In a tense Senate hearing on Wednesday, lawmakers sharply criticized UnitedHealth Group’s handling of the cyberattack that paralyzed the U.S. health care system, citing the failure of its security systems and the potential disclosure of sensitive medical information of millions of Americans.
Democratic and Republican senators questioned whether the cyberattack of Change Healthcare, which manages a third of all U.S. patient records and some 15 billion transactions a year, was so vast because UnitedHealth is too deeply embedded in nearly every aspect of the nation’s medical care. UnitedHealth Group is not only the parent of Change but also the parent of the country’s largest health insurer and a big pharmacy benefit manager (Optum). United also oversees nearly one in 10 doctors in the country.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Senator Ron Wyden, the Oregon Democrat who is the chairman of the Finance Committee.
The U.S. health system was thrust into chaos after the Feb. 21 attack on Change, which serves as a digital highway between health insurers and hospitals and doctors. Patients could not fill prescriptions, and hospitals and doctors faced a severe cash crunch because they could not be paid for their care.
UnitedHealth’s chief executive, Andrew Witty, was summoned to testify before both the Senate Finance Committee and the House Energy and Commerce Committee.
On Wednesday morning, he defended the company’s efforts to restore services and apologized.
“As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are worried about their private health data. To all those impacted, let me be very clear: I am deeply, deeply sorry,” he said.
But Mr. Witty acknowledged the lax digital security that enabled hackers to enter Change’s network and conceded that United fumbled initial efforts to help cover payments for providers.
Just last week, United began to reveal that hackers did get access to some patient data, although Mr. Witty told the senators it would be quite a while before the company would have a solid grasp on how extensive that breach of patient information was.
Mr. Witty said that UnitedHealth was working with regulators to determine when and how to begin communicating with people who were affected.
“We want to try and avoid piecemeal communication,” he said.
United was forced to shut Change’s systems down completely for several weeks, prompting testy exchanges between senators and Mr. Witty over the pace of reimbursements to hospitals and other providers.
Mr. Witty told senators that “claims flow across the entire country is essentially back to normal.” Mr. Wyden said that he had heard from providers who filed claims in February that it would take until at least June to be reimbursed.
“We can move absolutely faster than that,” Mr. Witty said, asking to be put in touch with any organization that had complained to Mr. Wyden.
“Practically every provider I bump into is waiting to be paid,” Mr. Wyden shot back.
Minutes later, Senator Marsha Blackburn, Republican of Tennessee, echoed Mr. Wyden, accusing Mr. Witty of presenting a “rosy” portrayal of the reimbursement process and saying that her office had been bombarded by calls from health providers waiting to be paid.
One hospital in the state had a backlog of Medicare claims equivalent to a month of revenue, Ms. Blackburn noted.
“Every day they call to get an update. Every single day they’re calling. And they get the runaround every single day, repeatedly,” she said. “It’s like you all can’t figure this out.”
Mr. Witty also acknowledged that the company paid a $22 million ransom to the attackers, saying “the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever hard to make.”
The F.B.I. and other authorities are investigating the hack.
UnitedHealth has been criticized for being circumspect about the details of the attack.
“You’ve been all over the map in terms of personal accountability,” Mr. Wyden told Mr. Witty. “You have consistently downplayed your role in this.”
Mr. Wyden said that UnitedHealth had failed to enforce the most basic kind of cybersecurity measure — so-called multifactor authentication.
Mr. Witty said that as of Wednesday, all of UnitedHealth’s “external-facing systems” were deploying that form of authentication. The company had also brought in outside groups to do additional scanning of the company’s technology, he added, and had hired Mandiant, a cybersecurity firm, as an adviser.
“This is some basic stuff that was missed,” Senator Thom Tillis, Republican of North Carolina, said, holding up a copy of the book “Hacking for Dummies.”
The hearing gave Mr. Witty the chance to offer a more detailed timeline of the hack and the response to it.
The cybercriminals gained access to Change’s systems on Feb. 12, nine days before UnitedHealth realized it needed to shut them down. Mr. Witty emphasized that the company quickly prevented the attack from spreading beyond Change to the parent company or any of its other units, like Optum or the health insurer. “We contained the blast range just to Change,” he said.
Mr. Witty also argued the vulnerability of the health care system to hacks goes way beyond United, which he said repeals an attempted intrusion every 70 seconds alone. He said that because United only acquired the Change system 18 months ago, it had been unable to fully revamp Change’s “legacy technologies” that made it vulnerable to the hack.
Mr. Witty said at a different point in the hearing that he was sympathetic to providers who were reluctant to use Change again.
“The reason why it’s taken longer than you might expect to recover is we’ve literally built this platform back from scratch, so that we can reassure people that there are not elements of the old attacked environment within the new technology,” he said.
United’s acquisition of the Change network in 2022 was held up by some senators as an example of mass consolidation in the health care industry. The Justice Department, which oversees health insurers, tried to block United’s purchase of Change, but failed to persuade a federal judge that the deal was anticompetitive.
Senator Elizabeth Warren, Democrat of Massachusetts, labeled UnitedHealth “a monopoly on steroids,” noting more than once that it was the 11th largest company in the world.
She accused United of taking advantage of the chaos created by the hack to acquire even more doctors’ practices, saying it now oversaw one in 10 of the nation’s doctors.
Mr. Witty disputed her claims, pointing to sectors where United did not do business. “Despite our size, we own no hospitals in America and no drug manufacturers,” he said.