[Senate Hearing 118-785]
[From the U.S. Government Publishing Office]




                                                        S. Hrg. 118-785

                     HACKING AMERICA'S HEALTH CARE:
                    ASSESSING THE CHANGE HEALTHCARE
                      CYBERATTACK AND WHAT'S NEXT

=======================================================================







                                HEARING

                               before the

                          COMMITTEE ON FINANCE
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 1, 2024

                               __________

                                    
                                 
                                 
                                 
                                 
                                 
            Printed for the use of the Committee on Finance
            
                               ______
                                 

                 U.S. GOVERNMENT PUBLISHING OFFICE

63-595 PDF                WASHINGTON : 2026            








                          COMMITTEE ON FINANCE

                      RON WYDEN, Oregon, Chairman

DEBBIE STABENOW, Michigan            MIKE CRAPO, Idaho
MARIA CANTWELL, Washington           CHUCK GRASSLEY, Iowa
ROBERT MENENDEZ, New Jersey          JOHN CORNYN, Texas
THOMAS R. CARPER, Delaware           JOHN THUNE, South Dakota
BENJAMIN L. CARDIN, Maryland         TIM SCOTT, South Carolina
SHERROD BROWN, Ohio                  BILL CASSIDY, Louisiana
MICHAEL F. BENNET, Colorado          JAMES LANKFORD, Oklahoma
ROBERT P. CASEY, Jr., Pennsylvania   STEVE DAINES, Montana
MARK R. WARNER, Virginia             TODD YOUNG, Indiana
SHELDON WHITEHOUSE, Rhode Island     JOHN BARRASSO, Wyoming
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
CATHERINE CORTEZ MASTO, Nevada       THOM TILLIS, North Carolina
ELIZABETH WARREN, Massachusetts      MARSHA BLACKBURN, Tennessee

                    Joshua Sheinkman, Staff Director
                Gregg Richard, Republican Staff Director

                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

Wyden, Hon. Ron, a U.S. Senator from Oregon, chairman, Committee 
  on Finance
Crapo, Hon. Mike, a U.S. Senator from Idaho

                                WITNESS

Witty, Andrew, chief executive officer, UnitedHealth Group, 
  Minnetonka, MN

               ALPHABETICAL LISTING AND APPENDIX MATERIAL

Crapo, Hon. Mike:
    Opening statement
    Prepared statement
Warner, Hon. Mark R.:
    The Health Care Cybersecurity Ecosystem
Warren, Hon. Elizabeth:
    Letter to Gary Gensler from Senator Warren et al., April 29, 
      2024
Witty, Andrew:
    Testimony
    Prepared statement
    Responses to questions from committee members
Wyden, Hon. Ron:
    Opening statement
    Prepared statement

                             Communications

Action for Health
American Academy of Family Physicians
American College of Physicians
American Dental Association
American Gastroenterological Association
American Medical Association
American Pharmacists Association
American Senior Alliance
American Society of Anesthesiologists
Badia, Alejandro, M.D., FACS
Clarity Counseling, LLC
College of Healthcare Information Management Executives
Cowan, MaryAnn M.
Federation of American Hospitals
Garcia, Silvia, M.D.
Good, Jocelyn, Ph.D.
Greenway Health, LLC
Healthcare Leadership Council
Levine, Krissy
Mayle, Mark A., CISSP
Medical Group Management Association
Metropolitan Neurology
National Association of Chain Drug Stores
North Florida Integrative Medicine
People's Action
Perinatal Associates of New Mexico
Reeve, Pamela
Smith, Ann, LCSW-C
Sternbach, Eliezer








 
                     HACKING AMERICA'S HEALTH CARE:
                    ASSESSING THE CHANGE HEALTHCARE
                      CYBERATTACK AND WHAT'S NEXT

                              ----------                              


                         WEDNESDAY, MAY 1, 2024

                                       U.S. Senate,
                                      Committee on Finance,
                                                    Washington, DC.
    The hearing was convened, pursuant to notice, at 9:01 a.m., 
in Room SD-215, Dirksen Senate Office Building, Hon. Ron Wyden 
(chairman of the committee) presiding.
    Present: Senators Menendez, Carper, Cardin, Brown, Bennet, 
Casey, Warner, Hassan, Cortez Masto, Warren, Crapo, Grassley, 
Cassidy, Lankford, Young, Barrasso, Johnson, Tillis, and 
Blackburn.
    Also present: Democratic staff: Shawn Bishop, Chief Health 
Advisor; Eva DuGoff, Senior Health Advisor; Rachel Lang, 
Advisor for Trade, International Competitiveness, and 
Innovation; Joshua Sheinkman, Staff Director; and Chris 
Soghoian, Senior Technologist and Senior Advisor for Privacy 
and Cybersecurity for Senator Wyden. Republican staff: Gable 
Brady, Senior Health Policy Advisor; Kellie McConnell, Health 
Policy Director; and Gregg Richard, Staff Director.

   OPENING STATEMENT OF HON. RON WYDEN, A U.S. SENATOR FROM 
             OREGON, CHAIRMAN, COMMITTEE ON FINANCE

    The Chairman. The Finance Committee will come to order.
    This morning, the Finance Committee examines the Change 
Healthcare hack that nearly brought our country's health-care 
system to a standstill 6 weeks ago. Joining the committee is 
Mr. Andrew Witty, CEO of UnitedHealth Group. You will hear them 
called UHG, and they own Change Healthcare.
    Let me put things in perspective. Last year, UnitedHealth 
Group generated $324 billion in revenue, making it the fifth 
largest company in the country. Overall, the company touches 
152 million individuals across all lines of business: 
insurance, physician practice, home health, and pharmacy. With 
its profits, UHG has purchased dozens of other health-care 
companies, and is the largest purchaser of physician practices. 
This corporation is a health-care leviathan.
    I believe the bigger the company, the bigger the 
responsibility to protect its systems from hackers. UHG was a 
big target long before it was hacked. The FBI says that the 
health-care industry is the number one target of ransomware. It 
is obvious why. Change Healthcare processes roughly 15 billion 
health-care transactions annually, and a third of American 
patient records pass through its digital doors.
    Change specializes in moving patient data from doctor's 
office to doctor's office, or to and from your insurance 
company. That means medical bills that are chock-full of 
sensitive diagnoses, treatments, and medical histories that 
reveal everything from abortion to mental health disorders to 
diagnosis of cancer to sexually transmitted infections.
    Military personnel are included in this data. Leaving this 
sensitive patient information vulnerable to hackers, whether 
criminals or a foreign government, is in my view--as a member 
of the Senate Select Committee on Intelligence--a clear 
national security threat.
    I do not think it is a stretch that the impact here rivals 
the 2015 hack of government personnel data from the Office of 
Personnel Management. The FBI called that ``a treasure trove of 
counterintelligence information for foreign intelligence 
sources.''
    UnitedHealth Group has not revealed how many patients' 
private medical records were stolen, how many providers went 
without reimbursement, and how many seniors were unable to pick 
up their prescriptions as a result of the hack. The failures of 
CEOs like Mr. Witty, who months in can't figure out how many 
people have had their data stolen, validate that FBI warning.
    In the wake of this hack, United essentially disconnected 
Change from the rest of the health-care system. It took weeks 
for Change to get back online, leaving health-care providers 
all across the country--certainly in my home State of Oregon--
in a state of financial bedlam. Doctors and hospitals went 
weeks delivering services but without getting paid.
    Insurance companies could not reimburse providers. Even 
today, key functions supporting plans and providers, including 
sending receipts for services that have been paid, and the 
ability to reimburse patients for their out-of-pocket costs, 
are not back up and running.
    The small providers, particularly mental health providers, 
have been left holding the bag, stuffing envelopes with paper 
claims and unable to get straight answers on how long this 
outage is going to last, and patients are bearing the brunt of 
it.
    Prescriptions went unfilled. Patients were stuck at the 
hospital longer than needed, and Americans are still in the 
dark about how much of their sensitive information was stolen. 
The credit monitoring service Change is now offering is cold 
comfort to all of these frustrated patients across the land.
    The Change Healthcare hack is considered by many to be the 
biggest cybersecurity disruption to health care in American 
history. It is, in my view, Exhibit A that the country needs 
tough cybersecurity standards, and they are needed to protect 
critical infrastructure and patients across the country. The 
Health and Human Services Department does not require health-
care providers, payers, or health-care clearinghouses like 
Change to meet minimum cybersecurity standards, unlike 
industries regulated by other Federal agencies.
    Meeting a baseline of essential cybersecurity standards is 
a must, but it is meaningless without strong enforcement. 
Health and Human Services had not conducted a proactive 
cybersecurity audit in 7 years. As it stands, if a company does 
not comply with the relatively meager cybersecurity 
regulations, the fines amount to nothing more than a slap on 
the wrist. In my view, Federal agencies need to fast-track new 
cybersecurity rules for Americans' private medical records, and 
the Congress needs to watchdog this every day to make sure that 
what is getting done is the essentials of protecting patient 
data.
    Finally, the Change hack is a dire warning about the 
consequences of ``too big to fail'' mega-corporations gobbling 
up larger and larger shares of the health-care system. It is 
long past time to do a comprehensive scrub of UnitedHealth's 
anticompetitive practices, which likely prolonged the fallout 
from the hack.
    For example, Change Healthcare's exclusive contracts 
prevented more than one-third of providers from switching 
clearinghouses, even though Change's systems were down for 
weeks. Accountability for Change Healthcare's failure starts at 
the top.
    Before this hearing, I asked the company which members of 
its board have cybersecurity expertise. UHG pointed to the NCAA 
president Charlie Baker, who signed some technology-related 
legislation years ago when he was Governor of Massachusetts. He 
certainly seems to be an expert on basketball, but UHG needs an 
actual cybersecurity expert on its board.
    Mr. Witty owes Americans an explanation for how a company 
of UHG's size and importance failed to have multifactor 
authentication on a server providing open-door access to 
protected health information, why its recovery plans were so 
woefully inadequate, and how long it is going to take to 
finally secure all of its systems.
    I hope that today's hearing can mark the beginning of a 
bipartisan effort here on the Finance Committee. That is what 
we have done on PBMs and a variety of other important issues. I 
encourage all the members of the committee on both sides of the 
aisle to focus on the subject at hand. That is because this is 
so important, it is so vital, and there is much to discuss.
    Senator Crapo?
    [The prepared statement of Chairman Wyden appears in the 
appendix.]

             OPENING STATEMENT OF HON. MIKE CRAPO, 
                   A U.S. SENATOR FROM IDAHO

    Senator Crapo. Thank you, Mr. Chairman. I appreciate you 
holding this hearing today, and thank you, Mr. Witty, for being 
here with us.
    On February 21, 2024, UnitedHealth Group learned that its 
subsidiary, Change Healthcare, was the victim of a cyberattack 
launched by a suspected nation-state-associated cybersecurity 
threat actor. In response, Change, the Nation's largest health-
care clearinghouse--which processes $1.5 trillion in medical 
claims annually--disconnected all of its systems to prevent the 
hackers from obtaining additional data.
    The fallout from this unprecedented attack has affected the 
entire health-care sector. By crippling Change's functionality, 
the hackers left providers unable to verify patients' insurance 
coverage, submit claims and receive payments, exchange clinical 
records, generate cost estimates and bills, or process prior 
authorization requests.
    In the immediate aftermath of the attack, many providers 
had to rely on reserves to cover the resulting revenue losses. 
An American Hospital Association survey found that more than 90 
percent of hospitals were financially impacted by the 
cyberattack, with more than 70 percent reporting that the 
outage had directly affected their ability to care for 
patients.
    More than 2 weeks after the cyberattack was announced, the 
Department of Health and Human Services released a public 
statement and guidance related to the incident. On March 9th, 
the Centers for Medicare and Medicaid Services made accelerated 
and advanced payments available to impacted Medicare providers.
    The administration's delay exacerbated an already uncertain 
landscape, leaving providers and patients with reasonable 
concerns about access to essential medical services and 
lifesaving drugs.
    While the February hack on Change was by far the most 
disruptive cyberattack on the health-care industry to date, it 
was certainly not the first. According to a report by the 
Federal Bureau of Investigation, the health-care sector 
experienced more ransomware attacks than any other critical 
infrastructure sector in 2023.
    In addition to the processing and revenue issues 
experienced by providers, patients' private identification and 
health-care information were obtained by malicious actors 
during the breach.
    Unfortunately, personal health-care data has become 
increasingly attractive to cybercriminals, who seek to use that 
information for blackmail or identity theft. For patients, the 
emotional and financial effects of leaked private information 
can have a devastating impact for years.
    Although many of Change's functions have now resumed, trust 
in the security of this platform needs to be rebuilt. We owe it 
to American patients and to our front-line health-care 
providers--from health systems to clinicians to community 
pharmacies--to ensure that this does not and cannot happen 
again. Today's hearing offers a valuable opportunity to learn 
from United's experience so we can better protect against and 
quickly react to future cyberattacks.
    Gaining a deeper understanding of how the hackers 
infiltrated Change will help identify and address gaps in our 
existing cybersecurity infrastructure. Evaluating steps taken 
by United in response to the attack--from disconnecting its 
platforms to notifying law enforcement--will offer lessons on 
how to build a more resilient and collaborative health-care 
system moving forward.
    We must also assess the response of the Federal Government, 
which plays a critical role in those efforts. HHS has a 
responsibility to serve as a central hub for coordination, 
convening insights from other branches of government and the 
private sector, to deploy timely information about active 
threats, as well as best practices to deter intrusions and 
resources should an attack occur.
    Thank you, Mr. Witty, again for being here to discuss 
building a more secure, resilient, and responsive health-care 
system, and thank you, Mr. Chairman.
    [The prepared statement of Senator Crapo appears in the 
appendix.]
    The Chairman. Thank you, Senator Crapo.
    Andrew Witty is the chief executive officer of the 
UnitedHealth Group. Prior to that, he was the executive vice 
president of UnitedHealth and CEO of Optum. From 2008 to 2017, 
Mr. Witty was CEO and a director of GlaxoSmithKline.
    Mr. Witty, we appreciate your being here. I believe you are 
going to take 5 minutes or so to share your testimony, and we 
have a lot of member interest. And you are going to get 
questions, and I am going to do everything I can to keep them 
on this extraordinarily important topic.
    Mr. Witty?

