this is about two hours and 15 minutes. [inaudible conversations] [inaudible conversations] >> the finance committee will finance committee will come cto order.k we examined the change healthcare act that nearly brought the healthcare system to a stand till. joining us is mr. andrew woody.

he will-call uhg and own change healthcare. let's put i things in prospective. they generated $324 billion in making it the fifthbillion in largest in the country. touchedos 152 individuals across all lines of business. insurance, home health, and pharmacy. with it's profits uhg purchased dozensth of healthcare companies and the largest purchaser of practices. i this corporation is a healthcare -- i believe the bigger the company the bigger the responsibilityty to protect systems from hackers uhg was a bigd. target long before it was hacked. the fbi said the healthcare industry is the number one target of er one

ransomware.y 15 billion transactions annuallh are done and third of american patient records pass through it's digital doors.an change specializes in moving patient data from doctors office to doctors office or to and from your insurance company. thatur means medical bills chald full of sincive diagnosis, treatments, medical histories that reveal everything from abortion to mental health disorders to diagnosis of cancer tod sexually transmitted innex. military personnel are included in the data. leaving this sensitivein information vulnerable to hackers whethers, criminal or foreign government is a member of the senate select committee on ill tell against a clear threat. i don't think it's a stretch the

etimpact here rivals the 2515 hk of government data from the office of perp nel management. the fbi called that a treasure attorney-client privilege of counter intelligence information for foreign intelligence sources. united health group has not revealed how many patients private medical records were stolen, how many providers went without reimbursement and how many seniors were unable to pick up their prescriptions as a result of the hack. the failures of ceos like mr. whitey who months in can't figure out how many people had their data stolen validates the fbi warnings in the wake of the cohack united disconnected chane from the rest of the healthcare from the rest of the healthcare it took weeks to put providers

in my home state of oregon doctors and hospitals went weeks without getting pay. they couldn't reimburse provider s providers including recepts for services and ability to reimburse patients are not back-up and running. mental health providers are unable to get straight answers on how long this outage willhe last. americans are in the dark about how much information was stolen. the credit monitoring service is

offering comfort to all of these flustered patients. the healthcare hack is considered to be the biggest disruption to healthcare in american history. it is in my view exhibit a the country needs tough cyber security standards. -- they need to meet minimum cyber security standards unlike the industries regulated. meeting al baseline of cyber security is a must. ssit's meaningless without strog enforcement. health and human services hasn't conducted a pro active cyber security audited in happen years if a company doesn't comply with

the regulations this amounts to nothing but a slap on the wrist. rithey need to fast track rules for americans private records and congress needtions to watchdog this to make sure what's getting done is the essential of protecting da. the change hack is a warning about the consequences of twof big to fail mega corporations gobbling up larger shares of the healthcare system. it's long pastime to do a scrub of the united health of ikanticompetitive practices that prolonged the fallout from the hack. for example change healthcare contract prevented one-third of providers from switching clearinghouses even though the systems were down for weeks.

the accountability starts at the top of before the hearing i asked the company which members have cyber security expertise. iduhg pointed to charlie baker o sign technology related legislationgo yearless ago in ti governor of massachusetts uhg used an expert we owe the people an explanation how they didn't protwofo party authentication oa service. e the plans were adequate and how long it will take to finally secure systems. i hope today's hearing can sa

make -- i encourage you to focus on the subject in hand. it's so important and vital. >> thank you mr. chair. i appreciate you holding this hearing today. on february 21, 2024 united health group learned they were the victim of a cyber attack launched by a nation state cyber security threat actor. in response change, the nations largest clearinghouse that processes $1.5 trillion inll medical claims annually disconnected all of it's systems to prevent the hackers from obtaining additional data. the fallout from this attack has effected the entire sector. by crippling changes'

functionality theyer left providers unable to verify patientscl insurance coverage, submit claims. generate cost estimates and process prior authorization requests. in the immediate aftermath of the attack many had to rely on reserves. american hospital association survey found that more than 90% of hospitals were impacted by0% the attack with more than 70% reporting the outage effected their ability to care. more than two weeks later the department of health and human services released guidance. on f march ninth they made accelerated and advance payments available to impacted

providers. the administrations delay exacerbated a landscape with concerns about access to medical services and life saving drugs. the february hack on change was the most disruptive cyber attack ony the healthcare industry to stdate. it wasn't the first. according to a report by the fbi the healthcare system experienced more attacks than any other sector in 2023. in t addition to the processing and revenue issues experienced byon providers and healthcare information was obtained by malicious actors. unfortunately, data is increasinglyy, attractive to cyr criminals seeking to use that

information f for brack mail or idy at no time think of the. they can have a devastating impact for years. many of their functions have resumed trust in the platforms need toen be rebuilt. we owe it to american patients and healthcare providers from health systems to klinenitions and community pharmacies to insure this doesn't and cannot happento again. today's hearing offers a valuable opportunity to learn from the uniteds experience to quickly react to sigh per attacks. cyber structure notifying en

phonement will offer lessons on a resilient system moving forward. which ren we mess assess the response of the government playing a critical role in those efforts. hhs hasdi a responsibility to convene insights from other branches oaf government and the private sector to deploy timely information abouts threats as well as best practices to stop intrusions and resources should an attack occur. thank you for being here tocu discuss building a secure and responsive healthcare system. thank you mr. chair. >> thank you, senator. an draw is the chief executive officer of the united health group. of prior to that executive vice president of united health and fceo of optum.

