Congressional Committees Hold Hearings on Change Healthcare Cybersecurity Attack

On May 1, both the House Energy and Commerce Oversight and Investigations Subcommittee and the Senate Finance Committee held hearings questioning UnitedHealth Group CEO Andrew Witty on the recent Change Healthcare cybersecurity attack. Both hearings highlighted vulnerabilities within UnitedHealth Group’s systems, questioning the preparedness and response to current and future cybersecurity threats.  

Key points raised included uncertainty in the number of patients who now have compromised privacy, as well as the number of providers who went without reimbursement and thus experienced significant cash flow problems. Additionally, both committees emphasized the issue of Change Healthcare's failure to implement a robust two-factor authentication system before the attack and the subsequent jeopardization of patient data as a result. Witty explained in his testimony (PDF) that UnitedHealth Group has, in fact, found “files containing protected health information and personally identifiable information,” in extracted data jeopardized by the attack. He claims that since the attack, UnitedHealth Group has committed to working diligently to rectify the damages by prioritizing patients' access to care and quickly finding alternative channels to restore transaction flow. He additionally recommended federal policy solutions to strengthen national cybersecurity infrastructure and expressed support for mandatory minimum-security standards.