      STATEMENT OF ANDREW WITTY, CHIEF EXECUTIVE OFFICER, 
               UNITEDHEALTH GROUP, MINNETONKA, MN

    Mr. Witty. Thank you, and good morning, Chairman Wyden, 
Ranking Member Crapo, and members of the committee. Thank you 
for the opportunity to testify here today. My name is Andrew 
Witty. I serve as chief executive officer of UnitedHealth 
Group.
    Our mission is to help people live healthier lives and help 
make the health system better for everyone. We pursue this 
mission through our two distinct businesses: UnitedHealthcare, 
which provides a full range of benefits; and Optum, which 
brings together care delivery, pharmacy services, and 
technology and data to advance patient-centered care.
    Change Healthcare is now part of Optum. It enables 
information, claims, and payments to flow quickly and 
accurately between physicians, pharmacists, health plans, and 
governments. I appreciate the committee's interest in the 
recent cyberattack on Change Healthcare.
    As a result of this malicious cyberattack, patients and 
providers have experienced disruptions, and people are worried 
about their private health data. To all those impacted, let me 
be very clear: I am deeply, deeply sorry. Our response to this 
attack has been grounded in three principles: to secure the 
systems, to ensure patient access to care and medication, and 
to assist providers with their financial needs.
    We have deployed the full resources of UnitedHealth Group 
in this effort. I want to assure the American public we will 
not rest, I will not rest until we fix this. Cyber experts 
continue to investigate the incident, and while we will learn 
more and our understanding may change, here is what I can share 
today.
    Cybercriminals entered a Change Healthcare portal, 
extricated data, and on February the 21st, deployed ransomware. 
The portal they accessed was not protected by multifactor 
authentication. Our response was swift and forceful. To contain 
infection, we immediately severed connectivity and secured the 
perimeter of the attack to prevent malware from spreading.
    It worked. There is no evidence of spread beyond Change 
Healthcare. Within hours of the ransomware launch, we contacted 
the FBI. We continue to share information with them so that 
these criminals can be brought to justice. As we have responded 
to this attack, including dealing with the demand for ransom, 
my overarching priority has been to do everything possible to 
protect people's personal health information.
    The decision to pay a ransom was mine. This was one of the 
hardest decisions I have ever had to make, and I would not wish 
it on anyone. As you know, we found files in the exfiltrated 
data containing protected health information and personally 
identifiable information, which could cover a substantial 
proportion of people in America.
    So far, we have not seen evidence that materials such as 
doctor's charts or full medical histories were exfiltrated. It 
will take several months before enough information will be 
available to identify and notify impacted customers and 
individuals, partly because the files containing that data were 
compromised in the attack.
    Rather than waiting to complete this review, we are 
providing free credit monitoring and identity theft protections 
for 2 years, along with a dedicated call center staffed by 
clinicians to provide support services. Anyone concerned that 
their data may have been impacted should visit 
changecybersupport.com for more information.
    Meanwhile, we continue to make substantial progress in 
restoring Change Healthcare's services. First, the team built a 
new technology environment in just a matter of weeks. Second, 
we prioritized our restoration effort on services most vital to 
ensuring access to care: pharmacy services, claims, and 
payments to providers. And third, while these efforts were 
underway, we worked quickly to provide financial assistance to 
providers who need it. We have advanced more than $6.5 billion 
in accelerated payments and no-interest, no-fee loans to 
thousands of providers. Most of these funds are for claims for 
non-UHC health plans, and about 34 percent of the loans have 
gone to safety-net hospitals and Federally Qualified Health 
Centers.
    We will provide this assistance for as long as it takes to 
get providers' claims and payments flowing at pre-incident 
levels. And if there are providers in your States who need 
help, please put us in touch with them. Fighting cybercrime is 
an enormous task, and one that requires us all--industry, law 
enforcement, and policymakers--to come together.
    I look forward to answering your questions today.
    [The prepared statement of Mr. Witty appears in the 
appendix.]
    The Chairman. Thank you, Mr. Witty.
    Let me begin with this. This hack could have been stopped 
with cybersecurity 101, and I am talking specifically about 
multifactor authentication, MFA.
    When your bank app asks you to enter a code sent by text or 
email, that is MFA. It secures your account, even if your 
password is learned. Yet your testimony reveals this first 
server that was hacked did not have multifactor authentication.
    So, question 1 I would like a ``yes'' or ``no'' answer to, 
Mr. Witty: prior to the hack, did you or any of your senior 
management know that UHG was not requiring MFA company-wide, 
``yes'' or ``no''?
    Mr. Witty. Mr. Chairman, thank you for the question. Our 
policy is to have MFA for externally facing systems.
    The Chairman. So, if the answer is ``yes,'' then that makes 
my point that, on your watch, there was a cybersecurity 
failure, and then that is what caused the harm to patients, the 
health-care sector, and your investors. I do not believe there 
are any excuses for that.
    So my second question is, will you commit, within 6 months 
at the latest, to require multifactor authentication company-
wide and meet the tough MFA standards that are required of 
Federal agencies? Again, a ``yes'' or ``no'' answer.
    Mr. Witty. Mr. Chairman, again I am happy to commit to 
that. In fact, I can confirm to you that as of today, across 
the whole of UHG, all of our external-facing systems have got 
multifactor authentication enabled.
    The Chairman. We will take that as a ``yes.'' It should not 
have taken the worst cyberattack ever in the health-care sector 
for an agreement to do this bare minimum.
    Now second, with respect to national security, people 
claiming to be involved with this hack have asserted publicly 
that they stole data on U.S. Government employees, including 
active duty U.S. military service members.
    My colleagues remember the 2015 hack of OPM government 
personnel data, which obviously posed very serious 
counterintelligence concerns. I am very concerned, as I said in 
my opening statement, about the national security implications 
of this hack as well.
    Are you in a position this morning to say whether the 
hackers stole data pertaining to U.S. Government employees?
    Mr. Witty. Mr. Chairman, thank you for the question. Like 
you, I am extremely concerned about any patients' information, 
but particularly in the context you just described.
    So far, through the process of working through the data, 
what we have been able to identify is indeed a substantial 
portion of people across the country's data could be implicated 
here. We do believe there will be members of the Armed Forces 
and veterans----
    The Chairman. When can you give us in writing the number of 
military personnel affected and your best assessment of who 
they are? Can I have that quickly?
    Mr. Witty. I give you my absolute commitment that is a top 
priority.
    The Chairman. A week?
    Mr. Witty. It will take longer than a week, but as fast as 
we possibly can, we will get that to you.
    The Chairman. Two weeks? This is a national security 
priority, Mr. Witty.
    Mr. Witty. We will----
    The Chairman. Two weeks, I expect it.
    Mr. Witty. We will absolutely prioritize that, sir.
    The Chairman. All right.
    Let's talk about why things are taking so long, and 
particularly how hard providers are being hit, because they are 
paying the price for the failures that have been made on your 
watch. How much longer will a provider who sent in a claim for 
services delivered in February have to wait in order to be 
paid?
    Mr. Witty. Mr. Chairman, thank you for the question. Our 
belief at this point is that claims flow across the entire 
country is essentially back to normal. Certainly, from 
UnitedHealth Group's perspective, we are paying claims as soon 
as they arrive. We are aware that other companies may not be 
paying as quickly.
    The Chairman. Providers are telling me it is going to take 
until at least June to clear the backlog. Can you do that 
earlier?
    Mr. Witty. We can, absolutely, move faster than that, and 
in the meantime, we are providing financial support----
    The Chairman. When can you expect to have that cleared?
    Mr. Witty. We believe the system is broadly back to normal 
now. If there are any providers in your State who you would 
like to refer us to, we can make sure that they are 
particularly----
    The Chairman. Practically every provider I bump into is 
waiting to be paid.
    Mr. Witty. Those payments from United certainly have been 
made. We are caught up, and we continue to advance significant 
interest-free loans for our providers.
    The Chairman. Will you commit to waiving deadlines for 
timely filings and appeals for claims until everything's back 
in order?
    Mr. Witty. Yes, we have already waived those.
    The Chairman. Will you commit to paying meaningful 
compensation to each provider and plan whose business 
operations you disrupted?
    Mr. Witty. So, we are happy to engage with providers to 
discuss that.
    The Chairman. Please send that to me in writing, how the 
compensation system would work.
    Let me mention one other area very quickly. I have been 
following your various comments, and consistently your views 
seem to minimize the impact of your involvement.
    You say that UnitedHealthcare payments processing accounts 
for only 6 percent of payments in the health-care system. My 
view is, that is basically hiding the ball. In 2022, the 
Department of Justice said that Change retains records of at 
least 211 million individuals going back to 2012.
    So, how many people have actually been impacted, where did 
you find those files, and what medical information was stolen? 
I need answers to those three questions. How many have been 
impacted? Where did you find the files? What medical 
information was stolen?
    Mr. Witty. Mr. Chairman, thanks for the question. As I 
said, that is very much a top priority for us to get to the 
bottom of. We are working our way through that. As of this 
point, we have not identified anything like that, medical 
records or medical histories. What we have seen is claims 
information----
    The Chairman. You do not have the logs that would show what 
data walked out the door, because we have been working to get 
that, and we have not seen it.
    Senator Crapo?
    Senator Crapo. Thank you, Mr. Chairman.
    Mr. Witty, the FBI has repeatedly warned that the health-
care sector is particularly attractive to cybercriminals. As 
your testimony notes, United alone experiences an attempted 
cyber-intrusion once every 70 seconds.
    However, nationwide, cybersecurity preparedness and 
response guidelines for health-care sectors appear to be 
disjointed. Without disclosing proprietary or security-related 
details, how do you intend to revise United's cybersecurity 
protocols to incorporate the lessons that you have learned from 
this experience?
    Mr. Witty. Senator Crapo, thank you very much for the 
question. First and foremost, let me reiterate how seriously we 
take this, and how diligently we are working to make this 
right, both technically and also to make sure we understand the 
patient information implications.
    To the question of how we are responding to this, first and 
foremost, let me reiterate: we have an enforced policy across 
the organization to have multifactor authentication on all of 
our external systems, which is in place.
    Senator Crapo. Can I interrupt for just a second? I think 
part of my question is, and you were about to get to that, but 
I wanted to be sure that you are responsive to this. Is it as 
simple as fixing the multifactor system?
    Mr. Witty. It's multilayered, sir. So that is one element, 
but it is only one element of the defense. Making sure--so for 
example, we now have implemented, in addition to our normal 
corporate-wide scanning of our technology environment, we have 
now brought external third parties to do double or triple 
scanning across our systems as a further protection layer.
    We have also made the decision to strengthen our oversight 
of cybersecurity at the company by bringing to our board, on an 
every-meeting basis, Mandiant, which is the leading 
cybersecurity advisory service in America. They have been 
extremely helpful in understanding this attack, and they have 
become a board advisor to ensure that we have the very best 
advice at the top of the company.
    Senator Crapo. Would you agree that this type--and maybe 
even a stronger approach than this type--needs to become 
standard across our health-care industry, everything from 
government to the private sector, and frankly, the entire 
aspect of our health-care system?
    Mr. Witty. Senator Crapo, I would agree with that. And what 
we saw in Change Healthcare, which was a company which just 
came into our group a little over a year and a half ago, was a 
company which was an older company, had older legacy 
technologies.
    But I think it is very typical of many small to medium-
sized organizations in our health-care environment, and 
therefore, inevitably there is going to be a lot of work to be 
done to upgrade those standards. But I do agree with your 
assertion.
    Senator Crapo. Thank you.
    And I would like to move on to restoration and protection 
of patient information. Your testimony indicates both pharmacy 
services and medical claims are now flowing at near-normal 
levels. Is that accurate?
    Mr. Witty. That is, I believe, yes.
    Senator Crapo. And while this is welcome news, the effects 
of the cyberattack continue, from ongoing revenue backlogs to 
unfolding details about exposed patient health and identity 
information. Which functions remain offline, and when do you 
expect 100 percent of Change's systems to be restored?
    Mr. Witty. Thank you very much for the question. So, all of 
our core systems are now up and fully functional. So that means 
pharmacy, processing, claims, payments. The systems which are 
not available are really ancillary support functions, so not 
determinative of the main claims activity or the payments, 
which is where the disruption has been caused.
    I would also just like to emphasize that as soon as the 
attack took place, we encouraged providers to divert their 
volumes to other competitors to Change, of which there are 
several, and many of them continue to operate through those 
channels, which is another way in which normal service was 
resumed.
    Senator Crapo. Have you heard reservations from providers 
about reconnecting to Change, and if so, how are you working to 
address those concerns?
    Mr. Witty. Senator Crapo, yes. I think that is a natural 
and good concern for people to have after an attack like this. 
You want to be reassured that the system is safe to reconnect 
to. That is why we disconnected so quickly in the beginning, so 
that we did not infect anybody else.
    The reason why it has taken longer than you might expect to 
recover is, we have literally built this platform back from 
scratch, so that we can reassure people that there are not 
elements of the old attacked environment within the new 
technology, at the new technical environment that we have 
created.
    We are sharing all of those details with clients and 