we appreciate you being here. i believe you will take 5iv minutes to share your testimony and interest and you will get can questions and do what i can. mr. whitey. members of the committee. thank you for the opportunity to testify heree today. i'm the chief officer of the united health group we want be to make the health system work better for everyone. we pursue through the two businesses united healthcare providing a full range of benefits and optum bringing together care delivery, pharmacy services and patient center cared. change is part of optum. this allows information to flow

between governments. i appreciate the committee interest in the cyber attack on change healthcare. people worried about their data. to all of those impacted, let me be clear, i'm deeply, deeply sorry. our e our response so to secure systems. provide acsises to care and medication and assist providers with their financial needs. we have deployed the full resources of united health group. we will not rest, i will not rest, until we fix this. cyber experts continue to invest date the incident. we will learn more and eunderstanding might change this is what i can share today. cyber criminals interred a

portal and exfull traited data and deployed ransomware. the portal was not protected. our response was swift. we impleadly severed connectivity andpry vented malware from spreading. it worked. no evidence of spread beyond change healthcare. within hours of the random ware launch we contacted the fbi. we keyboarded share information so theti criminals can be brougt to justice. as we responded to the attack including dealing with the for random we do with the everything prosessable to protect peoples person nal health information. the decision to pay a ran some was mine. the hardest decisions i every had toad make. i wouldn't wish it on anyone. as you know, we found files in

the data with person nal identifiable inflammation covering a substantial proportion of people n america. so far, we have not seen evidence that materials like doctors charts ore medical history was exfull traited. it will take several months to identify and notify those impacted. rather than waiting to prevent the review. we have offered monitoring and polyvied support services. anyone concerned their data might have been impacted should visit change cyber support for more information. meanwhile, we continue to make progress in restoring change healthcare services.

first, the team build a new technology environment in a few weeks. second prioritized restoration ndefforts on services most vital to insure access so care. pharmacy services and claims. third, while the efforts were underway. we worked to provide financial assistance tota providers who nd it. we have add advanced more than $6.5 billion in payments and no interest no fee loans to ntthousands of providers. most of the funds are for claims for nonuhc health plans and 34% have gone to safety net hospitals and health centers.ss we will do this for as long as it takes. if there are prodescribedders in your state that need hip put us

in touch with them. fighting this crime is a hugees task and requires policymakers to come together. i look forward to answer your questions today. >> thank you, let's begin with this. this hack could have been stopped with cyber security 101. i'm talking specifically about multifactor authentication. mfa. when your bank app asks you to enter a code sent by text or e-mail, that's mfa. itit secures your account if yor password is learned. yet your testimony revealed the first sever that was hacked didn't have multifactor authentication. so, question one, i'd like a yes

or y no answer to it. kidney of your senior management knowow uhg wasn'try quiring mfa company wide? >> thank you for the question. our c policy is to have mfa for systems. >> so, if the answer is yes then that makes my point on your watch there was a cyber security failure abdomen then that's what caused the harm to patients healthcare sector in your investors. hceci don't believe there are ay excuses. my second question is will you commit within six months to require multifactor authentication company wide ande meet the tough mfa standards arequired of federal agencies,

again, yes or no answer.r >> yes, i'm happy to commit to that. as of today across the hall of uhg all systems have gone multifactor authentication. >> we will take that as a yes. it shouldn't have taken the worries cyber attack in the healthcare sector to do this bare minimum. second, with respect to national security. people claiming toct be involved with the hack and stole ca ta on u.s. government employeesmp including active duty members. my colme regals remember the hak of opm government personnel data that posed very serious concerns. i'm very concerned, as i said, about the national security imindications as

wwell. can you say if the hackers stole datau. pertaining to u.s. government employees? >> i'm concerned ability any patients information. in the context you just described so far through the process of working through the data. washington we have been able to identify iss a substantial proportion that could be implicated here. we believe members of the armed forces -- >> when can you give us in writing the number of military personnel? >> i give you my commitment? >> a week? two weeks? >> two weeks i expect it. >> we will proprioritize that. >> all right, let's talk about why a things are taking so long

and how hard providers are being hit. they are paying price for the failures that have been made on your watch. how much longer will they have to wait to be paid? >> mr. chairman. flow across the entire coup try is back to normal. certainly from a united health group prospective. we are paying claims as soon as they arrive -- >> providers tell memp it will take until june to clear the backlog. can we do that earlier. >> we can do it faster. >> when can you expect to have it cleared? >> we believe the system is back to no l r normal. >> every provider i bump into is

waiting to be paid. >> the payments from united have been made. we are caught up. >> will you commit to waving deadlines for timely filings and appeals for claims until everest is back in order. >> we have waved those. >> plan business operations. >> we are happy to engage. >> please send that to me in writing how composition system would work. let'sns mention one other area ervery quickly. i have followed your comments andd consistency, your views minimize the impact of your involve. you say united payments account for 6% payments in the healthcare system. that's basically hiding the ball. in 2022 the department said the change had records of 211

individuals going back to 2012. how many people have been impacted? find the files. what medical information was stolen. i need answers to those three questions. how many impacted? where did you find the files? what information was stolen. >> that's top priority. we are working our way through hrthat. we have not i didn'tfied anything like medical records o. >> you cannot tell us what dataw walked out the door. which have been working to get that. >> thank you, mr. chairman. the fbi warned the healthcare sectors attracted to cyber

criminals. united experiences a cyber intrusion once every 70 seconds. nationwide, side ber security preparedness appear to be disjointed. without disclosing security related details, how do you intend to revise unites experience? >> let me reiterate how serious we take it and diligent we are working to make it right technically and make sure we have to expand the patient implications.on your question how we responded. we have multifactor authentication on external systems e which is in place. >> can i interrupt, part of my

mquestion is. i want to make sure you are responsive. ois it as system as fixing the multifactor system? >> that's one element. it's only one element of the defense. making sure we have implemented in addition to normal scan of technology and environment we brought third party to do scanning across the system as a protection lawyer. we made the decision to straighten oversight of cyber security at the company which bringing to the board on an everyev meeting basis which is leading advisory service that's been helpful and become a board make sure we have thee a board best. >> would you agree, this

stronger approach needs to be standard across the healthcare industry. everything from government to private sector and frankly, the entire aspect of the healthcare system. >> i would agree with that. what we saw at change healthcare which was a company that just came in the group was a company that had older legacy technology. it's typical of many small to medium sized organizes in the healthcare environment. therefore inevidencably, a lot of work to be done to up agreed the standards. i agree with your assertion. >> thank you, i'd like to move onto restoration and protection of patient information. your testimony indicates pharmacy services and medical claims are flowing at near normal levels, is that accurate? >> yes. >> the effects of the attackct

continue from revenue backlogs . . . would also like e essence of the attack took place we encouraged providers to divert their volume two other competitors to change of which there are several. many of then continue to operate through those channels which is another way in which normal service has risen. >> have you heard reservations from providers about reconnecting to change?

