House subcommittee members grilled UnitedHealth Group CEO Andrew Witty over the recent Change Healthcare cyberattack that left providers in financial turmoil and constituents without their prescriptions. Witty expressed deep remorse for the incident, which occurred after UnitedHealth’s subsidiary, Optum, acquired Change in 2022.
During the hearing, Witty revealed that a $22 million ransom in bitcoin was paid to protect patient health information. He admitted that the attack exploited outdated systems lacking multi-factor authentication, a vulnerability that has since been addressed.
Lawmakers questioned why a company as profitable as UnitedHealth failed to secure the Change system post-acquisition. Witty acknowledged the oversight and assured the committee that restoration efforts were underway, with all claim holds lifted and operations gradually returning to normal.
However, the American Medical Association contradicted UnitedHealth’s claims of swift recovery, citing ongoing financial struggles for physician practices affected by the cyberattack. Small practices continue to face revenue loss and operational challenges, prompting concerns about the consolidation of healthcare entities like Change and UnitedHealth.
The hearing shed light on the widespread impact of the cyberattack, prompting calls for greater cybersecurity measures and shared responsibility across the healthcare sector. Lawmakers emphasized the need for transparency and accountability to prevent future breaches and safeguard patient care.