customers as they reconnect, and I am pleased to say they are 
reconnecting substantially.
    Senator Crapo. All right; thank you.
    And finally, would you share an update of your 
understanding of the magnitude and the type of patient 
information that may have been obtained by the hackers, and 
when do you expect to begin the process of contacting impacted 
individuals?
    Mr. Witty. Thank you for your question. We are working 
closely with the regulators on that last point of timing, how 
to and when to start communicating. We want to try and avoid 
piecemeal communication, and it is our top priority to get this 
done just as fast as possible.
    Senator Crapo. Thank you.
    The Chairman. I thank my colleague.
    Just on this multifactor authentication, we know that we 
heard from your people that you had a policy, but you all were 
not carrying it out, and that is why we have the problem.
    Senator Blackburn?
    Senator Blackburn. Thank you, Mr. Chairman, and thank you 
for being with us. I am from Tennessee. We have been absolutely 
inundated with phone calls since this came back. People are 
trying to get some clarity around your statement about a 
substantial portion of people in America being affected by 
this, because right now, it looks like it's anybody that is 
doing business with you.
    I will tell you this. The reality that hospitals and 
providers are facing is wildly different from the rosy picture 
that you have painted. You have made a statement recently that 
payment processing by Change Healthcare is at approximately 86 
percent of pre-incident levels.
    This morning, you said that it was back to normal, and I 
will tell you this. There is a backlog that many of our 
providers and hospitals have from 9 weeks of not being able to 
get in and make these claims. And here is a good for instance 
for you: a small, independent private act hospital in west 
Tennessee. And they have diligently submitted all of their 
claims, and they are burdened with a backlog of Medicare claims 
that is equivalent to 30 days of revenue. And they are waiting 
for these things to be transmitted to Medicare, and this is all 
because of the missteps that you all have had.
    Now, every day they call to get an update--every single day 
they are calling--and they get the run-around every single day, 
repeatedly. It is like you all cannot figure this out. And the 
absence of Medicare electronic remittance is compounding the 
problem, and it is requiring manual payment processing, and of 
course this goes into labor cost; you have error rates.
    So, when can Tennessee providers and hospitals expect you 
all to clear the backlog, to catch up, and be back to normal?
    Mr. Witty. Senator, thank you very much for the question, 
and I am very sorry to hear the experience in your State with 
those hospitals.
    Senator Blackburn. When?
    Mr. Witty. We will reach out to your office to find out the 
names of those hospitals. We will get connected with them to 
get that resolved----
    Senator Blackburn. Take every hospital, every provider. We 
have hospitals that are pulling on a line of credit. Are you 
going to pay that interest? Are you going to reimburse that?
    Mr. Witty. We are offering interest-free loans directly 
ourselves, and we're more than willing----
    Senator Blackburn. Good. No. I said are you going to pay 
these interest costs? Okay.
    Let me move on with you, because one of the surprises--and 
the chairman just mentioned this--is the lack of redundancies 
that you all had built into the system.
    Now, your revenues are bigger than some country's GDP, and 
how in heaven's name did you not have the necessary 
redundancies so that you did not experience this attack and 
find yourself so vulnerable?
    Mr. Witty. Thank you for the question. First and foremost, 
Change Healthcare had only recently become part of UnitedHealth 
Group. We were in the process of upgrading and modernizing 
their technology. The attack itself had the effect of locking 
up the various backup systems which had been developed inside 
Change before it was acquired.
    That is really the root cause of why it has taken so long 
to bring it back, and as I have emphasized, we have work to 
rebuild a brand new technical environment so that we know that 
it is modern and it is not infected from the attack.
    Senator Blackburn. Well, there may be excuses, but was 
there not a thought process put in place on the front end, as 
you were going through this, of how you would protect yourself 
from vulnerabilities?
    Mr. Witty. So, Change Healthcare came into the organization 
just about a year and a half ago----
    Senator Blackburn. I am fully aware of that.
    Mr. Witty. We were in the process of upgrading that 
technology when this attack occurred.
    Senator Blackburn. Okay; all right. There again, for 
whatever reason, shortsightedness and not having a plan to 
incorporate--let us move on.
    Optum--it is widely acknowledged that Optum's temporary 
assistance program fails to adequately address the financial 
setbacks that are caused by this. Now, we have one Tennessee 
provider that disclosed receiving a one-time payment of $8,000, 
significantly below their usual daily revenue of $20,000.
    These providers have resorted to tapping into personal 
savings, retirement funds, seeking loans from banks. And so, 
are you going to cover all of those costs that they have had to 
incur in order to keep the doors open, because you did not have 
an appropriate backup plan?
    The Chairman. As important as this question is, briefly, 
because we have a lot of members interested. You may answer.
    Mr. Witty. So, Senator, thank you for the question. Very 
happy to engage with those providers. We will reach out to your 
office to get their names.
    Senator Blackburn. We look forward to the engagement.
    The Chairman. Thank you, Senator Blackburn.
    Senator Menendez?
    Senator Menendez. Mr. Witty, your company's slow progress 
in restoring services and advancing loans to providers caused 
operational disruptions with consequences for providers, 
pharmacies, and patients across the Nation.
    For weeks, hospitals and providers had to deal with low 
loan offers and onerous terms from the company, in some cases 
less than 1 percent of their typical weekly billing, all while 
patients suffered. Your company is the Nation's largest private 
health insurer and the largest physician employer in the 
country, earning billions in profits every quarter.
    It is unacceptable that it took so long to help providers 
during a crisis of your creating. Now I am concerned about what 
is going to happen on the back end. So, do you commit to not 
exploiting the destabilized provider markets that you are 
creating to further acquire other subsidiaries? A simple 
``yes'' or ``no'' would be great.
    Mr. Witty. Senator, absolutely. We will not take advantage 
of that, and we have not. I would also like to reassure you, we 
understand that in the effort to go quickly in terms of setting 
up our loan program, we did not get all of the terms and 
conditions right.
    We fixed that very early, and we have now been able to 
advance $6.5 billion to more than 100----
    Senator Menendez. So let's talk about that. 
UnitedHealthcare, as you have just said, claims to have 
distributed $6.5 billion in financial support to providers, but 
you are dealing with an enormous backlog of claims estimated to 
be easily over $14 billion, with some estimates putting the 
total impact in services at many multiples of that.
    In other words, your accelerated or advance payments were a 
tiny fraction of the total amount of services affected. It is 
my understanding that UnitedHealthcare and its subsidiaries 
know to the penny what the average provider's bills in an 
average day, week, or month are. Yet providers in my State and 
across the country were struggling to keep their doors open as 
they waited for these payments.
    What reasonable explanation could you have for taking so 
long to get these accelerated payments out the door?
    Mr. Witty. Senator, thank you again for the question. 
Unfortunately, United does not know the flows of folks to other 
payers than United, which is part of the reason why our initial 
approach was not as effective as we would have liked it to have 
been.
    We put in place a mechanism which, for the vast majority of 
providers, gives them authorization on interest-free loans 
within hours of application, and that remains open and 
available for providers who need it today.
    Senator Menendez. It seems to me almost incredible to 
believe that you do not know, a company that is so long 
established, you do not know the flow of what a daily, weekly, 
monthly amount is to a certain provider. That is hard to 
believe.
    Mr. Witty. So, sir, we understand the flow when we are the 
payer, but oftentimes we are not the payer, and those would be 
the situations. As I am sure you are aware, we have been making 
loans to underwrite the cash-flow consequences for other 
payers, not just UnitedHealthcare.
    Senator Menendez. Well, it seems to me that you wasted a 
lot of time trying to pull a fast one by imposing onerous loan 
terms on providers. Can you commit to not demanding loan 
repayments until the claims backlog is cleared?
    Mr. Witty. Sir, we have streamlined all of our terms and 
conditions, and, yes, we have already told providers there is 
no need to repay these interest-free loans until 45 days after 
they have concluded they are back to normal.
    Senator Menendez. Do any of the loan terms prohibit health 
providers from working with any of United or Optum's 
competitors?
    Mr. Witty. No.
    Senator Menendez. Now, following the breach, you offered to 
do breach notifications for covered entities like hospitals and 
provider groups that are still grappling with severe and 
ongoing disruptions to daily operations. Now, this commitment 
is an important step in the right direction, as providers 
should not be bound by the burden of providing HIPAA-required 
breach notifications. But no prudent medical group can rely on 
vague promises containing no specifics with respect to timing 
or implementation.
    Providers currently face mounting concerns about their own 
regulatory exposure should United not fulfill these promises. 
Further, as more patients become aware of the possible 
disclosures of their sensitive information, they will turn to 
their providers for information and assurances, neither of 
which can currently be provided.
    So, when can providers expect concrete details on breach 
notifications in writing from UnitedHealth Group?
    Mr. Witty. Sir, this is our top priority. We want to get 
this done as fast as possible, and we are working with the 
regulators to ensure that we can get that communication out as 
quickly as possible.
    Senator Menendez. Okay, so can you give us a time period? 
Is that a week, is it a month?
    Mr. Witty. I think it will be in the next several weeks.
    Senator Menendez. And what sort of documentation will 
UnitedHealth Group require of covered entities, and will 
agreements include information about limitation or waiver of 
liability?
    Mr. Witty. That is something we are working through with 
the regulators so that we can be very clear to those providers.
    Senator Menendez. Well, I would like you to respond to the 
committee when you get to that conclusion.
    Mr. Witty. Of course.
    Senator Menendez. Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Menendez.
    Senator Grassley is next.
    Senator Grassley. Welcome to the committee.
    Last month, I wrote to Health and Human Services Secretary 
Becerra regarding protecting critical infrastructure within the 
health-care sector. In that letter, I highlighted the need for 
a strong relationship between public and private partners to 
ensure the safety of U.S. critical infrastructure systems. I 
also inquired about legacy information technology systems. 
Cyberattacks on our health-care system not only have a severe 
impact on our economy, but put lives at risk.
    So my first question is, what is UnitedHealth Group's 
relationship with HHS and other government agencies as it 
relates to cybersecurity of the health-care industry? How have 
HHS and cybersecurity and information security agencies worked 
with your company in the aftermath of the cybersecurity 
failure?
    Mr. Witty. Senator Grassley, thank you for the question. We 
have had a close relationship, I would say daily engagement, 
with particularly CMS within HHS. CMS has been extremely 
engaged and supportive through this, particularly in terms of 
how we have worked to support providers and to prioritize 
recovery of the system. And the FBI has been our prime partner 
in terms of law enforcement and response to the attack itself.
    Senator Grassley. Does UnitedHealth Group use legacy IT 
systems that need to be updated? If so, what has been done to 
update?
    Mr. Witty. So, Change Healthcare is a good example of a 
company that came into our organization with older technology. 
It is a 40-year-old company with many different technology 
generations within it.
    As we always do with new companies like that, we strive to 
upgrade them to the standards of UnitedHealth Group, which I 
believe are consistently higher than the companies that we 
brought into the organization.
    Senator Grassley. I think you touched on it, but let me ask 
specifically: has UnitedHealth Group taken every available 
action to immediately remove memory safety risk in its IT and 
software?
    Mr. Witty. So, could you just repeat that, please? I could 
not hear the second part of the question.
    Senator Crapo. He asked you to repeat it.
    Senator Grassley. What?
    Senator Crapo. Repeat it, your question.
    Senator Grassley. He refused to answer it?
    Senator Crapo. No, he just said he could not understand it.
    Senator Grassley. Oh, well----
    Senator Crapo. So he just asked you to repeat the question.
    Senator Grassley. Yes. Has UnitedHealth Group taken every 
available action to immediately remove memory safety risk in 
its IT and software?
    Mr. Witty. I am not sure I completely understand the 
question around ``memory safety risk.'' I can assure you that 
since the attack----
    Senator Grassley. Why don't you do this: answer that 
question in writing.
    Mr. Witty. Absolutely, yes. I am happy to do so.
    Senator Grassley. My understanding is that Change 
Healthcare touches one in three medical records in the United 
States. I would like to better understand how Change Healthcare 
stores and manages patient data.
    How does Change Healthcare manage and store patient data? 
Where is the data stored? Is it stored by third parties, and at 
what point through processing, coding, and storing is patient 
data ever sent overseas?
    Mr. Witty. So, Change Healthcare stores data both on 
premises in data centers and also, to a limited extent, on the 
cloud. As we have rebuilt the technology environment, we have 
moved much more into the cloud, which we believe creates a much 
more secure future environment.
    Senator Grassley. According to the FBI, there were 249 
ransomware attacks against the health-care industry in 2023. 
Has UnitedHealthcare Group experienced another cyberattack 
since February 2021?
    Mr. Witty. I would have to come back to you on that. We are 
under attack consistently. I would like to make sure I am 
accurate in how I respond to that question. I will be happy to 
come back to you with that.
    Senator Grassley. In writing, okay?
    Do you feel like your company is prepared for another 
cyberattack? And this will be my last question.
    Mr. Witty. Senator, thank you for that question. We are 
doing everything we can to be as prepared as possible, but we 
recognize the pressure of the attacks that come in. I believe 
that we are taking every, every sensible precaution, and we 
have brought in multiple third-party expert organizations to 