and if so, how are you working to address those concerns? >> mr. chairman, yes, i think that's a natural and could concern for people to after a data, after an attack like this. you want to be reassured the system is safe to be reconnected. that's why we disconnected so quickly in the beginning so we didn't infect anybody else hear the reason why it's taken longer than you might expect to recover is real literally built this platform back from scratch. so that we can reassure people that there are not elements of the old attacked in private with the new technology, at the new technical environment that we've created. we are sharing all of those details with clients and customers as they reconnect and i'm pleased to say they are reconnecting substantially. >> all right. thank you. and finally would you share an update on your understanding of the magnitude and the type of patient information that may have been obtained by the hackers? and when you expect to begin the process of contacting impacted

individuals? >> thank you for your question. we are working closely with the regulators on that last point of time, how to and when to start communicating. want to try and avoid piecemeal communication and it's our top priority to get this done just as fast as possible. >> thank you. .. getting clarity about substantial portion of people in america affected by this because it looks like anybody doing business and i will tell you the reality and providers in placing

is wildly different picture you statement processing similar 86% incidence levels this morning you said it was back i will tell you there is a backlog any of our providers in hospital staff are not able to get in and make these claims here's a good instance small independent hospital. they have diligently submitted all of their claims burdened with the backlog of medicare

claim equivalent to 30 days of revenue. waiting things to be transmitted because of the missteps you all have had.

experience. we will reach out to find the names and we will get connected. >> every hospital, every provider. hospitals pulling on a line credit, are you going to pay that interest? >> we are offering -- like i said, are you going to pay the interest cost? one of surprises the chairman mentioned is lack of redundancies built into the system. your revenue is bigger than some companies gdp. how in heaven's name do not have the necessary redundancy so you did not experience this attack

and find yourself so vulnerable? >> they for the question. first, the united health group, were in the process of upgrading. the attack itself backed up. we have work so we know and it is not aggressive from the attack. >> was there not in thought process in place on the front end? you can protect yourself from vulnerability.

>> you are in a hospital. >> i'm fully aware of. >> there again, for whatever reason for sightedness not having a plan to incorporate -- let's move on. widely acknowledged the temporary assistance program fails to adequately address financial setbacks caused by this. we got one provider disclosed receiving a down payment significantly below their usual daily revenue of $20000. these providers resorted tapping into personal savings, seeking loans from banks. are you going to cover all of

those costs they had to incur in order to keep the doors open because you did not have an appropriate backup plan? >> your companies slow progress restoring services advancing prd operational disruptions with consequences for providers, and patients across the nation. for weeks, hospitals and providers had to deal with low offers to the company and in some cases less than 1% of the typical filling while patients suffer. the company is the nations largest private health insurer and largest position employer in the every quarter.

it is unacceptable but it took so long to help providers during a crisis of your creating. now i'm concerned what's going to happen on the back so commit to not exploiting the markets you created to further acquire city areas? >> absolutely will not take advantage. we have not. i would like to reassure you we understand in the efforts to go quickly we didn't get all of the terms right. we fixed very early and have been able to advance $600 billion. >> united healthcare divided about volume and financial support to providers but you are dealing with an enormous claim easily over $14 billion. some estimates at many

multiples. your exhilarated event payments for a tiny fraction of the total amount of services. it is my understanding united healthcare and city areas no the money the average provider bills. providers in my state and across country are struggling keep their doors open as they waited for payments. what reasonable explanation could you have for taking so long to get these payments out the door? >> thank you again for the question. you not know from other payers why our initial approach is not as effective as we would like. put in place a mechanism giving them loans within hours of applications and it remains

available. >> it seems almost incredible do not know a company established even though flow of the daily weekly monthly amount is, hard to believe. >> we understand the flow we are payer and those would be the situation as i'm sure you are aware making loans for the cash flow. >> it seems you waste a lot of time trying to pull a fast fast one on providers. coming loan repayments and claims backlog is clear? >> we have streamlined and yes, we've already told providers is no need to repay interest-free loans until 45 days after they have concluded. >> do the loan terms prohibit

how providers from working with united or ockham's competitors? >> no. >> following the breach you were offered to do notifications for hospitals and providers still grappling with ongoing disruptions to daily operations. this commitment is an important step in the right direction as writer should not be found by the burden of providing notifications but no medical group can rely on vague promises and containing no specific for implementation providers mounting concerns about their own regulatory exposure united not fulfill these offices. patient aware of disclosures of their senses provide even has proven biden. when concrete details on notifications and writing on united healthcare?

>> you want to get it done as fast as possible the was regulars. >> i think it will be in the next several weeks. >> mentation about the reliability very clear. >> are likely to respond to the committee. >> health and human services regarding article and perception within the healthcare sector. the need for strong relationship public and private partners to ensure the safety of critical

structure systems. i inquired about legacy technology systems. cyber attacks on healthcare system not only have severe impact on our economy but it's up. my first question is, united health relationship and government agencies as it relates to cybersecurity of the healthcare industry, how have hhs and cybersecurity and information security agency work with your company in the aftermath of the failure? daily engagement within hhs truly engaged in terms of how we work to support providers to prioritize system and the fbi

has been our prime partner in response to the attack you not health group that need if so, what is venting to update? >> a company that came into our organization with older technologies in many different technology generations. as we always do with companies like that probably strive to upgrade united which i believe higher than the companies with brought into the organization. >> i think you touched on it but let me ask havoc taken and software? you repeat that, please?

