Congress starts investigating the Change Healthcare cyberattack; Threat actors claim to put data up for sale

April 17, 2024
John Riggi testifies to Congress April 16, 2024.

The House Energy & Commerce Health Subcommittee held a hearing yesterday, “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.” It reportedly did not go well for Change Healthcare and UnitedHealth Group, which were not invited to testify and did not send any representatives to the hearing. The firm had briefed the committee before the hearing.

Witnesses at the hearing included:

  • Greg Garcia, Executive Director for Cybersecurity, Healthcare Sector Coordinating Council
  • Robert Sheldon, Senior Director of Public Policy and Strategy, CrowdStrike
  • John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association
  • Scott MacLean, Board Chair, College of Healthcare Information Management Executives (CHIME)
  • Dr. Adam Bruggeman, MD, Orthopedic Surgeon, Texas Spine Center

A video of the hearing can be viewed on YouTube.

Becker’s Hospital Review noted some of the criticisms:

“It has been reported that UnitedHealth has exploited this crisis in order to acquire health practices that are in urgent need of revenue just to keep their doors open,” Rep. John Joyce, MD, said during the hearing. “While patients and physicians are still struggling, UnitedHealth’s day-to-day operations have continued. This underscores that while Change Healthcare was a target of this ransomware attack, ultimately the patients and the physicians were and continue to be the real victims.”

“The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system,” Rep. Anna Eshoo of California said. “This really deserves a strong response by the Congress — the outrageousness of this.” 

And while UnitedHealth Group recently tried to suggest that without ownership of Change Healthcare, the impact of the attack would have been even worse, some legislators yesterday questioned vertical integration:

Both Republican and Democratic lawmakers pointed to the hack as an example of what they said are the harms caused by vertical integration and industry consolidation. Those testifying recommended that future reviews of healthcare mergers and acquisitions by federal regulators involve cybersecurity considerations. UnitedHealth purchased Change in 2022 following a failed antitrust challenge by the Justice Department.

“The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up,” Rep. Buddy Carter said.

“We have got to do a better job here,” Rep. Larry Bucshon, MD, said. “I do think that vertical integration in our healthcare system, [which is] supposed to save money, is actually going the other direction.”

The Senate Finance Committee is also planning a hearing, although the April 30 date mentioned in news reports is not yet on the committee’s calendar.

The cyberattack reportedly might cost UnitedHealth Group $1.6 billion this year.

And to add to the firm’s problems, the threat group known as RansomHub announced yesterday that they were putting 4 TB of data exfiltrated from Change Healthcare up for sale.