supplement our own teams.
    Where I hope we can also look is for ways in which we can 
start to reduce the attack pressure on the systems that we are 
all trying to manage.
    The Chairman. Thank you, Senator Grassley.
    Senator Cassidy is next.
    Senator Cassidy. Mr. Witty, thank you for being here, and 
thanks for the conversation that you and I have had prior to 
this. First, let me acknowledge, as I spoke to doctors back 
home, the kind of worst case has passed, and many have said 
that it is resolved. So let me credit you for the hard work you 
have done.
    But that does kind of present a different set of questions, 
please. One, you mentioned that United is waiving prior 
authorization essentially, but Change handles lots of claims 
for other insurers. As we know, sometimes prior auth is denied 
retroactively, so surgery would be approved, and then at a 
later point it is unapproved, and the dollars are clawed back.
    Some of the docs say they do not know whether the shoe will 
drop in the future, whether it is a Cigna that will have a 
problem with the prior auth process, et cetera. To what degree 
has United worked with other insurers to address the 
uncertainty regarding prior authorization, and to what degree 
would United hold harmless the doctor who is penalized, if you 
will, because of the damage done to the prior auth system 
through this from another insurer?
    Mr. Witty. Senator Cassidy, thank you very much for the 
question, and I very much appreciated the time you spared to 
talk through some of these issues with me. I actually followed 
up after our last conversations on some of these.
    From a UnitedHealthcare perspective, I would like to 
confirm that when somebody applies for prior authorization and 
it is granted, we never go back to contradict it. We never go 
back in time to change it if they have already acquired that.
    To your broader point, we are very, very supportive of 
efforts to modernize and enhance prior authorization in ways 
that can be much less burdensome on the system, and much more 
effective in terms of ensuring patients get access to safe 
care----
    Senator Cassidy. Yes, but as regards the other insurers in 
this particular process, if Change was an intermediary with 
Cigna--I keep using them because they come to mind--and there 
is an issue of prior auth, how will that be handled?
    Mr. Witty. So, in that situation, that would be a Cigna 
responsibility.
    Senator Cassidy. So has United reached out to Cigna to try 
and kind of smooth it over in this period in which the ability 
of Change to provide that essential function has been brought 
down?
    Mr. Witty. So, thank you. I am clearer with the question 
now. Let me reassure you that we have made clear that where 
people have acted in good faith during any outage, so for 
example a pharmaceutical was dispensed by a pharmacist without 
getting authorization--they thought that was okay; there was no 
system to check--we are honoring all of that.
    Senator Cassidy. Even through Cigna?
    Mr. Witty. We will cover that.
    Senator Cassidy. Now let me ask you--and this is a broader 
question, and something for this committee to consider. In our 
conversations--and I gather on an earnings call--you pointed 
out that, when asked about the breach, ``the cyberattack was 
paradoxically a validation of the size and scope of United's 
business practice.''
    I have read in a Washington Post article that 5 percent of 
U.S. GDP flows through United every day. Now, yes, but if you 
read something by Nicholas Taleb, he would say that the fact 
that you are so big and so dominant presents a special 
vulnerability, and that, yes, you have the deep pockets by 
which to address this. But the very fact that you are so big 
means it had a wide-ranging ripple effect that was outsized.
    And so, I think for us, we would have to ask, is the 
dominant role of United too dominant, because it is into 
everything, and messing up United messes up everybody?
    Mr. Witty. Senator, thank you for the question. I think it 
is really important to be clear that the Change footprint and 
activity was exactly the same on the day it was attacked as 
before it was acquired by UnitedHealth Group. It did not change 
because of UnitedHealth Group----
    Senator Cassidy. Yes, but I do not want to limit our 
imagination to just Change. If 5 percent of our Nation's GDP 
goes through United every day, then is there something else 
that could be incurred upon United that would have even 
farther-reaching effects?
    Mr. Witty. So, as we look across the whole of United, we 
continue to be, as always, focused on how we defend and protect 
the organization. We look to how we can upgrade organizations----
    Senator Cassidy. But that is not my point. My point is, has 
the size of United become a--it is almost a ``too big to fail'' 
insurer, because if it fails, it is going to bring down far 
more than it ordinarily would.
    Mr. Witty. I do not believe it is, because actually, 
despite our size, for example, we have no hospitals in America. 
We do not own any drug manufacturers.
    Senator Cassidy. But don't we know that you all own like 
some incredible percentage of physician practices now?
    Mr. Witty. Actually, we employ less than 10,000 physicians. 
Hospitals across America employ 400,000 physicians. We contract 
and affiliate with a further 80,000 physicians who voluntarily 
choose to work alongside our Optum colleagues.
    So, we are very proud of the physicians who work for us, 
but oftentimes I think people confuse the affiliated and 
contracted physicians with the employee physicians, where we 
employ less than 1 percent of doctors in America.
    Senator Cassidy. I am out of time.
    Thank you; I yield.
    The Chairman. Senator Cassidy, this is an extraordinarily 
important issue that you are raising. This is classic ``too big 
to fail'' kind of policy. And I said a while back I believe 
that the bigger the health-care company, the bigger the 
responsibility to protect its systems from hackers.
    I think there are going to be Senators on both sides of the 
aisle who want to pursue what you are talking about, and I look 
forward to working with you.
    Senator Cassidy. Thank you.
    The Chairman. Let's see. Our next person in order of 
appearance would be Senator Warren.
    Senator Warren. Thank you, Mr. Chairman.
    So, Mr. Witty, in 2023 UnitedHealth raked in a whopping $22 
billion in profits, making you the most profitable health-care 
company in the country. In fact, by revenue, UnitedHealth is 
the 11th largest company in the entire world.
    Now, Mr. Witty, UnitedHealth Group owns the country's 
largest insurer, the country's largest claims processor, the 
country's third largest pharmacy benefit manager, and a huge 
pharmacy chain. It is the largest employer of physicians 
nationwide or controller, with at least 90,000 physicians, as 
you just testified. That is about 1 out of every 10 doctors in 
the country. Is that correct, about your size?
    Mr. Witty. Thank you, Senator. As far as the physicians are 
concerned, we employ just under 10,000 and the rest are 
affiliated.
    Senator Warren. Well, as I said, I think you have control 
over about 90,000?
    Mr. Witty. I would say not control. They chose to work with 
us.
    Senator Warren. Okay; great.
    Because UnitedHealth has bought up every link in the 
health-care chain, you are now in a position to jack up prices, 
squeeze competitors, hide revenues, and pressure doctors to put 
profits ahead of patients. UnitedHealth is a monopoly on 
steroids.
    The opportunities for price gouging are everywhere. For 
example, UnitedHealth is the biggest participant in Medicare 
Advantage, the government program that pays private insurers to 
administer Medicare benefits. With this web of subsidiaries, 
UnitedHealth is well positioned to rake in more taxpayer money 
by using a practice called ``upcoding,'' to make enrollees look 
sicker--that is, noticing that a patient has a cane and adding 
a diagnosis of vascular disease to the medical chart, even if 
there is no clinical basis for the diagnosis and no treatment 
planned.
    Mr. Witty, according to a 2019 investigation by the HHS 
Inspector General, UnitedHealth was far and away the most 
aggressive abuser of upcoding practices.
    Do you know how much, according to the Inspector General, 
UnitedHealth cheated taxpayers out of in 2017?
    Mr. Witty. Senator, thank you. I am not familiar with that 
particular piece of work.
    Senator Warren. Yes. The number is $3.7 billion, and that 
is in just a single year, and that is from only two upcoding 
practices. You know, that was 5 years ago. Now as we speak, is 
UnitedHealth under investigation from the DOJ for, among other 
things, your billing practices?
    Mr. Witty. Senator, thank you for your question. We have a 
longstanding practice of not commenting on matters such as 
that, or things like mergers and acquisitions.
    Senator Warren. Well, I understand why you might not want 
to comment on it. Public reporting from The Wall Street Journal 
confirms that it is, although your company has not disclosed 
this investigation. In fact, yesterday I sent the SEC a letter 
raising concerns about over $100 million in stock sales that 
UnitedHealth executives made in the days and weeks before the 
investigation was revealed by the press, and I would like to 
make that part of the hearing record if I can, Mr. Chairman.
    The Chairman. Without objection, so ordered.
    [The letter appears in the appendix beginning on p. 47.]
    Senator Warren. Okay.
    So UnitedHealth is huge, and it boosts its multibillion-
dollar profits with, among other things, illegal billing 
tactics, and that takes me to the data breach. After the 
largest cyberattack on the health-care industry in American 
history, quote, ``put hundreds of thousands of health-care 
providers at risk of collapse,'' UnitedHealth is now using the 
crisis to expand its monopoly even further.
    For example, in Oregon UnitedHealth tried to purchase a 
local physician practice but faced enormous public opposition. 
After the data breach that we are talking about today, these 
doctors could not get reimbursed for their services, which 
pushed them to the financial breach.
    So, what did UnitedHealth do? They filed an emergency 
petition with regulators to allow them to acquire the doctors' 
practice on an expedited basis. Mr. Witty, will this 
acquisition make UnitedHealth even bigger?
    Mr. Witty. Senator, thank you for your question. I would 
just like to also put on the record that we, as an 
organization----
    Senator Warren. I had a very simple question. Will it make 
UnitedHealth, this giant, this 11th largest company in the 
entire world, even bigger?
    Mr. Witty. As new organizations join us, the organization, 
I hope, becomes better. As new physicians, for example, join----
    Senator Warren. The question is not better. We have already 
talked about your business practices. The question is bigger. 
Will it make UnitedHealth bigger?
    Mr. Witty. As we grow, we become larger, yes.
    Senator Warren. Yes; okay.
    So, UnitedHealth is using its own data breach to snap up 
doctors' practices that have been driven to the edge of 
bankruptcy by that same data breach. It is no wonder that 
UnitedHealth told its shareholders that this data breach would 
have ``no material impact on the company's finances.''
    UnitedHealth will stop at nothing to grow bigger, bigger, 
and bigger. As we speak, UnitedHealth is trying to pick the 
bones of Steward Health Care in my home State of Massachusetts, 
which was ruined by private equity and corporate greed. It is 
time for regulators to say ``no'' to these efforts to get 
bigger, and to suck even more health dollars away from patients 
and providers who need them.
    For the sake of our patients, our doctors, our nurses, and 
the American taxpayer, it is time to break up the UnitedHealth 
monopoly.
    The Chairman. The time of my colleague has expired.
    Next in order of appearance would be Senator Johnson.
    Senator Johnson. Thank you, Mr. Chairman.
    Now for a different perspective. The largest financial 
entity in the world is the United States Federal Government, 
which will spend close to $7 trillion this year, and I kind of 
view the 535 members of Congress as the board of directors.
    So, this board of directors has allowed this largest 
financial entity to incur $35 trillion worth of debt. The 
largest financial entity in the world gets hacked all of the 
time. We, last year, according to GAO, we had $236 billion of 
improper payments through all these government programs run by 
the largest financial entity in the world. So again, I just 
want to put a little balance here.
    I will state the obvious. UnitedHealth, you were a victim 
of a crime; correct?
    Mr. Witty. That is correct, sir.
    Senator Johnson. I am actually sympathetic with people who 
are victims of crime. I do not think you went out and sought to 
be hacked. I mean, what I was hoping this hearing would be more 
about is, you know, utilize your experience to figure out what 
went wrong so that other people watching this can try and 
correct it.
    And as we sat down yesterday--I appreciate you taking the 
time meeting with me. Talking about Change Healthcare, there 
was one server that didn't have dual authentication. That was 
the source of the breach, and again, the cyberattackers are 
very sophisticated, and they exploit those weaknesses.
    This is a weakness that is very well known. I mean, most 
hacks occur because of those types of security breaches that 
again--in a large entity, it is hard to police all that. Can 
you just kind of describe, first of all, the history of Change 
Healthcare, how it was built, why you bought it, how it is 
supposed to function?
    Mr. Witty. Senator, thank you for the question. So, Change 
Healthcare grew over about 40 years through a series of its own 
acquisitions and organic growth, to become a network connector 
across the health-care system. It is probably one of four or 
five companies who do the same kind of thing.
    Senator Johnson. And the same kind of thing is processing 
payments; correct?
    Mr. Witty. Process claims, send claims from providers to 
payers, and then send payment back; exactly.
    Senator Johnson. It is a reasonably complex thing to do?
    Mr. Witty. Highly complex.
    Senator Johnson. And you know, with Medicare rules and 
insurance rules, I mean, it is a complex thing to do.
    Mr. Witty. Exactly. And importantly, it is a software and 
network business, not a pipeline business in a physical sense. 
So, when it is attacked, the vulnerability is that the software 
is impacted or encrypted, and that really freezes the whole 
system, which is why this has had such a devastating impact.
    Senator Johnson. So, in this wholly owned subsidiary of 
United you purchased, it had been built up over years through 
private equity. There was either one group or one--I mean, 
describe exactly where the vulnerability was?
    Mr. Witty. Yes. So we were in the process of upgrading the 
technology that we had acquired, but within there was a server 
which I am incredibly frustrated to tell you was not protected 
by MFA. That was the server through which the cybercriminals 
were able to get into Change, and then they led off a 
ransomware attack, if you will, which encrypted and froze large 
parts of the system.
    Senator Johnson. And when your IT people were aware of the 
breach, you were notified immediately, and you contacted the 
FBI within a couple of hours; correct?
    Mr. Witty. All on the same day. So, February 21st, I was 
told. I was at a board meeting. They came in and told me on 
February 21st, and we called the FBI the same day.
    Senator Johnson. But you had probably been breached how 
soon before that?
    Mr. Witty. We think in hindsight--we did not know at the 
time, but as we have gone back and done the forensics, we 