>> he said he couldn't understand. >> has united health group taken every available option to remove safety risk and software? >> i'm not sure i completely understand the safety risk. i can assure you -- answering and writing. >> i can do that. my understanding is the change healthcare is one of the medical records in the united states. i like to better understand how bunker source patient data. how does change healthcare

management, is it stored by third parties loading and storing his patient data sent overseas? >> both on premises and a limited extent in the cloud. we into the cloud which created much more secure computer environment. >> in 2023 is united healthcare experienced another cyber taxes room 21. >> out how to come back to you.

we are under attack consistently and i would like to respond out be happy to come back to you will not. >> do you feel company prepared for another cyber attack? >> thank you question. we are doing everything we can to be as prepared as possible but recognize the pressure of the attacks that come in. i believe we are taking every sensible precaution and brought multiple organizations. while i block ways in which we can pressure on the systems we are trying to manage. >> thank you senator grassley. >> the conversation. first let me acknowledge as i

spoke to doctor spectrum the worst is passed on many have said resolved so credit you for the artwork with don. it presents a different set of questions. one, he mentioned united is waiting authorization but change handles claims for others and as we know, sometimes it is denied retrospect retroactively so it is approved and they are called back. we don't know for the it will drop in the future or it will have a problem with the process. to what degree has united work with other insurers to address the uncertainty front authorization and penalized

because of damage done to the system from another insurer. >> thank you question it issues with me and followed him from united your perspective, when somebody applies for prior authorization and it's printed, we never go back in time if they have acquired not. we are supportive prior authorization on the system in terms of getting access. >> the other insurers in this process change within the intermediary.

how about be handled next. >> do they reach out to smooth it over in this. orange the ability of change provides a function? >> thank you. i am clear with the question. let me reassure you think there what people have acted in faith for example, from suitable without getting authorization, they thought it would be okay. we are ordering all of that. >> let me ask you this is a broader question. in our conversation and i gather on an earnings call you point out that asking about the breach, cyber attack was paradoxically validation of the size and scope of the business

partners. i've been told washington post article that i% of u.s. gdp closer united everyday. yes but if you read, the fact that you are so big and dominant presents special vulnerability and you have deep pockets by which to address this but the fact that you're so big means is a wide ranging ripple effect out sized so thing for us would have to ask. is the dominant role of the united to donna because it's into everything it messes with everybody? clear the activity was the same of the day before, it didn't change. >> but i don't want to our imagination to just change.

5% of our nation's gdp closer united everyday been is there something else that could be incurred upon united don't have further reaching effects? >> the whole united are we defendant protect the organization and the two how we can upgrade. >> the size of united is almost on too big to fail insurer because of it fails it will bring down more than it ordinarily would. >> i do believe it is because for example we have no spills in america we do not own any drug manufacturers. he. >> we employed less than 10000. hospitals across america 400,000 she's. we contract an affiliate with

physicians who voluntarily choose to work alongside of colleagues so we are very proud of the positions who were breast but oftentimes the dishes with employed physicians with our less than 1% of adults. >> this is an extraordinarily important issue you are raising. classic too big to fail policy. i the bigger the healthcare company, responsibility to protect i think california beak senators on both sides of the aisle to look forward to working with you. >> our next president in order of appearance would be senator warren. >> in 2023 united health brings it $22 billion making it the

most profitable healthcare company in the country. by revenue, united health is the 11th largest company in the entire world. united health group owns the country's largest insurer of the country's largest claims processor about the country's third-largest benefit manager, pharmacy chain, the largest employer of physicians nationwide or control and with at least 90000 positions testified. one utterly ten doctors in the country, is that correct? >> as part is positions under 10000. >> i think not controlled the work with.

>> because united health brought up every link in the healthcare chain, you are in a position to check up prices and squeeze competitors and revenues and the opportunities for price gouging are everywhere, united health is the biggest purchase in medicare advantage. the government programs that pay private insurers to administer clinica benefits. this web of assisted city areas well-positioned to reagan taxpayer money praxis follow-up cutting to make it look thicker. the vascular disease for the medical art and no clinical basis for the diagnosis and no treatment plan.

according to a 2019 investigation by the hhs specter general, united health is far and away the most aggressive abuser of according practices. you know how much according to the inspector general united health treated taxpayers out of 2017? >> thank you, i'm not familiar. it's only up connie practices. that was five years ago. united health under investigation from the d.o.j. for among other things, billing practices. >> we have a long-standing practice i understand you might

not want to comment on it. although your company has not disclosed this investigation. yesterday i sent a letter raising concerns about $100 billion stock sales united of executive made in the days and weeks before the investigation revealed by the press. >> united health this huge and loose some of the profits with among other things, illegal early tactics and that takes me to the data breach. after the largest ever talk on the healthcare industry in american history hundreds of thousands of healthcare providers at risk of collapse from united help using price expanded monopoly even further.

how do? they filed with regulators to allow them acquire the doctors practice on an expedited basis. while this position united health even bigger? like to put on the record. >> i had a very simple question. will make united health is 11th largest company in the entire world even bigger? >> the organization i hope becomes better. >> regarding talked about business practices.

the question is bigger. for the make united health bigger? as we grow, who become larger. >> using its own data breach just about doctor practices by the same data breach. it's no wonder united told shareholders this would have no material impact on the company's finances. united stop at nothing to grow bigger, bigger and bigger as we speak. it is ruined by private equity and corporate greed. for the psaki of doctors and nurses.

mike next in order, go ahead. >> a different perspective. the largest financial energy in the world is the united states federal government. to incur $45 trillion worth that the largest in the world had all the time. last year we had 236 billing dollars of improper payments run for the largest entity in the world. how 60 obvious you are a victim of the crime, correct?

victims of crime, was hoping utilize your experience to figure out what went wrong so the people watching can try and corrected. they are very sophisticated exploit weaknesses they are well-known. most packs are because of security breaches from can you describe the history and change of healthcare from a hawaii audit and how it supports the

function. >> through a series of interactions and organic growth connector across the healthcare system. one of four to five like the same thing process payments to providers the payers and back a complex thing to do medicare rules hospitals a complex thing to software in network business of about five-point so when against the vulnerability the embrace of the system which is a devastating impact it buildup over years and there was one -- describe exactly where the vulnerability was we were in the

process of upgrading and they were not protected in the server which criminals were able to get in and the policies. >> is probably been breached for that as we go back and do forensics novelty nine bait days before.

