House hearing on Change Healthcare hack: Providers testify – UnitedHealth a no-show
During the first congressional hearing on the Change Healthcare cyberattack on Tuesday, lawmakers zeroed in on the 2022 merger of UnitedHealth and Change Healthcare, which some members said was a national security risk.
Congressional leaders asked providers about the fallout from the Change Healthcare cyberattack during a Tuesday hearing, and they got an earful. Witnesses shared stories of interrupted cash flows, high-interest loans, substantial administrative burdens, fragmented care coordination and resulting confusion for patients in testimony before the House Energy and Commerce Committee’s Subcommittee on Health.
“This really deserves a strong response from the Congress, the outrageousness of this,” said ranking member Rep. Anna Eshoo, D-Calif. “It’s too important; it’s an entire sector.”
Rep. Michael Burgess, R-Texas, himself a physician, agreed. “One of the things that concerns me so much about all of this is, everything that we’ve talked about seems geared toward blaming the victim,” he told a surgeon who testified. “You are the victim in this; this is not your fault, you did not leave the data out on the sidewalk for someone to drift by and pick it up like it was an abandoned wallet. You were attacked. The government should be helping you with that. Change Healthcare should be helping with that.”
UnitedHealth Group, the parent company of Change Healthcare, was invited to participate in the session but did not attend. Lawmakers repeatedly described its decision not to attend as “extremely disappointing” and “appalling,” although the company has committed to appearing before lawmakers at a later date. On Monday, the committee sent a letter to UnitedHealth Group CEO Andrew Witty requesting information about the impact of the cyberattack, the actions the company is taking to secure its systems and the outreach to the health-care community in the aftermath.
Late last year, the Biden administration began establishing a series of cybersecurity performance goals and other enforcement incentives to improve health care providers’ adoption of cybersecurity best practices.
Subcommittee Chair Brett Guthrie, R-Ky, said he appreciated the administration’s work but said he “can’t help but wonder if we could have avoided the most recent event if these steps were taken much sooner. While I don’t ever believe it is ever too little too late, we have our work cut out for us.”
Related: Hospitals, providers still scrambling to get paid after Change Healthcare cyberattack
Each witness and several representatives said they would recommend increased consideration of cybersecurity risk when regulators consider a proposed merger. Several hearing attendees also warned that events such as the Change Healthcare disruption actually could fuel increased consolidation by forcing financially threatened providers into the arms of larger entities. Questions also arose about whether the government wrongly allowed UnitedHealth Group to grow too big and powerful through mergers and acquisitions, leaving hospitals and doctor practices too dependent on a smaller pool of critical vendors.
“The past two months have shown everyone what Change knew years ago: The health care system did not work without Change Healthcare,” said John Riggi, national cybersecurity adviser at the American Hospital Association.