believe they entered probably 9 days before.
    Senator Johnson. In my previous work on Homeland Security, 
I think it averages about a couple of hundred days that hackers 
are actually inside the system, exploring it for the 
vulnerabilities before all of the sudden they are made known.
    So again, these are sophisticated actors here. What was 
your response then? I mean, what did you do?
    Mr. Witty. The minute we knew about this, in fact even 
before I had been briefed, our team had followed the right 
steps and disconnected Change from all other connections, 
because it was critical to prevent the infection affecting any 
other provider or network in the country.
    That worked. We know that did not happen, so we contained 
the blast radius to just Change, and then it----
    Senator Johnson. So you shut down the system?
    Mr. Witty. We shut down the whole thing.
    Senator Johnson. Obviously denying your customers payment, 
and you have admitted that you could have handled that better.
    Mr. Witty. Yes.
    Senator Johnson. And this is--you are dealing with very 
difficult things to do here. But then you established this free 
loan program. In general, I mean what percentage of your 
customers, how many are satisfied with your response to this, 
versus the ones that are still pretty upset with you?
    Mr. Witty. So, Senator, first of all, you are right. We did 
not get it right the first time, in the first week or so. We 
quickly changed that, and I think since then we have had 
extraordinary uptake from folks across the country. I believe, 
certainly judging by the correspondence I get from small 
providers in particular, how grateful they are not just for the 
loan, but for the ease with which it was provided. Usually in 
just hours or overnight, they have been able to be supported.
    And we continue to issue those loans today, even though we 
believe the overall system is back to normal, because we know 
some people have not been paid yet.
    Senator Johnson. Well, thanks for your testimony. Thanks 
for allowing yourself to be subjected to this. Thank you.
    Mr. Witty. Senator, thank you.
    The Chairman. I am going to go to the Senator from Nevada 
in just a second. But I want to also make sure, because you 
have been all over the map with respect to personal 
accountability, and you have consistently downplayed your role 
in this.
    Your head of cybersecurity told us last week about this, 
and we still need to know whether you knew that you did not 
have MFA. Did you know that?
    Mr. Witty. On this server in Change?
    The Chairman. Yes.
    Mr. Witty. No, absolutely not.
    The Chairman. Why not?
    Mr. Witty. Well, so as the company had only recently, 
relatively recently, come into the group, it was in the process 
of being upgraded.
    The Chairman. But why wasn't it the first thing you would 
do?
    Mr. Witty. So, my understanding is that when Change came 
into the organization, there was an extensive amount of 
modernization required, and unfortunately and very 
frustratingly, this server had not had MFA deployed on it prior 
to the attack.
    The Chairman. But you coming in would say, ``We have got to 
deal with this.'' I mean, this is the first server. This is not 
an abstract issue.
    The Senator from Nevada.
    Senator Cortez Masto. Thank you.
    Mr. Witty, let me follow up on some of the line of 
questioning here. You paid a ransomware, correct, to the 
hackers?
    Mr. Witty. That is correct.
    Senator Cortez Masto. How much?
    Mr. Witty. Twenty-two million dollars.
    Senator Cortez Masto. And the information that the hackers 
obtained, was that identifiable patient information?
    Mr. Witty. We believe yes. They exfiltrated PII and PHI, 
yes.
    Senator Cortez Masto. And that is the most personal 
information: health-care information individuals would provide 
to you. Is that correct?
    Mr. Witty. Yes.
    Senator Cortez Masto. And don't you have an obligation to 
protect that information?
    Mr. Witty. We certainly do, and we take that obligation 
very seriously, and of course we are incredibly frustrated by 
this attack.
    Senator Cortez Masto. Then by law, you are required 
actually to protect that information, both State law and 
Federal law; correct?
    Mr. Witty. That is correct, and we take our obligation very 
seriously.
    Senator Cortez Masto. And under that same law, you are also 
required to notify those affected partners and patients that 
their data, their personal data, has been compromised; correct?
    Mr. Witty. Yes, Senator.
    Senator Cortez Masto. And you have not done that yet, is 
that right?
    Mr. Witty. No. We are still working----
    Senator Cortez Masto. How long is that going to take you?
    Mr. Witty. So, we think that will still take several more 
weeks to finish the data analysis, to understand what is there.
    Senator Cortez Masto. And you have been saying several more 
weeks since, what? This attack was how long ago, 69 days ago?
    Mr. Witty. Yes, and thank you for the question. We only 
were able to start this process about a month after the attack, 
when we got the data sent back and we were able to start to 
interrogate it. It is a very complex process. We are trying----
    Senator Cortez Masto. Is it complex because you have so 
much patient data that it is hard to actually identify all of 
it?
    Mr. Witty. No. It is more a complexity of the data 
structure, and making sure that we get it right, and making 
sure that we are notifying people of the correct information.
    Senator Cortez Masto. So, as we sit here today, there are 
many patients who do not know if their health-care information 
has been compromised, so they cannot put protections in place 
to protect themselves against identity theft; is that correct?
    Mr. Witty. So, we have not yet been able to notify people, 
but we have not waited----
    Senator Cortez Masto. So let me jump to something else that 
is happening that I am hearing in my State. Nevada Health 
Centers is a Federally Qualified Health Center with locations 
across the State of Nevada, and they rely on Change Healthcare 
for real-time patient eligibility verification.
    I am hearing, despite portals being back online, that 
critical provider and patient information is often missing or 
mismatched, with nearly 50 percent of payer information being 
inaccurate. Health Centers seeks clarity on when these systems 
will be corrected, but has struggled to get a reliable answer 
from UnitedHealth Group.
    So, I am hoping you can provide that clarity. When will the 
real-time eligibility and benefits verification functions of 
the Change Healthcare network be up to date and accurate?
    Mr. Witty. Thank you for that question. If I may, I will 
come back to you today with that information. I do not have 
that with me right now.
    Senator Cortez Masto. Okay. So, I hope you do, because not 
just my health-care centers, but across the country, many are 
asking this question. And for that reason, you are aware that 
providers must adhere to timely filing deadlines set by 
insurance companies for claim reimbursement.
    If they miss these deadlines, insurers may deny payment, 
leading to delayed patient care and increased provider burden. 
The recent Change Healthcare hack, requiring UnitedHealth Group 
to take its systems down for a week, undoubtedly poses 
challenges for providers in meeting these deadlines.
    Will you commit to extending UnitedHealth Group's filing 
deadlines for any claims affected by the Change Healthcare hack 
and subsequent system outage?
    Mr. Witty. Yes, absolutely.
    Senator Cortez Masto. And will you agree to extend the 
filing deadlines for claims filed before the February 21st 
cyberattack, considering that the appeals processes for these 
claims have been disrupted by UnitedHealth Group's systems 
outage?
    Mr. Witty. Again, we are happy to do whatever is necessary 
to make this impact as minimal----
    Senator Cortez Masto. That would be a ``yes''?
    Mr. Witty [continuing]. As possible for the provider, yes.
    Senator Cortez Masto. That would be a ``yes''? Thank you.
    So let me also address this. I am concerned about the 
lasting effects of UnitedHealth Group's cybersecurity failure 
on the health sectors. Providers that I am hearing from have 
faced dramatic drops in revenue, and are missing out on 
interest from delayed payments.
    In Nevada, one health center reports spending $12,000 every 
week on overtime for staff, who are dealing with the billing 
and eligibility issues caused by this Change Healthcare outage. 
For many small providers in my State, missing just two payments 
could force their foreclosure.
    So my question to you is, what steps will UnitedHealth 
Group take to compensate providers for the administrative costs 
they are incurring due to this cyberattack?
    Mr. Witty. So, thank you very much for the question. First 
and foremost, we continue to make available the interest-free 
loans. And secondly, we are more than willing to engage with 
individual providers on their circumstances as you describe.
    Senator Cortez Masto. Interest-free loans will address 
these administrative issues, or are there conditions upon the 
interest-free loans or burdens that they have to respond to?
    Mr. Witty. There are no conditions on the interest-free 
loans, other than that they would be repaid 45 days after the 
provider has confirmed that they are back to normal.
    Senator Cortez Masto. Okay. Thank you, Mr. Witty.
    Thank you, Mr. Chair.
    The Chairman. I thank my colleague.
    Senator Tillis is next.
    Senator Tillis. Thank you, Mr. Chair, and thank you for 
being here, Mr. Witty.
    I am trying to get--I know people have asked questions 
about your redundancy plan and multifactor authentication. Can 
you give me some sense as to whether or not either internal or 
external audits identified this as a compliance or audit risk 
in the past?
    Mr. Witty. For MFA on this particular----
    Senator Tillis. I have to believe that anybody, any 
qualified internal or external auditor on systems controls, 
would have identified multifactor authentication not being in 
use as a major risk factor. Do you know if there is a record 
out there that management would have been made aware of?
    Mr. Witty. Of this particular server?
    Senator Tillis. Yes.
    Mr. Witty. Not that I am aware of.
    Senator Tillis. Okay. It would be interesting, for the 
record, if we can find any information from either your 
internal audit or external audit that was identified as an 
actionable matter.
    Tell me a little bit about redundancy too. I used to work 
in redundancy, building redundant systems, cutover systems. It 
sounds like it was not a very smooth cutover. So how did that 
not make it through a system audit as well?
    Mr. Witty. Thank you very much for the question. So, I 
agree with you, that it is very frustrating that there was not 
a quick redundancy switchover. The attack----
    Senator Tillis. I mean, you are an information technology 
provider at a large scale.
    Mr. Witty. That is right. So, within Change Healthcare--
which again was a company that only recently had come into our 
organization and was in the process of being upgraded--the 
attack itself implicated both the prime and the backup 
environments.
    And that was partly due to the age of the technology and 
the fact that large amounts of it were not in the cloud. The 
elements which were in the cloud, we were able to bring back 
almost immediately. The elements which were in the older data 
centers and had within them multilayers of historic legacy 
technologies, that was the challenge on the restart and----
    Senator Tillis. Well, I actually brought in--I used to 
bring this too, when I was on Senate Armed Services. I had to 
give up Senate Armed Services to get on Finance, but I always 
brought this book when we had cyberattacks. It is called 
``Hacking for Dummies.'' This is the 5th edition.
    It does not include the nature of the breach that you all 
developed, but this is some basic stuff that was missed. So, 
shame on internal audit, external audit, and your systems folks 
tasked with redundancy. They are not doing their job.
    And as a result, we have a data breach where--I have sat in 
the Judiciary Committee; this is the first meeting I have had 
where we were talking about data privacy, data breach, since I 
have been on Finance. But I really do believe it is your 
problem to fix, and the damage to the consumers' data--you've 
got to keep them whole.
    That enterprise--your entire enterprise is based on the 
movement of data, movement and exchange of data. That is how 
you create value: my health records, the health records of 
people that are moving. So, when you have a breach, it has got 
to be your problem, not my problem.
    And so, everything that you do to keep those folks' 
information, those folks whole for any damage in the breach, I 
think is just a function of doing business. Do you agree with 
that?
    Mr. Witty. I do, sir, and we have leapt in to take full 
responsibility on notification, and we are not waiting for 
individual notification to make available credit protection and 
identity theft protection. We have already stood up credit 
protection and identity theft protection for anybody who wants 
it. They can reach us through a 1-800 number or through our 
cyber support.
    Senator Tillis. It raises interesting challenges about 
timeline, et cetera. But we will submit some questions for the 
record about just how long you are willing to make that 
commitment, and how easy it is. I for one do not want--I got a 
notice, you know, on possibly being involved in a data breach. 
It was kind of interesting, saying, ``We will help you with 
your problem,'' and I am thinking, ``No, I will help you with 
your problem. But you are not going to make this difficult for 
consumers, and we will be keeping track.'' And I am talking to 
those folks.
    I am going to take at face value you are going to do it 
right.
    But this--this is not the problem of a person who now may 
have to deal with the consequences of the use of their data. It 
has to be your problem to fix.
    But, Mr. Chair, I just want to bring up that I hope that we 
can get back--if you remember about 3 or 4 years ago, after 
Europe passed the GDPR, which is data privacy, data breach, 
everybody was talking about how Congress needed to act on that. 
Congress has done nothing, in part because it is a 
multijurisdictional issue that wades into Commerce, wades into 
Judiciary; I think there is a third committee as well.
    We are making a huge mistake by not having Federal rules of 
the road on data privacy, data breach, and how these 
enterprises have to mitigate things. We have really got to work 
on it, because now we have a patchwork of over a dozen States 
that are doing it differently, and I think it creates 
distraction and chaos for the businesses that take them away 
from actually protecting our data.
    So hopefully, we can work on this. It is a very critical 
subject, and I am all about making sure that the people whose 
data has been captured are kept whole.
    Thank you.
    The Chairman. Senator Tillis, a couple of very important 
points you make. The last one, in terms of bringing together 
the various committees--it is essential.
    I do not want to leave, though, the other important point 
that you make. Multifactor authentication is vital for 
prevention, but redundancy, which you touched on, basically 
helps the company get back on its feet. This company flunked 
both, and I thank you for that.
    Senator Tillis. Yes. I agree, Mr. Chair.
    The Chairman. Senator Lankford?
    Senator Lankford. Mr. Chairman, thank you. Mr. Witty, 
thanks for being here. And there are a lot of conversations 
happening around this dais. I appreciate our phone call that we 
had a couple of days ago, just to be able to talk through some 
of these things in greater depth.
    I do want to tell you a story getting started; that is, I 