>> averages about a couple hundred days there inside the system before they are made known. these are sophisticated actors. what was your response? >> before i was about to change network in the country. that works from a happen. >> we shut down the whole thing. you could have had about better and history own program and

respond to this. we quickly changed that we have had extraordinary updates from folks across the country and judging by respondent like it for the loan which they are chatting just hours supported. we show those loans today even though we do know people who have. >> being subjective. micro center from nevada in a second you have instantly downplayed euro and kind of

cybersecurity. last week and so need to know whether happened. did you know that? >> company only recently come into the group. it was in the process of being upgraded but why wasn't it the first thing you would do? like my understanding the organization and the amount of organization required frustratingly not the. >> to deal with our server, it's not abstract, senator from nevada think of.

meet follow-up on a line of questioning you paid a ransomware to the attackers? 22 million back in the information packers obtained, was that identifiable identification? likely traded. >> and the most personal information individuals were provide you? you have an obligation to protect that? certainly do and we take it very seriously. of course we are incredibly frustrated. >> and bylaw you are required to protect the information state law and federal law, correct? that is correct, and we take the obligation seriously you are also required to be fine those affected that there personal data has been compromised, correct? and you haven't done that yet? >> we are still -- how long will

it take? >> we think it will take several to understand what is the. >> if you happen several weeks how long ago? denied base? >> yes and thank you for the question. we were only able to solve this exactly is talk without data sent back and able to deal with the complex process. >> is a complex because you so much data does hard to identify? >> it's more the data structure making sure we get it right and making sure we get the correct information so there are many nations who do not know their healthcare information is optimized? we have not yet been able to notify people connect let me to something else happening i'm

hearing my kate. a federally horrified el centro with locations across the state like nevada and they rely on and healthcare for real-time eligibility verification. i am hearing despite being back online, critical patient information often seen or mismatched with 50% of payer information in accurate. health centers clarity on where the systems will be corrected but struggled to get reliable answers from united healthcare group so hoping you can provide clarity, when will real-time eligibility and benefits verification functions healthcare network be up-to-date and accurate? >> i will come back to you today with that, i do not have that with me right now but i hope you do because not just my across the country many asking this and for that reason you are aware providers must adhere to timely

filing deadlines set by insurance companies claim reimbursement. if they missed the deadlines, insurers make and i payments lead denied patient care burden the recent act requiring healthcare poses challenges for providers. what you meant to extending health plans deadlines for any claims affected by the change hasn't subsequent out of? >> absolutely michael you agree to extend claims filed before the every 21st ever attack considering the appeals processes for the claims have been disrupted by united health outages? we are happy to do whatever necessary. >> that would be a yes? thank you let me also address but i am concerned about the effect of united healthcare

providers i'm hearing from basic drops in revenue and i missing out missing from the light. 12,000 dollars every week on staff dealing with billing at eligibility issues caused by this healthcare outage. small providers in my state missing just to payments could force foreclosures so my question to you, what steps will united health to compensate the administrative cost cyber attacks? >> thank you very much for the question we continue to make available reloads and more than willing to engage in providers on this as you described industry loans will address administrative?

>> there are no conditions other than they would be repaid 45 days after the provider confirmed they are back to normal. >> okay thank you. >> senator tillis is next. >> thank you in here. i know people have asked about your redundancy plan authentication, could you give me a sense or not internal or external audits identify as a compliance our audit risk? effectively if any qualified systems controls to defy multi- authentication use as a major

risk factor, do not there's a record affect middleware? >> not that i'm aware of. >> if we can find nation or your auditor, if it was identified as an actionable matter. tell me a little bit about redundancy. i used to work in redundancy systems, it sounds like it was not smooth. how does that not make it into an audit as well? >> thank you for the question. i agree it is frustrating switchover. >> your an information technology provider a large-scale democrats right so within change healthcare company that only recently came in the organization in the process of being graded. the attack itself implicated

prime at back up environment so partly do to the technology. the elements we bring back immediately and the technologies. >> i used to bring this we had to go and finance but hacking for dummies, the best addition that doesn't include the nature developed some basic stuff so shame on the systems for redundancy, they are not doing their job and as a result the data breach right side judiciary committees by been on finance

the damage to the consumer's data is you got to keep them whole. enterprise is based on movement of data, exchange data and that's how you create data so you have a breach, except to be your problem, not my problem so everything you do to keep those old for any damage is just a function of doing business, do you agree? >> full responsibility and we are waiting for that. for anybody can reach us through 1800 interesting challenges about online etc. but we will

make questions for the record. i do not want -- i got a notice think about data breach and interesting will help you with your problem and i will help you with your problem you will not make this difficult for consumers. i will take it for face value you will do this right but it's not a problem of a person who now they have to deal with the consequences of the use of their data, it's got to be your problem i hope back if you remember three or four years ago after passing the data breach everybody was talking about how congress needed to act congress has done nothing in part because of the will jurisdictional issue

but ways and to judiciary. we are making a huge mistake not having federal rules of the road data breach and how empathizes have to mitigate the now we haven't devastated thing at different and has distractions for making sure data is captured. >> in terms of bringing together various committees the important. a litigation is vital for prevention it basically helps

the company gets back on its. >> senator langford. >> thanks for being here and there's a lot of conversations. i want to tell your story right together was very bright oklahoman in a rural area and for making these she's the local physician that has close the valve because of the burden think the design self matthew got to the hospital 30 minutes away to meet with doctor that position is one of the provider thursday schedule all she light of the appointment the medicare

