Fraud Management & Cybercrime , Government , Healthcare

Congress Asks What Went Wrong in Change Healthcare Attack

Parent Company UHG Is a No-Show at Hearing & Faces Data Leak, Attack Costs of $1.6B
Congress Asks What Went Wrong in Change Healthcare Attack
Industry experts testify at a House Energy and Commerce Committee hearing Tuesday on the Change Healthcare attack. (Image: U.S. Congress)

The aftershocks of the Change Healthcare cyberattack are still reverberating through the healthcare sector nearly 60 days into the recovery process. But on Tuesday, members of Congress and industry experts grappled with how to avoid a future replay - minus a key witness: UnitedHealth Group, parent company of Change Healthcare.

Instead of traveling to Washington, D.C., to discuss the attack's effect on the healthcare industry at a House subcommittee hearing, UnitedHealth Group released its earnings and told financial analysts the attack had an "unfavorable effect" of $872 million on first quarter 2024 earnings.

See Also: On Demand | Defining a Detection & Response Strategy

Yet the company's revenues grew nearly $8 billion year over year to $99.8 billion - surpassing Wall Street's quarterly expectations. For the year, the attack could cost up to about $1.6 billion, the company said.

Meanwhile, far away from Wall Street and the U.S. Capitol, hackers on the dark web reportedly have begun to leak data they claim was stolen in the Change Healthcare attack. Cybercriminal gang RansomHub reportedly has posted several screenshots on its dark web site that supposedly show a sample of the 4 terabytes of data allegedly stolen by an affiliate of another ransomware group - BlackCat/Alphv (see: Second Gang Shakes Down UnitedHealth Group for Ransom).

"RansomHub claims that the UnitedHealth/ChangeHealthcare is now for sale," said Brett Callow, a threat analyst at Emsisoft on Tuesday on X, formerly Twitter.

The RansomHub listing claims the Change Healthcare/UnitedHealth Group data stash pertains to "tens of insurance companies," including Medicare and Tricare.

Too Big and Dominant?

While UnitedHealth Group contends with this latest dark web development, the House Energy and Commerce Committee's Health Subcommittee members and industry witnesses deliberated on the many factors that led to the mass disruption caused by the Change Healthcare attack.

Lawmakers, for example, questioned whether the company's cybersecurity planning had been robust enough to weather such an incident. Experts testified they did not yet know the inside scoop. Questions also arose about whether the U.S. government wrongly allowed UnitedHealth Group to grow too big and powerful through mergers and acquisitions, leaving hospitals and doctor practices too dependent on a smaller pool of critical vendors.

"When UnitedHealth Group proposed its acquisition of Change Healthcare in 2021, the AHA wrote to the Department of Justice to express its significant concerns about the transaction, explaining that the acquisition also will concentrate an immense volume of competitively sensitive data in the hands of the most powerful health insurance company in the United States," testified John Riggi, national cybersecurity adviser at the American Hospital Association.

"The past two months have shown everyone what Change knew years ago: The healthcare system did not work without Change Healthcare," said Riggi, a former longtime FBI official before joining AHA.

Greg Garcia, executive director of the Healthcare Sector Coordinating Council, told lawmakers that U.S. regulators need to carefully consider future mergers and acquisitions in the healthcare sector to weigh the potential for increased cyber risk and "catastrophic" impact on the ecosystem involving a "single point of failure" and lack of redundant systems.

In the attack, Change Healthcare had to shut down more than 100 applications that hospitals, doctors and pharmacies rely on. Many practices are still dealing with the fallout two months later as the company restores the last of those systems (see: Change Healthcare Attack 'Devastating' to Doc Practices).

Dr. Adam Bruggeman, an orthopedic surgeon at the Texas Spine Center, testified that unlike many other small providers, his practice fortunately had sufficient cash reserves to continue operating and treating patients without receiving any payments for many weeks during the Change Healthcare outage.

"This means we did not face the immediate prospect of closing our doors. However, there were still significant challenges," he said.

Even as systems are coming back online, problems with payment and other areas persist - and the workloads to catch up on are abundant. That includes helping patients rectify incorrect bills they are receiving for care they received during the outage, for which the practice could not submit claims to payers. "My staff has to spend countless hours instructing patients to disregard these erroneous bills," Bruggeman said.

Several witnesses testified that efforts to promote the adoption of stronger cyber practices and controls in the healthcare are important but should remain voluntary - and be incentivized through government resources, such as grants, rather than enforced through the threat of penalties.

Such financial help is especially needed by smaller, specialty and rural entities, testified Scott MacLean, CIO of MedStar Health and chair of the College of Healthcare Information Management Executives.

"With the healthcare sector only as strong as its weakest link, it is imperative that the federal government prioritize programs designated to aid small and under-resourced healthcare delivery organizations to protect themselves against, detect, respond to or recover from cybersecurity threats," he said.

"Cybersecurity must be a joint responsibility across stakeholders throughout the entire ecosystem of healthcare - not simply a subset."

UnitedHealth Group to Testify in Future

On Monday, a day before the hearing, the House Energy and Commerce Committee in a letter grilled UnitedHealth Group CEO Andrew Witty about the Change Healthcare attack and the company's response to the incident.

The long list of committee questions included asking whether the company will commit to releasing publicly "an after-action report on the cyberattack on Change Healthcare, including steps UnitedHealth has taken to improve the security of Change Healthcare's systems and prevent prolonged system downtime."

During the hearing, some members of the House Health Subcommittee complained that UnitedHealth Group - Change Healthcare's parent company - declined to send a witness to testify at Tuesday's hearing.

More than one committee member even suggested that UHG should be subpoenaed to testify before Congress. But by the end of the hearing, ranking member Anna Eshoo, D-Calif., announced that she had just learned that UHG agreed to testify at an upcoming congressional hearing. She didn't say which one.

The Senate Finance Committee is also planning a hearing on the Change Healthcare attack, but it has not announced a date or list of witnesses.

UnitedHealth Group did not immediately respond to Information Security Media Group's request for comment.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.