am going to combine several people together just to be able to 
tell you a story. For an Oklahoman who lives in a rural area--
she is in her mid-70s. Several years ago she used to go to her 
local physician, but that local physician practice has closed 
down because of just the administrative burden. They could not 
keep it going.
    So now she drives to the hospital--it is about 30 minutes 
away--to be able to meet with a doctor there. The hospital and 
that physician are on her insurance. She has Medicare 
Advantage, but by the time she actually schedules an 
appointment--she actually lined up the appointment and found 
out, no, they just switched off. They are no longer on Medicare 
Advantage. But they were when she originally scheduled, when 
she originally signed up for the plan.
    Then when she finally goes to the doctor on that, she gets 
there, the doctor needs to run some tests, but she cannot get 
the tests done that day because they have to do a prior 
authorization with the insurance company. So she has to drive 
home, when it is a test that she needs they could do that day, 
but they cannot do that day because they are waiting on prior 
authorization to be able to go through.
    The hard part is, 2 years later, that hospital has just 
stopped taking Medicare Advantage at all, as we have had 
several of our hospitals do in Oklahoma, saying that just the 
realized reimbursement is 20 percent less than Medicare. They 
just cannot keep up with Medicare Advantage because of all the 
prior authorizations and because of all the denials of service. 
So they have just stopped taking Medicare Advantage entirely, 
which for her really puts her in a difficult spot.
    She goes to her local pharmacist that she has gone to for 
years, and finds out that there is pretty remarkable pressure 
on them, and they are going to have a hard time. They are not 
sure they are going to be able to stay open.
    But her insurance company tells her, ``Hey, we want you to 
do mail-order pharmaceuticals,'' but she has pretty complicated 
chronic diseases, and she wants to have somebody that she can 
talk to. I wish this was a story that was not true, but it is.
    And it is the complications, not--you have been engaged, 
and United is engaged in all of those areas, both in the PBMs, 
both in Medicare Advantage. This is not a story just on United. 
This is just a reality that we are facing here, especially in 
rural areas and in my State of 4 million people. Two million 
people live in an urban area, and 2 million people live in a 
rural area.
    So, it is a reality for those folks who live in a rural 
area, those exact challenges that I laid out. I am not asking 
you to answer all of those. I guess I am just--I am just saying 
those so you will hear it, because that really is a reality of 
what is happening on the ground every day in rural Oklahoma, 
and they just want to get health care and want to just be able 
to get access to that.
    I do want to clarify something you and I talked about. It 
is when hospitals and pharmacies will be made whole after all 
of the issues of the reimbursements, when everything is done. 
When is that target time when everyone will be made completely 
whole?
    Mr. Witty. Senator, thank you very much. Just on your first 
comment, if I may----
    Senator Lankford. Sure.
    Mr. Witty. I am 100-percent aligned with the aspiration you 
described there in terms of how we can help modernize the 
system, and clearly that is not for one company but, rather, 
it's a joint obligation of the government and private industry. 
We do need to reduce, for example, burnout of physicians. We 
need to make it easier for seniors, like the way that you 
describe in Oklahoma, to navigate this system. We need to be 
able to provide that help, and we need to make sure that the 
system is timely and responsive in how it helps those folks, so 
that they get access to care as quickly as possible.
    That is what drives every single person at United to try 
and improve, and we are very open to ideas and suggestions of 
how we can improve. That is why, for example, just in the last 
year, we have eliminated 20 percent of all of the prior 
authorization codes which existed a year ago.
    So, I just want to reassure you of our commitment and our 
sentiment to do exactly what you are looking for in terms of 
helping to streamline the system.
    Senator Lankford. It would be very helpful. And I know, as 
we have talked about offline as well, there are families that 
do sign up with a specific plan, because they know their 
physician or hospital is in that plan. And they sign up in 
October or November, but when they make their appointment in 
January or February, they suddenly find out, no, they just 
switched. It switched over in January, though they signed up 
for it in October. They need to know that if they sign up for a 
physician, that physician is going to actually be there.
    Mr. Witty. I certainly agree with you, sir. Provider 
directories are one of the key areas which we all need to try 
and work together to be better at.
    In terms of making whole, we continue to make sure that the 
interest-free loan funding capacity remains available for 
people until they are back to normal, and we will work with 
individual providers on other issues that they are concerned 
about.
    Senator Lankford. What do you think is the date when 
everyone is made whole?
    Mr. Witty. I would hope that that is in the next month or 6 
weeks.
    Senator Lankford. Okay. That would be helpful for all those 
providers.
    You and I can talk later on this one, but any specific 
ideas on the other side of this that the FBI can have? As you 
know, I serve on the Homeland Security Committee as well as 
here on Finance, so I am dealing with both sides of this 
ransomware attack. Are there things that the FBI could have 
done better, things that would have been helpful proactively, 
or information? That would be helpful. So, if any of the folks 
in your company want to be able to pull together a list, then 
we can help work on that side of it as well.
    Mr. Witty. We would be very happy to.
    Senator Lankford. Thank you.
    The Chairman. The time of my friend has expired.
    As reluctant as I am to break up this friendship here, we 
have so many people coming and going. Senator Brown, you were 
next, and then I very much want to get Senator Casey in very 
quickly. But if we kind of keep breaking this up, it is going 
to be bedlam here.
    Senator Brown?
    Senator Brown. Thank you, Mr. Chairman. Mr. Witty, welcome. 
Glad you are here.
    In addition to being a large insurance company, UHG also 
operates a PBM, as you know, Optum Rx, which tells you a lot 
about the problems going on in our health-care system.
    I hear from so many independent pharmacy owners in Ohio who 
are forced to make impossible decisions, including considering 
dropping out of Medicare Part D, even having to close their 
doors entirely. A couple who runs five pharmacies came to me. 
They have shut down because of PBMs--the same story--driving up 
costs through abusive practices like imposing punitive direct 
and indirect remuneration, or DIR, fees on pharmacies.
    Were you aware, Mr. Witty, that in a recent National 
Community Pharmacists Association survey of independent 
pharmacy owners and managers, over one-third reported that they 
are considering closing this year due to financial constraints? 
Are you aware of that?
    Mr. Witty. I am certainly aware of similar research, yes.
    Senator Brown. Okay; thank you. Do you acknowledge that 
PBMs played a significant role in at least some of those 
closures?
    Mr. Witty. So, thank you for the question. Optum Rx does 
not retroactively impose DIR fees under Medicare Part D.
    Senator Brown. Now back to the question. Do you acknowledge 
that PBMs play a significant role in some of those closures?
    Mr. Witty. I do not necessarily believe that to be the 
case. I think that PBMs provide a very significant service and 
a variety of supports to clients who are looking for----
    Senator Brown. Well, sorry to cut you off; I only have 5 
minutes.
    It is clear that DIR fees contribute to local pharmacy 
closures. As I said, I just met with two Ohio pharmacists last 
week forced to close their stores. They are in rural areas, 
five pharmacies in five different communities, where people in 
those communities will have to drive at least 5 or 10 miles.
    They had record sales, but PBM practices meant they cannot 
even break even. It is clear that PBMs, that the PBM your 
company owns is making massive amounts of money. You know that. 
I assume you have probably bragged about that.
    Last year, your PBM reported revenues of $116 billion. So 
it is pretty clear you could lower or eliminate those fees and 
still be making plenty of money. Will you commit today--in 
front of Chairman Wyden and this committee--to lower and, when 
possible, eliminate DIR fees to save community pharmacists in 
Ohio and across the country?
    Mr. Witty. Senator Brown, we have already eliminated 
imposing DIR fees retroactively under Medicare Part D, and 
absolutely----
    Senator Brown. Will you help us, in the industry, convince 
some of your colleagues to do the same?
    Mr. Witty. To the extent that we are able or allowed to do 
that, we will certainly encourage that direction.
    Senator Brown. Thanks. It is clear that a number of PBMs 
are not going to reform on their own. That is why we urgently 
need to pass this legislation, Mr. Chairman, to rein in these 
corporate middlemen, and we need to pass it this Congress.
    Moving on to something Senator Lankford was talking about: 
this cyberattack put a financial burden on the hospitals and 
doctors, pharmacies and health systems in Ohio, due to 
disrupted payments; and particularly, community health centers 
are facing some of the most dire consequences from this attack.
    You know how important community health centers are in 
Pennsylvania and Ohio and Idaho and Oregon. They serve patients 
often most vulnerable. They operate on slim margins. There is a 
health center in my hometown of Mansfield, OH whose revenue 
dropped from an average of $600,000 a week to under $200,000 a 
week due to this attack. Unacceptable, of course.
    Health systems cannot continue to operate like this without 
certainty that they will be compensated for these kinds of 
losses. What is United's plan to compensate providers and 
health systems who are bearing these additional financial 
burdens because of this breach?
    Mr. Witty. So, thank you for the question, sir. In the 
context of the family health center you describe in Mansfield, 
in that situation we have our interest-free loan program. Over 
$2 billion have gone to family health centers like the ones you 
describe. And we would be very happy to reach out to your 
office, and if that particular provider has not yet taken 
advantage of that program, it is still available, and it would 
bridge the gap in the cash flow that you describe.
    Senator Brown. And these loans, though, they will be 
required to pay them back?
    Mr. Witty. Only when they are fully back to normal and all 
backlogs have been cleared and they, not me, but they confirm 
that their cash flow is normalized.
    Senator Brown. They will make the determination of ``back 
to normal''?
    Mr. Witty. Correct, and then they will have 45 business 
days to then start the repayment, so 2 calendar months.
    Senator Brown. And low-interest loans precisely means what?
    Mr. Witty. No interest.
    Senator Brown. No-interest loans?
    Mr. Witty. No interest, no fee.
    Senator Brown. Thank you.
    The Chairman. Senator Casey?
    Senator Casey. Mr. Chairman, thanks very much. And, Mr. 
Witty, good to be with you.
    In public statements, UnitedHealthcare claims that the vast 
majority of services have been restored to pre-cyberattack 
levels. You spoke about the company's efforts to make providers 
whole.
    I continue to hear, however, from providers in Pennsylvania 
who are struggling to serve their patients as they await 
reimbursement for the care they are providing. Dr. Christine 
Meyer, who owns a practice in Exton, PA, in the southeastern 
part of our State, initially looked into taking out a home 
equity loan to keep her practice afloat.
    She reached out to UnitedHealthcare to participate in your 
loan program, but she was only offered $4,000 a month, which 
would cover .8 percent of her monthly expenses. Now, months 
later, she has finally received a more generous loan from 
Optum, but she is worried about the repayment terms.
    She said the terms are unclear, and she is worried that she 
will have to pay back these loans before her practice is fully 
up and running. Would you commit to supporting providers like 
Dr. Meyer by delaying the deadline for the loan repayment until 
the backlog of claims has been cleared, regardless of the time 
frame?
    Mr. Witty. Senator Casey, thank you for the question. Let 
me first off apologize to Dr. Meyer for the delay in getting 
the right level of loan capacity to them. And in the effort to 
move quickly here, we recognize we did not always get it right 
at the very beginning of this process.
    I think we have improved our processes dramatically, and 
that is why I believe she would have been able to get the kind 
of full loan she has. I would like to absolutely confirm to you 
and Dr. Meyer that we have no intention of asking for loan 
repayment until after she determines that her business is back 
to normal, and even then, we would not look for repayment until 
45 business days, 60 calendar days after that, and there would 
be no interest and no fee associated with that loan.
    Senator Casey. So it would be a determination she makes?
    Mr. Witty. That is absolutely right.
    Senator Casey. And second, I wanted to ask about the risk, 
especially in the context of children and seniors, the obvious 
risk when health care or financial information is breached. In 
the context of a child, the child's data is stolen. It can be a 
blank slate for cybercriminals to open up bank accounts and 
apply for loans, and it can take, obviously, years, if not 
longer, to repair the damage.
    For seniors, for older adults whose rates of victimization 
from scams have been skyrocketing in recent years, a data breach 
means even more of their information is available to scammers 
to use against them in the future. UnitedHealthcare still has 
not notified any victims of this cyberattack.
    It has been more than 2 months, but according to the 
company's website, it will take ``several months'' to identify 
and notify impacted customers and individuals. I think it is 
clear that if United had stronger defenses like multifactor 
authentication, then this could have gone very differently.
    At the same time, United is growing and expanding, and it 
is lacking adequate and protective cybersecurity infrastructure 
to secure people's most private information. So I would ask you 
this--and two questions. One is in the context of a parent. 
Parents who are worried about their child's personal and 
private health information being out there in the world for the 
rest of their lives, what would you say to those parents?
    Mr. Witty. Senator Casey, first off, I am very sorry that 
this situation has happened, and that there has been a data 
theft. We are working incredibly hard to get that information 
and working with regulators to get notification as fast as 
possible.
    We have also done everything we can to try and minimize the 
possibility of that data leaking out at all. I just want to 
reassure any parent, any individual, already today, prior to 
notification, anybody in America can call us or come onto our 
cyber support website for Change, and already this service is 
available to provide 2 years' credit protection, 2 years' 
identity theft protection.
    It is as simple as making the call to 1-866-262-5342. If 