advantage. she the coast let's see if there the doctor needs to run tests she can't get done that day insurance company so she has to drive home and they could do it that they can't because they are waiting on prior authorization to procure pop. two years later the hospital stopped taking medicare advantage general saying the reimbursement 20% less than medicare medicare athletic because of prior authorizations out of service for her put her in a triple spot she goes to a local pharmacist to talk to for years and finds out there's a

remarkable pressure from a they not sure it will be able to say open. insurance company tells her we want you to mail your resentful so she part diseases and wants to talk to. i wish this was a story that wasn't true but it is. it is the complications engaging in all of those areas medicare advantage. this is just a reality we are facing here especially in rural areas and in my state 2 million people living urban and 2 million and also it is a reality for those folks propose exact challenges i played out. just saying so you will hear it because it really is a reality of what's happening on the ground. everyday there want to get healthcare and get access to

that. or to put up something we talked about, when hospitals pharmaceuticals will be made whole the issues and reimbursements. one is the time.everybody will need made whole? >> let me first comment one 100% aligned with what you described there and how we can help modernize the system. a government state company obligation. we do need to reduce both positions and make it easier to navigate the system provides the help mitchell this is and how it helps we are very open to ideas and suggestions.

>> the new line. >> there are families that sign up with plans because i know that physicians and sign up in october november but then they find out it switched over in january but they signed up in october. they need to know they sign up for physician opposition will. >> i agree with you in these key areas we need to work together. >> we continue to make sure interest on the capacity remains available work with providers on other issues. >> what you think of it they?

hope months or six weeks. >> that will be helpful for providers. any pacific ideas on the other side the fbi could have dealing with both sides of this ransomware attack, things the fbi could happen doing better that could have been helpful so any books in your company want to pull together a list work on that side as well. >> time has expired. as reluctant as i am breakup was psychic, we have people coming and going. i want to get senator casey but we can break this up. >> thank you, mr. chairman. roger here.

owns and operates tells you about the problems going on in our healthcare system. i hear from orders forced to make impossible decisions and considering closing their doors entirely and shut down abms the same story driving up costs or abusing direct and endeavor these are pharmacies. for you aware recent national disease association survey independent pharmacy owners and managers over one third reported considering closing this year due to financial constraints, are you aware? >> i am aware of. >> to the significant role in these closures? >> thank you for the question.

we are -- we do not have these. >> do you acknowledge abms like a significant role? >> i don't necessarily believe that to be the case. i think they provide significant service at a variety support sorry to cut you off i only have five and it's. it's clear that contribute to local pharmacy closures. i met with due process last week forced to close stores. they are in rural areas, five pharmacies and five communities where they have to drive at least five to 10 miles they had record sales they can't even break even. it here the company a lot of money you know that. i'm assuming he writes about that last year brothers of 116

billing dollars so it's pretty clear you could lower or eliminate peace and still make plenty of money. we'll commit in front of the committee to lower and eliminate the pharmacist from ohio and across the country? >> we've already eliminated -- you help us in the industry claimant your colleagues to do the same? >> we will encourage that it's clear they are not going to reform on their own right we need to pass legislation to remain in corporate middlemen and pass moving on in the financial burden from doctors and hospitals and health systems and the most dire consequences from the attack you know how

important they are and i serve those most audible and operate on markets. was a health center in ohio dropped from an average of 600,000 week 20,200,000 week on unacceptable can't continue to operate like this without certainty it will be compensated for these losses. what is united plants to compensate for these financial burdens? >> think about the question. in the context described in that situation we have an interest in program, 200 billing what would be happy to reach out to your office.

it's still available and what bridge the gap loans required to pay back. >> when they are fully back to normal and weird. >> they will make the determination? >> correct and then 45 business days payments of two calendar months. >> and low interest rates means -- no interest. >> no interest. >> thank you. >> thanks very much. statements united healthcare claims the vast majority of services has been restored to pre-levels i providers in pennsylvania struggling to their patients and family

reimbursement doctor christine meyer who owns a practice in pennsylvania initially taking out a home equity loan or practice afloat and reached out to participate in your loan probably only offered 4000 a month% of her monthly expenses. months later she is receiving or from the received more generous loan from optima but is worried about repayment. she said the term dark here and read she will have to pay back the loans before or practice is up and running. when you commit to supporting providers delaying the deadline of the loan repayment to the back or claims. regardless? >> let me apologize for the

delay in the right level of loan capacity in the efforts to move quickly recognize we didn't get it right always at the beginning of this process. this. we have detention asking for sean street they let and back to normal. even then would not look for repayment of 45 business days no interest no fee associated want to ask while the risk especially complex of children the obvious click on healthcare or financial information is reached.

how child stalling cyber criminals to open up years apart longer to repair damage. for seniors in older adults, victimization has been skyrocketing. data breach even more scammers use in the future. united healthcare southern company becomes the cyber attack predicates and more than two months according to the company website it will take several months unquote to identify and notify impacted diverse -- customers, individuals and i think it's clear united has defenses differently time united going to expand and flocking but

from he's not worried about personal profit health information upfront along much has happened break of relief that we can to minimize the possibility of it being happy today notification, in america who come to our services to provide prevention and

protection of within first use of the substance. a straightforward enough time i will submit the record. >> before you leave, i appreciate family more discussions often impeach. it is absolutely inefficient. >> thank you for this hearing today provides direct her hospitals saw all that wrote severe overnight stereos that

visits to hospitals under terms for unnecessary the first work hospitals during what was spent isis but she returned to operations. i hope we can get more lobby senator has asked, from basic information portion of people in america from of millions of families obtained by cyber criminals in the attack on your company for breach required to notify individuals within six decays of health reasonably you

have to affected. however acute health or the secretary health information is compromised. to meet your obligations need to send informationis little

because at first that michael reportedly begins the first is not ten weeks away too long for millions of americans cannot know their this lady available to criminals oligarchs web so i urge you medially notify family so they can take i urge you to

