, characterized UnitedHealth as “a monopoly on steroids.”

Why Wasn’t MFA Security Turned On?

But Witty’s admission that drew the most ire from the officials is one that also surprised a number of cybersecurity experts and analysts. His disclosure will provide a teaching moment not only for every prospective and current MHA student reading this article, but also for every MHAOnline reader who uses a computer or a mobile device—which amounts to pretty much everybody reading our platform’s reports.

Witty disclosed for the first time that the hackers gained access to the computer network at Change Healthcare through a portal where multifactor authentication (MFA) was a security option available to system administrators at the time of the incident but not turned on. Although most Americans are now learning this term for the first time because of the Change crisis, multifactor authentication is the security feature on many web platforms that requires additional information besides a username and a password to log in.

For example, Apple introduced a version of MFA called two-factor authentication for all users of its online systems starting about ten years ago. Although denying that its iCloud server network itself had been breached, Apple was nevertheless forced to toughen security following a famous September 2014 hack that leaked hundreds of nude photos of Hollywood celebrities stored in dozens of iCloud accounts. 

Actress Jennifer Lawrence and pop star Rihanna were among the celebrities targeted by the exploit. After stealing the photos, the hackers posted them to the notorious “deep web” online forum 4chan. 

Apple’s implementation of MFA only allows logins to iCloud through a web browser after a user who’s entered a password also copies in a temporary verification code that Apple sends to a separate application on the same device, like an email program. Had Apple operated this hardened two-factor authentication system in 2014, the attackers would never have been able to break into all the iCloud accounts with only user name and password credentials.

More secure MFA implementations permit a login only after the user types in a code displayed on a different device, such as a mobile phone or tablet, while trying to log in on a computer.

These days, most systems that store confidential financial or personally identifiable information require logging in with a password, followed by entering such a verification code that’s been transmitted to a second device.

But at Change Healthcare, no basic two-factor authentication was activated at the time of the incident. The lawmakers savaged Witty because the network management executives working for him at Change failed to ensure that the attacked portal’s multifactor authentication security system had been turned on—even though other cybersecurity protocols running on the portal were known to be inadequate.

The chairman of the Senate Finance Committee, Oregon Senator Ron Wyden, told Witty that the hack “could have been stopped with cybersecurity 101.” Brandishing a copy of Hacking for Dummies, Senator Thom Tillis of North Carolina then asked Witty how auditors working for UnitedHealth could have possibly overlooked the issue where multifactor authentication was available but had not been turned on. He told Witty that “this is some basic stuff that was missed.”

Incredibly, the CEO told the lawmakers that UnitedHealth would install and activate multifactor authentication on its systems company-wide within six months. That surprising statement implies there are other systems at the conglomerate besides the Change portal targeted by the hackers that currently continue to operate without MFA turned on.

Witty at times blamed Change, which UnitedHealth bought in 2022, for continuing to operate outdated technology. The CEO complained to the lawmakers that he was “incredibly frustrated” about the lack of multifactor authentication security on the compromised server. “We were in the process of upgrading the technology we’d acquired,” he said.

Pointing out that even small older hospitals in his state use multifactor authentication, Wyoming’s Senator John Barrasso told Witty that he was confused as to why Change had not universally deployed MFA. He called Witty’s explanation that Change’s security was insufficient because of old technology “an excuse.”

More Headaches For UnitedHealth Group

The cyberattack isn’t the only recent issue that’s placed UnitedHealth Group under fire and attracted intense scrutiny. During a protest on July 15, police arrested 11 individuals for blocking roads outside the Minnetonka, Minnesota headquarters of the conglomerate’s UnitedHealthcare subsidiary.

According to the Minneapolis Star Tribune and WCCO-TV, about 150 people showed up to protest what critics claim is a repeated pattern of improper coverage denials by the firm. UnitedHealthcare, which provides insurance, health benefit plans, and managed care services, is the largest health insurer in the United States.  