you ring that number, within the first few seconds of that, 
folks will offer those services. It is a very straightforward 
thing to do, available to anybody.
    Senator Casey. Thanks. I am out of time, but I will submit 
one question for the record.
    Thank you.
    The Chairman. Senator Casey, before you leave, I just 
appreciate your standing up for families, and we are going to 
have some more discussion of this, because I happen to think, 
Mr. Witty, credit monitoring is the ``thoughts and prayers'' of 
data breaches.
    This is absolutely inefficient, and I am going to ask some 
more additional questions here shortly.
    Senator Hassan?
    Senator Hassan. Thank you very much, Mr. Chairman and 
Ranking Member Crapo, for this hearing, and thank you, Mr. 
Witty, for being here today.
    Following the February cyberattack on your subsidiary 
company, I heard from New Hampshire hospitals that saw nearly 
all of their revenue disappear overnight. You and I 
subsequently had a series of discussions about the need for 
UnitedHealth to provide financial assistance to hospitals under 
fair terms.
    While this should not have been necessary in the first 
place, I appreciated your work to change the terms of 
UnitedHealth's assistance program to provide fair relief 
options to these hospitals during what was an unprecedented 
crisis. But there is a long road ahead to return to normal 
operations.
    So, I have a couple of questions, and I am hoping we can 
get through them. Let me start by following up on a question 
that Senator Cortez Masto asked. In UnitedHealth's April 22nd 
press release, the company stated that personal information for 
``a substantial proportion of people in America,'' millions of 
families, was likely obtained by cybercriminals in the attack 
on your subsidiary company.
    Under HIPAA, covered entities whose data have been breached 
are required to notify individuals and the HHS Secretary within 
60 days of when health information is known or reasonably 
believed--and I am emphasizing those two words, ``reasonably 
believed''--to be exposed in a hack.
    In other words, when in doubt, you have to notify people 
who may have been affected by the breach. However, you have 
just testified that UnitedHealth has not yet notified 
individuals or the HHS Secretary that sensitive health 
information was compromised.
    To meet your HIPAA obligations, you need to at least send 
preliminary notifications to individuals so that they can take 
protective actions like monitoring their bank accounts, 
changing passwords, and enrolling in the credit monitoring 
system that UnitedHealth Group has set up.
    When specifically will UnitedHealth send this initial 
notification to all possibly affected people, and will the 
notice include information about the credit monitoring that you 
are offering?
    Mr. Witty. Senator, thank you for the question. Could I 
also thank you for the way you advocated for the hospitals and 
helped us understand where we needed to improve our terms and 
conditions? I appreciated that.
    In regard to your question, this is our top priority, to go 
as fast as we can to understand this. Of course, what we are 
trying to get here is to make sure that the information and the 
people we communicate with are right, first and foremost. We 
are working with regulators to understand how best to do that.
    We were held up in the process because it took time to get 
the original data set back. We only got hold of that in mid-
March. We are working on that, and we are working with 
regulators on how to do exactly as you described.
    Senator Hassan. All right. So let me just--I am going to 
push you a little bit on this, because the attack happened on 
February 21st. The HIPAA deadline for reporting to the agency 
and to individuals was April 21st. It is now May 1st. Ten weeks 
is way too long for millions of Americans to not know that 
their records may be available to criminals on the dark web.
    So I really urge you to immediately notify any families 
that could have been affected, so that they can take proactive 
steps, and I also urge you to use UnitedHealth's substantial 
resources to do more for patients who were exposed in this 
hack, including by offering comprehensive identity protections 
to individuals beyond the 2 years of credit monitoring that you 
are offering right now, to Senator Wyden's point.
    Second question: in cybersecurity, a single point of 
failure refers to a piece of IT infrastructure that if it 
fails, can lead to the breakdown of an entire critical system, 
such as payments to health-care providers. Health-care 
providers want to have contingency plans to be better prepared 
for system failures.
    Some in New Hampshire have told me that they are no longer 
comfortable with the risk of relying on a single system for 
processing their payments. Yet UnitedHealth Group includes 
exclusivity terms in at least some of its Change Healthcare 
contracts. These terms prohibit providers from working with 
other companies that process health-care payments.
    So, is it true that your contracts include exclusivity 
clauses?
    Mr. Witty. So the legacy, some of the legacy Change 
Healthcare contracts did, and we are releasing counterparties 
from those provisions so that people can indeed adopt redundant 
pathways.
    Senator Hassan. Okay. So I think it is important that you 
make sure that future contracts do not have these exclusivity 
terms, because they can effectively create single points of 
failure.
    And I guess the next piece of this, I think you have 
answered. So, are you agreeing right now you will not use 
exclusivity clauses in future contracts?
    Mr. Witty. Senator, that is right. We agree with you that 
having business redundancy is an important backup to 
technological risk.
    Senator Hassan. Okay. Thank you very much.
    Thank you, Mr. Chair.
    The Chairman. Thank you, Senator Hassan. And I noted in the 
discussion in preparing for this hearing, that you were one of 
the first to kind of blow the whistle on some of these major 
issues. I commend you and look forward to working with you.
    This committee is going to be actively involved, and we are 
going to make a bipartisan effort, which has been a forte of my 
colleague from New Hampshire. I look forward to working with 
her and all of our colleagues.
    Senator Warner?
    Senator Warner. Thank you, Mr. Chairman. I appreciate you 
and the ranking member holding this hearing. As you know, 
November 22nd, we put out a white paper on the need to have 
some level of overview of the people in charge, in terms of 
cyber in health care, and I would love to submit for the 
record----
    The Chairman. Without objection, Senator Warner's 
submission will be made part of the record.
    [The chart appears in the appendix on p. 46.]
    Senator Warner [continuing]. This chart, which indicates, 
frankly, cyber in health care is dealt with by 4 separate 
secretariats and about 12 different entities, and I think this 
lack of clarity is one of the challenges. I feel very 
strongly--and I appreciate that the chairman has already 
alluded to this, and I want to hear from you, Mr. Witty.
    I know we discussed this when we met individually: no 
industry likes minimum standards. But just as we have put, in 
energy and in finance, minimum cybersecurity standards, I think 
we need those minimum standards in health care as well. I think 
you tend to agree. If we were to put those minimum standards in 
place, I would want to make sure particularly--whether we are 
talking about Change or we are talking about big United--that 
there be transparency in those standards. Can you speak to this 
subject?
    Mr. Witty. Senator Warner, thank you very much. Yes. 
Certainly, I do think we are supportive of a direction of 
travel which moves toward minimum standards. I think today 
there is a blend of guidance, some standards and others, and I 
think there needs to be clarity within that. As you rightly 
say, there are a mix of different oversight agencies.
    I think that is--as you think about smaller and medium-
sized organizations across health care, it is difficult 
oftentimes to navigate some of those things. So I do think a 
refreshed view of all of that--I think minimum standards do 
make sense. We would be very, very happy to engage in any 
lessons learned from this with you on that.
    Senator Warner. And one of the things I think we need is--
you know, people would not be surprised if an individual 
provider was attacked or the United parent, being a huge 
entity. But you know, my understanding of Change is, in effect 
they were the rails that folks did not understand allowed the 
doc or the insurer or provider to kind of communicate 
information better.
    I think if we think about these minimum standards, it has 
to be all the way up and down the food chain. You cannot just 
check a box and say, ``Well, as a provider, I'm covered.'' We 
have to go trace back through that whole supply chain in a way 
that----
    Again, quite honestly, I am not sure we have enough 
transparency in the system overall. I also have said this was a 
multifactor authentication problem. You guys are the biggest in 
the business, and the fact that--I know you had acquired 
Change. You were 2 years into the acquisition, and you still 
had not put the type of standards that United corporate would 
already have in place into Change. Why was it taking so long?
    Mr. Witty. Senator, thank you for that question. That is 
very much still what we are trying to dig through, exactly why 
that server had not been protected by multifactor 
authentication. I am as frustrated as anybody about that fact, 
and we are working to try and understand exactly why it was not 
covered at the time.
    Senator Warner. Mr. Chairman, this is one of those areas 
where we do not have, I think, resilience. I mean, I have 
providers that have not only gone through literally weeks of 
not being able to have payments made and lost such faith in 
Change that they are now talking about getting a new provider, 
and that adds more and more weeks.
    In the meantime, patients, providers, and others are not 
getting their payments made. So I think we need to look not 
only at a minimum standards system, but also how we build 
resiliency into this system.
    I think the whole business model here, for any entity that 
is providing in effect the connections--from the telecom guy, 
as I used to be--those connections between docs, providers, 
insurers, there has to be a backup system in place. And whether 
that means within a single provider like Change Healthcare you 
have a backup system, or whether the whole business model has 
to change, so that whoever you sign up, you have a backup in 
reserve. Because without that, we have the kind of crisis that 
the system has presented here.
    Mr. Witty. So, Senator----
    Senator Warner. You said you were going to try to change 
that model. Can you speak to that for a moment? I know my time 
is running out.
    Mr. Witty. So, Senator, I certainly agree with that 
sentiment, which is, we would encourage people to have backup 
systems. Those providers who had two alternatives, they were 
able to fail across to their backups and were able to carry on 
without interruption essentially.
    Some did not have those backups. We need to work with those 
providers to make that possible, and help them to be able to 
have that second pipeline, if you will, or that second rail, 
which would allow them to have failed across to their backups 
if there had been a technology failure on the first system.
    Senator Warner. Well, I know, Mr. Chairman, you have wanted 
to take on this issue, and I look forward to working with you. 
I know Senator Casey is interested, but I think this is a time 
that is well overdue. We were just waiting for a crisis like 
this to happen, that we knew was going to happen. Now I think 
we need to act.
    The Chairman. I think those points are well taken, Senator 
Warner, and I think that there is an opportunity to link up a 
number of these issues. As I understand it, your proposal is 
essentially a Medicare-related kind of effort. We have begun 
working--the Finance Committee staff, which is available, of 
course, to all of the members, because we have jurisdiction 
over the HIPAA security rule as well, which gives us a chance 
to look at some of these issues relating to enforcement and 
standards and accountability.
    And I think your point as it relates to kind of resiliency 
allows us--and we have started it this morning--to kind of walk 
through how all of this actually works. I mean, you cannot walk 
into a coffee shop in most of America and talk about 
multifactor authentication. I mean, everybody would just kind 
of look at you like, what planet have you descended from?
    But that is all about prevention. But Senator Tillis came 
in and gave us a chance to make a link between prevention and 
getting everybody up and running again quickly, which is what 
the redundancy effort is all about. So, as we link up these 
issues and work in a bipartisan way, there is lots to do, and I 
look forward to working with my colleague.
    All right. Let's see. Next, we have Senator Barrasso.
    Senator Barrasso. Thanks, Mr. Chairman.
    Thanks for being with us today.
    Since the Change Healthcare cyberattack, I have heard from 
hospitals, providers all across Wyoming, and I am sure you have 
heard from people all across the country. Sheridan Memorial 
Hospital, Sheridan, WY shared with me how the attack has 
impacted them and their patients. So, it took 26 days for the 
claim processing to be restored at Sheridan Memorial.
    Like thousands of other hospitals, they experienced 
financial hits that are going to take them months from which to 
recover. Over the 26 days, they were delayed in filing 17,000 
claims, resulting in about $20 million in unpaid services.
    Rural hospitals all across Wyoming and the U.S. provide 
access to essential health services. As you know, they 
represent the most financially vulnerable hospitals, because 
when a hospital closes, it is usually a rural hospital.
    So, 50 percent of rural hospitals are already operating 
right now in the red. This breach may send some of them into a 
financial spiral from which they cannot come back, and those 
communities are often rural, frontier areas. There is not 
another hospital nearby. So how are you prioritizing the 
processing of claims?
    Mr. Witty. Senator, thank you very much for the question, 
and let me say how sorry I am to hear of the kind of pressure 
that you just described. And please be assured we are working 
everything we can to make sure that we are as responsive as 
possible, not just with claims clearance, but also to make sure 
that there is loan program availability, particularly for rural 
hospitals and family health centers.
    About a third of the $6.5 billion we have issued has gone 
to those types of organizations. If there are specific 
hospitals within Wyoming that have not yet connected with us, I 
would encourage them to do so.
    Claims processing is broadly back to normal, so we believe 
most of the backlog on claims processing is mostly back. Not 
like--obviously, I cannot assert for 100 percent, but I think 
broadly, where we still have lag is payment on those claims. So 
for example, if a claim is submitted to UnitedHealthcare, our 
insurance company, for payment, we will pay instantly.
    But not all payers are paying instantly. So some may be 
paying as normal, 30 days after claim receipt. That would 
explain why you are continuing to see that delay. We are 
committed to maintaining that interest-free loan capacity for 
folks until they have gotten through this cash-flow challenge.
    Senator Barrasso. Yes, because we want you to make sure you 
are specifically prioritizing these rural and financially 
vulnerable hospitals, because they need to keep their doors 
open, and they are the only source of supply.
    I heard there has been a lot of discussion about two-factor 