use united read

but as you think

about smaller organizations often times they navigate those things so i think a refreshed you, i think they make sense. we would be happy to engage on that. >> one thing people wouldn't be surprised for individual united parent on the entity but my understanding of change is the rails that folks didn't understand to communicate information better. we think about this and it has to be all the way up and down the food chain. you can't just check a box trace back to the supply chain in a

way that we don't have enough transparency overall. i know from wire change, years into the acquisition and still have not put standards united and do change. why does it take so long? trying to understand why it was not part of. >> an area where we don't have resilience, i've got providers

not only going through not being able to have payments made bathing change they are talking about getting a new provider. any meantime, patients and providers are not getting payments made. i think the whole business model of any entity providing the connections was about means that the provider you have a backup system and the whole model has to change so whoever you set up you have a backup in reserve

because without that you got some tear. >> certainly agree with that and we encourage people about backup systems. those backups we need to work with those providers to have that second pipeline from of the rail and the technology failure. >> the time as well overdue waiting for a crisis like this and we knew it would happen. >> i think it's well taken. there's an opportunity to make up the numbers.

your proposal is essentially a medicare -related effort. all of the hipaa security rule which gives a chance to look at these issues relating to enforcement and accountability. as it relates to resiliency allows us to walk through how this works. you can't walk into a coffee shop in america talk about multifactor authentication. >> that's all about prevention and senator tillis came in and give a chance to make a link between prevention getting everybody up and running again quickly which is what it's all about. we link the the issues and work in a bipartisan way and i look

forward to working with my colleagues. >> next senator brasa. >> thanks for being with us today the cyber attack all across wyoming out of sure you've heard from people across the country. memorial hospital the impact so the processing can be shared recover. they were delayed and 17000 unpaid business rural hospitals across wyoming in the u.s. essential health services so 50%

of rural hospitals right now the rent. fist may send them into a financial spiral. so how are you prioritizing the process claims? >> working with everything we have not just players but also make sure loan programs are available at rural hospitals. they have not yet, i would encourage them to do so. claims processing is back to normal so we just mostly.

we still have black, payment on those claims so if a claim is submitted united healthcare fate instantly but not all are paid instantly. some receipt, that would the delay. we are committed to the industry loan capacity to get through the cash flow college. >> need to keep their doors open. there's a lot of discussion about to factor verification today small community culture. a town of hundred people.

2023 they spent nearly a million on cybersecurity. it's evident hospitals spend and take cybersecurity very seriously. it's not as clear, we got just about every person here asked questions. i heard responses, to me it seems like an excuse. mostly factor authentication operating in the red and change hunger established in 2007. source 1961 in a system already updated. the financial resources.

great in that policy since we acquired, some of legacies have gone back years and they were covered by not an exploited. the services external support to ensure we run the risk situations to make sure they are active.

>> the larger practices and any plan to ensure. >> to get through the cash flow situation and provide a case-by-case basis. >> it's so important as it relates to the two hours and i think touch on one of the key areas and referred to several excuse. the head of cybersecurity we

knew so we got to get to the bottom of it and we haven't had any senators. very much appreciate this. >> thank you for being here today. similar issues i want talk about and i'm very grateful. this has been cash flows in colorado that are continuing in

the cash flow critical access in colorado and $1.5 million and half of the monthly revenue for others -- at risk. they've been forced to pass on the cash. understandably they can't afford that expense and they haven't gotten their medicine. they been left empty handed as a result. they can't pay it online.

i know you have heard this on cascading, unmasking the vulnerabilities in the healthcare systems and subject asked, what you think you might be responsible for account look about most challenges. in the technical solution. me reassure your financing capacity remains in place and they still have $1.4 billion.

and there is no customer for that hospital. >> we take you up on that. a going forward basis to deal with -- how are we going to afford this in the future?

continuing to pursue the understanding of the attacks were not going up or down, we were more and more sophisticated. the levels of technology to protect against those tax elevated about be a challenge for many keep up with the pressure and howie those and making sure the numbers of attacks into the country and begin to drop and escalate in the probability of breaches in the healthcare given the pressure of the system is up on the next time you're young and then senator carver. >> thank you, chairman.

for making yourself available. healthcare entities and prices are increasingly connected to the internet and on facility networks provide teachers that manage fenestrated functions, increased efficiency or improve the ability of healthcare providers and patients. we have not evidence which was can be used weekly and securely to reduce risk and vulnerabilities providers. there are still some unanswered questions and blessings to be learned we acknowledge that. one of the workarounds for providers we discussed was to move to a different clearinghouse including healthcare competitors how long

transition to be fully up and running? >> i think back to be within a few days and more educated. >> that gives me a rough estimate. is it helping with these transitions? >> we've recommended diverted too many alternative competitors as possible and we will continue to encourage back system. at least they were in the system. >> i know this has already been covered a bit. to confirm, there is reporting of passivity process rockwell any exclusivity clauses be enforced and partial providers be aware of that they transition

to a new provider? >> exclusivity we waive and do not to force the because we want to make sure they have backup abilities in place. >> family healthcare community health center in the southern part of my state, it is unable to switch to time sensitive process in the department which has two people in the new system could put cyber liability insurance at risk the paper submission lames by mail and current expense of significant postage costs personal healthcare center to provide the

most they can for patients. the attack from the national news, do you have a notification process in place? >> that's a very good question and that is one area to figure out how to communicate not just companies but the same thing in covid providers across the system and customer files compromised difficult. i was at the situation described would love to reach out to the office and financial support. >> you did mention the mechanisms to provide financial bridge. i am encouraged by that.

how are you disseminating information to providers? ... you did mention the mechanisms you created provide that financial branch. i am encouraged by that. particularly, the small safety net health centers. >> again, thank you for the question. we have used everything which goes to our million physicians across the country. we have used social media, something like 700,000 e-mails to a variety of different provider addresses. we try to use every channel. working with the key medical associations to get the word out to providers and others.