Aija Nemer-Aanerud with the Chicago-based protest organizer People’s Action Institute issued a press release that day, saying, “UnitedHealthcare policyholders and medical professionals have petitioned, protested and spoken directly to the chief medical officer of UnitedHealth Group about our concerns, but their leadership has refused to acknowledge that prior authorizations and claim denials are a widespread problem.”

UnitedHealthcare then countered with its own statement. The firm said that “the safety and security of our employees is a top priority. We have resolved the member-specific concerns raised by this group and remain open to a constructive dialogue about ensuring access to high-quality, affordable care.”

Prior authorization rules are controversial and have attracted scrutiny by critics in recent years. Healthcare providers and patients argue that such rules have blocked necessary care and improperly resulted in coverage denials, inappropriately inflating insurance companies’ profits in the process. By contrast, insurers argue that the rules can improve quality while controlling costs.

However, comprehensive public data about the frequency of medical necessity denials is lacking, especially about coverage paid for by employers. In April 2024, the consulting firm Kodiak Solutions issued a report showing that health insurers’ claim denials have ballooned by 42 percent since 2020, from 1.2 percent to 1.7 percent. The Kodiak study aligns with reports from healthcare providers, who say they’re clearly encountering more issues with insurance denials. 

Cyberattack’s Costs Could Reach $2.45 Billion

Surprisingly, even though UnitedHealth reported much larger expenses due to the cyberattack’s fallout, the healthcare giant’s earnings for the second quarter of 2024 nonetheless beat Wall Street analysts’ expectations.

In April, the conglomerate underestimated the cyberattack’s impact by more than a billion dollars. UnitedHealth now says that the total impact will cost the firm between $2.3 billion and $2.45 billion during 2024. That total will include larger direct expenses to financially support healthcare providers harmed by the attack and costs for notifications that consumers will receive later during the summer. 

As we pointed out in our previous coverage, healthcare providers have struggled for months to bill for their services because of the outage at Change. And the lawmakers at the two Washington hearings criticized Witty for not doing enough to compensate providers.  

For example, Republican Senator Marsha Blackburn of Tennessee complained that providers in her state were still struggling to get paid by UnitedHealth. “It is like you all can’t figure this out,” she said. “When can Tennessee providers and hospitals expect you all to clear the backlog, to catch up, and be back to normal?”

But despite the assertions of Senator Blackburn, UnitedHealth Group’s second quarter 2024 earnings report paints a different picture. It turns out that as of April, UnitedHealth had already spent more than $6 billion on funding advances and zero-interest loans for healthcare providers. As we go to press in July, that total has now soared to about $9 billion. And while continuing to deliver financial assistance to providers across the nation who still need support, the firm asserted in the statement accompanying the report that it had restored most of the Change Healthcare services that it had shut down as soon as it discovered the hack. 

Despite the crisis, the company had actually earned $6 billion more than it did during the second quarter of 2023, with 2024 Q2 revenues of $98.9 billion. However, because of all the fallout from the hacking incident, net income fell. Last year the firm’s profits were $5.4 billion during the second quarter, but this year UnitedHealth only posted $4.2 billion in net income. 

Although that total amounted to about a 22 percent decline, it was still less of an income slide than some analysts had predicted. In an upbeat statement released with the earnings report, Witty said “the diversified, durable growth across UnitedHealth Group stems from our colleagues’ commitment to ensuring high-quality, affordable care is available to the people we serve, and positions us well for the near- and long-term.”

“We operate in an environment where change is constant,” Witty later added during an investor conference call. “What you’ve come to see is that when changes happen, foreseen or unforeseen, we just deal with it.”

Douglas Mark
Writer

While a partner in a San Francisco marketing and design firm, for over 20 years Douglas Mark wrote online and print content for the world’s biggest brands, including United Airlines, Union Bank, Ziff Davis, Sebastiani and AT&T.

Since his first magazine article appeared in MacUser in 1995, he’s also written on finance and graduate business education in addition to mobile online devices, apps, and technology. He graduated in the top 1 percent of his class with a business administration degree from the University of Illinois and studied computer science at Stanford University.