we have been running regular national telephone calls for technology across all of the organizations. for example, the encouragement to spread the word. i do think that communication to providers whether repeatedly comes up is an area of opportunity. >> thank you for answering my questions. i guess the only other thing that i would ask is, you know, you will have all manner of lessons learned including that there may be limitations under existing law to be able to respond to these sorts of attacks and serve your clients optimally to extend those lessons are learned isu communicate that information to my office and to this committee so we may consider changing the law. thank you. mr. chairman.

i am really struck by how little we know about the data that could involve our service personnel. look forward to working with them. >> mr. chairman, to our ranking member. thank you for putting this together today. thank you for the time to talk. thank you for your testimony today. among the things that i shared with you, some of the principles that guide me in this role another that i've been privileged to serve. one of my guiding principles is everything i do, i know i can do better. everything i do, i know i can do better. i think that that is true for us driving in our profession. another one of my guiding principles is treat other people

the way i want to be treated. i tried to put myself in other people's shoes whether you happen to be a constituent, a patient, a practitioner or provider. put myself in their share -- shoes and help guide me. this is a shared responsibility. the idea of shared responsibility. you and your colleagues have this spirit there is a role for that. one of the things that i mentioned yesterday quoting abraham lincoln. what is the role of government. he said the role of government is to do for the people what they cannot do for themselves. local government. probably that role for all of us to play. about a million people of delaware. 50 miles from east to west.

something that i love to do and it is easy. people that have been, you know, disadvantaged, but potentially put in harm's way. we have heard from practitioners and providers. on the phone and in person. so for us, this is very real. in terms of the role of government, the role of government here. it may be one or two. >> thank you very much. thank you for the comment. maybe two areas that i would suggest. helping the healthcare system through what the minimum standards, the right level of

system protection and redundancy for the impacts of future attacks. to see what further can be done to reduce the attack velocity that is coming up the u.s. healthcare system from cyber criminals. i know the possible act may be suggesting those two areas. >> thanks. this attack was as i understand maybe the worst of its kind against our healthcare system with people that depend on that system. the ramifications remain widespread. it is clear that they change healthcare's to prepare for this attack. i don't know if it's possible to actually be prepared. but you shared with me yesterday that the attacks were outgoing. they are not stupid. they are not getting any dumber, unfortunately. it is clear to change healthcare when prepared for this attack

the lack of basic cyber security measures left them vulnerable to disruptions and care. and sensitive data and personal information being stolen. like my colleagues i heard from from families and individuals throughout our stay. directly impacted from this attack. unable to receive her description for seven days because a specific pharmacy delays and that is not acceptable for any of us. why do you think it took so long for your systems to get back up and running. why are many pharmacies still out there today? >> thank you for the question. hearing the situation of the patient waiting for their incident. we have tried to make clear any prescriptions filled. what the personal status was.

i also emphasized the challenges of communicating across such a wide group of providers. the speed of recovery was really determined by the way the attack encrypted large parts of the environment and to ensure that the system when it was brought back online garnered the confidence in the environment that it was safe to reconnect to remember the change healthcare is a big connecting system. we really built the environment from scratch. we did not resuscitate large parts of the old environment which could have brought with it the risks and suspicion of infection and would have led to i think reconnecting at all. we spent a lot of time rebuilding from scratch. the third party organizations, test and penetrating to make sure it was super robust before they came back. consequence the way it impacted the first system and then the

commitment to bring back the clean system was the explanation >> i think my colleague. just a few additional questions i am not clear on. the apropos of the patient's, the real victims, in my view, through negligence, the people who have their information stolen sent the individuals $5. how are you going to go about compensating when they have stolen data. do they think that that is right >> we are working hard to understand he was potentially impacted. in the meantime, we have not stood by to wait for that. we have already put in place services, call centers to help people understand the situation

if they need advice and also to make sure and for anybody, whether that is in this or not. everybody in america can access theft protection for the next few years. >> identity theft and protect against it is something that i am very supportive of. i am also very hawkish on protecting people's private medical data. when i saw equifax giving people $5 and this happened very recently, i wanted to know from you all whether you thought that that was reasonable. how are you going to go about it can you envision sending this out to? >> this time i do not. i feel as if the important thing here is to reinsure people they are doing everything they can to ensure the data does not in fact leak. that we would make sure that the

situation is protected through the services that we have already made available. >> let's also get on the record, one of the questions that senator menendez touched on. for a lot of us representing small communities in our states that much of oregon, senator brosseau talking about that, you know, our physicians are very much at risk. they owe you for these loans. i am concerned that these will give you value financial information and based on the company's history will be used to gobble up lots of other small providers across the country. asking you about what was going on in oregon. this is not a hypothetical question for your company.

buying these people up to hand over fist. i would like to see at a minimum a firewall established so as you cannot use the data from the doctors from the loan process to go out and buy more doctors. that is the last thing that we need in america. >> first of all, i do support that. i think that is a good idea and a good recommendation. reassuring you. guided by the providers confirmation that their cash flow is back to normal. it is under their guidance. the suggestion is a good suggestion. i am very comforted.

to be absolutely clear. >> we have been at it for more than two hours now. there is a lot that we don't know. a lot the american people don't know. i am not convinced that we will find that out anytime soon. we may never find it out. this data as i said several hours ago can reveal abortions, sexually-transmitted infections and more. i just want to see evidence is willing because this company is so big i heard my colleagues talk about too big to fail. i think that they were more eloquent than i was a couple hours ago. companies that are so big have

an obligation to protect their customers and to lead on this issue. much of what i read about this, you are kind of saying the american people, you should feel lucky that we are big. i think that a lot of americans today do not buy that. on your watch, let the country down. millions of people on both the prevention side. getting us back in going. back in going. that is redundancy. the years, over the years in public service. directing the senior citizen group. one of the most important issues i've taken on. i think the intersection of

health policy, economics and national security is now front and center. this is one of the most important fight that i have taken on. what worries me is all these people who are professionals in the field say, shoot, this is an example for the bad guys of what they can accomplish. they will be much more active in much more forthcoming in terms of specific issues that we are talking about today. the finance committee has adjourned.