verification today. We have a small community hospital. They 
have a health fair I tend to try to get to every year in 
Kemmerer, WY, a town of 2,500 people. In 2023, they spent 
nearly $1 million on cybersecurity. It is evident from how much 
hospitals like South Lincoln County Hospital spend that 
hospitals take cybersecurity very seriously.
    You know, Change Healthcare's commitment to cybersecurity, 
it is not as clear. We have had every--I really think just 
about every person here asked those questions, you know?
    I have heard the responses. You know, to me it seems like 
an excuse. South Lincoln Medical Hospital in Kemmerer even has 
this multifactor authentication. They are operating in the red, 
and Change Healthcare was established in 2007. This is a 
hospital that was established in 1961, and this is a system 
that has been already updated. So did you lack the financial 
resources to implement a multifactoral authentication system? I 
am just not sure why you have not had this in place yet?
    Mr. Witty. Senator, thank you for the question. Like you, I 
am very disappointed and frustrated that this particular server 
did not have MFA installed. Change Healthcare came into our 
group a little over a year and a half ago. We have been 
upgrading their technology since we acquired it.
    You are right. They were established in 2007, but some of 
the legacy systems in that company go back 40 years. We had 
been working to improve those, and unfortunately, we have 
discovered a server which was not covered by MFA, and as a 
result was exploited.
    Senator Barrasso. So have you implemented the requirement 
since the breach?
    Mr. Witty. Oh, absolutely. So we have a policy at 
UnitedHealth Group for MFA on external services. We are using 
external support to ensure we have all those in place.
    We run continuous penetration tests to make sure that they 
are active. But in this particular case, this is a very 
frustrating situation which we are continuing to try and 
investigate, to understand why it was like it was.
    Senator Barrasso. You know, I practiced orthopedic surgery 
in Wyoming for 25 years. We had a small group practice, five to 
six physicians, and the small group practices are getting hit 
as well, in addition to the larger practices. Do you have any 
plan to change policies, to ensure that providers are not 
financially on the hook in the future?
    Mr. Witty. We certainly--so I think importantly we are 
providing really unlimited loan support for folks to get 
through this cash-flow situation, and of course we are always 
willing to talk to providers on a case-by-case basis if there 
are other issues that need to be addressed.
    Senator Barrasso. Thank you, Mr. Chairman.
    The Chairman. Senator Barrasso, before you go, I want to 
associate myself with your remarks, because this is so 
important as it relates to these small families. And we have 
been at it for about, you know, 2 hours, and I think you touch 
on what I regard as one of the key areas, and we have just 
heard excuse after excuse this morning from Mr. Witty.
    And you know, the fact is that the first server that was 
hacked did not have multifactor authentication, and Mr. Witty's 
head of cybersecurity knew about it. So we have to get to the 
bottom of it.
    This is going to be a completely bipartisan effort. We have 
not had any Senators saying let's get a Democratic bill or a 
Republican bill. We are going to do this together. I very much 
appreciate the important issues you have raised.
    Senator Barrasso. Thank you, Mr. Chairman.
    The Chairman. Let's see. Senator Bennet is next.
    Senator Bennet. Thank you, Mr. Chairman. Thank you, Mr. 
Witty, for being here today. I have similar issues that I want 
to talk about in terms of Colorado, and I am very grateful that 
the chairman and ranking member have held this hearing.
    Mr. Witty, I appreciate the initial efforts that UHG has 
made to accelerate payments and to offer some financial 
assistance. This is, obviously, affecting cash flows all across 
the State. We have patients in Colorado who are continuing to 
need care, and since the hack, my office has been working with 
offices all over the State. They are still 2 or 3 months away 
from their normal cash flow, and they are already, as you know, 
operating on a shoestring as it is. So, on top of what they are 
dealing with, the normal reimbursement process has yet to come 
back online.
    One Critical Access Hospital in Colorado has $1.5 million 
in outstanding payments that are receivable. That is half of 
their total monthly revenue. Their ability to pay their doctors 
and nurses and other staff is at risk as a result of this. So, 
their operation is at risk.
    It is not just hospitals. Pharmacies like Good Day Pharmacy 
in Loveland, CO have been forced to pass on the cash piece of 
medication payments to patients, some of which cost over 
$1,000, for over 30 days.
    Some Coloradans, understandably, cannot afford that 
expense, and they have not gotten their medicine. They have 
been left empty-handed as a result of that. They are unable to 
pay their bills. They cannot do it. They cannot pay it online, 
and some autopayments have stopped.
    This single attack--and I know you have heard this today, 
but one more State. This single attack has kicked off a 
cascading series of crises that are unmasking some deep 
vulnerabilities in the core of our health-care system. Colorado 
practices and hospitals have been left to pick up the pieces, 
covering the cost of someone else's cybersecurity failure.
    So I wonder what you can say--maybe in addition to what 
Senator Barrasso asked you about--about what cost you think you 
might be responsible for here, and how you are thinking about 
those challenges?
    Mr. Witty. Senator, thank you very much for the question. I 
also share your concerns for the situation in Colorado, and I 
am very sorry for the disruption that has been caused there. We 
are working very hard to fix those technical solutions as fast 
as possible.
    Let me reassure you that our financing capacity remains in 
place. So for example, in the hospital that still has $1.4 
million, I think you said, of issue, we will reach out to your 
office to connect with those folks to ensure that they have the 
support to bridge them through until they are back to normal.
    We are more than willing to keep that support in place, if 
that is a month or 2 months or 3 months, and that would be 
interest-free, no-cost loans to that hospital.
    Senator Bennet. Well, I appreciate that, Mr. Witty. We will 
take you up on that. How about the costs--is there something to 
do about the costs on a going-forward basis, to deal with the--
I mean, how are we going to avoid having this happen again in 
the future?
    Mr. Witty. So, that is a very good question. I think we all 
have to take--we are clearly trying to take the responsibility 
in this attack. We are also trying to learn from it.
    We want to make sure we share all of those learnings. We 
are trying to be as open as we can be on the things we are 
learning, and we will continue to do that as our investigations 
continue to pursue any other understandings here. But the 
attacks we are under are sustained. They are going up; they are 
not going down.
    The attacks are becoming more and more sophisticated, and 
the levels of technology that we are going to need to protect 
against those attacks will continue to have to be elevated. And 
that is going to be a challenge, I think, for many participants 
in the system to keep up with the pressure, which is why I 
think it is also important that we focus on how we reduce the 
attack rate, and making sure that the number of attacks which 
come into the health system, and more broadly into the country, 
begins to drop. It is simply escalating, and I think the 
probability of other breaches in other parts of the health-care 
environment must be high, given the pressure that the system is 
under.
    Senator Bennet. Thank you.
    Thank you, Mr. Chairman.
    The Chairman. I thank my colleague.
    Next is Senator Young, I believe, and then Senator Carper.
    Senator Young. Thank you, Mr. Chairman. Mr. Witty, good to 
see you. Thank you for making yourself available to me and my 
office in the back end of these attacks.
    Health-care entities and devices are increasingly connected 
to the Internet and other health-care facility networks to 
provide features that manage administrative functions, increase 
efficiency, or improve the ability of health-care providers to 
treat patients. We of course have to have confidence these 
systems and tools can be used safely and securely, in order to 
reduce risks and vulnerabilities for patients and providers. 
There remain some unanswered questions and lessons to be 
learned from this attack. You have acknowledged that.
    Mr. Witty, one work-around for payers and providers, which 
we discussed, was to move to a different clearinghouse, 
including Change Healthcare's competitors. How long could a 
transition take for a provider to be fully up and running with 
a new vendor?
    Mr. Witty. Senator, thank you for the question. That can 
be, I think, within just a few days. I can come back on really 
a more educated assessment of that. But I would say a few days 
to a week or so.
    Senator Young. Okay; that is okay. That gives me a rough 
estimate. Is Change Healthcare helping with these transitions?
    Mr. Witty. Yes. In fact, we recommended and diverted 
clients to as many alternative competitors as possible, and we 
will continue to encourage clients to have a backup system in 
place--so, to have at least two alternative channels in case 
there were future attacks in the system.
    Senator Young. And I know this has already been covered a 
bit, but to confirm, there has been reporting of exclusivity 
clauses between Change Healthcare and its clients. Will any 
exclusivity clauses be enforced, and what should providers be 
aware of if they transition to a new provider?
    Mr. Witty. Senator, you are quite right that the legacy 
Change Healthcare contracts indeed did have exclusivity 
clauses. We have waived those, and we would not intend to 
enforce them because we want to make sure people have backup 
capabilities in place.
    Senator Young. All right; thank you.
    Tulip Tree Family Health Care is a community health center 
in the southern part of my State. It is unable to switch 
clearinghouses. They indicated it is a time-sensitive process 
for their billing department, which has two people, and 
connecting to the new system could put their cyber liability 
insurance at risk, since it has not been guaranteed secure.
    They have turned to 100-percent paper submission of claims 
by mail, incurring all kinds of overtime expenses and 
significant postage costs for a small health-care center that 
tries to provide the most they can for their patients.
    Tulip Tree learned about the attack from the national news. 
Do you have a notification process in place, sir?
    Mr. Witty. That is a very good question, and that is one of 
the areas where I think we need to figure out how to 
communicate, not just for companies, but for government. We saw 
the same thing in COVID. It was very difficult to communicate 
with providers across the system.
    In this particular attack, our customer files were 
compromised in the attack. So they were encrypted, which made 
it very difficult for us to reach out directly to those 
clients. I would say in this particular situation you 
described, we would love to reach out to your office, 
understand who that clinic is, and if we can help them in a 
technical transition, or if they need financial support during 
the bridge to the new supplier, we would be happy to help.
    Senator Young. And you did mention that those mechanisms 
you have created provide that financial bridge. I am encouraged 
by that. How are you more broadly disseminating information to 
providers, particularly, you know, these small safety-net health 
centers like Tulip Tree?
    Mr. Witty. Again, thank you for the question. So we have 
used everything from our UHG insurance provider bulletin, which 
goes to a million physicians across the country. We have used 
social media. We have sent something like 700,000 emails to a 
variety of different provider addresses. We have tried to use 
every channel. We have worked with all of the key medical 
associations to encourage associations to get the word out to 
pharmacies, to providers, and others. And of course we have 
been running regular national telephone calls for technology 
leaders across all of the organizations, and encouraging them 
to spread the word in their region--so for example, large 
hospitals, encouraging them to spread the word.
    But I do think communication to providers, whether it is a 
cyber situation or a pandemic situation, I think that is an 
area which repeatedly comes up as an area for opportunity.
    Senator Young. Thank you for answering my questions, Mr. 
Witty.
    I guess the only other thing I would say is, you know, you 
will have all manner of lessons learned, including that there 
may be limitations under existing law to being able to respond 
to these sorts of attacks and serve your clients optimally. To 
the extent those lessons are learned, I ask that you 
communicate that information to my office and to this committee 
so that we might consider changing the law.
    Mr. Witty. Thank you.
    Senator Young. All right.
    Thank you, Mr. Chairman.
    The Chairman. I thank my colleague, and I look forward to 
working with him. We have had a very good bipartisan effort, 
and my colleague has had a great interest in national security 
issues.
    I am really struck by how little we know about the data 
that could involve our service personnel. So I look forward to 
working with him.
    Okay. Senator Carper?
    Senator Carper. Mr. Chairman, and to our ranking member, 
thanks for pulling this together today. And, Mr. Witty, thank 
you for taking the time to talk with me earlier this week and 
for your testimony today.
    Among the things that I shared with you were some of the 
tools that guide me in my life in this role, and in other roles 
that I have been privileged to serve. But one of my guiding 
principles is, everything I do, I know I can do better. I 
think, everything I do, I know I can do better.
    I think that is true for all of us: our striving for 
perfection. No, we're not going to get there, but at least that 
is our goal. Another one of my guiding principles is to treat 
other people the way I want to be treated--the golden rule.
    And I always try to put myself into other people's shoes, 
whether you happen to be a constituent, whether you happen to 
be a patient, whether you happen to be a practitioner or a 
provider, put myself in their shoes and let that help guide me.
    The other thing I mentioned to you yesterday is, this is a 
shared responsibility; the idea of shared responsibility. It's 
clearly an obligation that you and your colleagues have, but 
there is a role for government, and there is a role for others 
to play. But there is a shared responsibility.
    One of the things I mentioned yesterday--I quoted Abraham 
Lincoln. He was asked, ``What is the role of government?'' And 
he said, ``The role of government is to do for the people what 
they cannot do for themselves.'' And there is State government, 
county, local government, and we have the Federal Government, 
so there is probably a role for all of us to play.
    We are proud in Delaware--about a million people in 
Delaware. We are about 100 miles from north to south, 50 miles 
from east to west. I cover my State like a glove every week, 
just about every week. And it is something I love to do, and it 
is easy to do.
    But we have heard from constituents, families, people who 
have been not just disadvantaged, but really hurt, really 
potentially put in harm's way. We heard from practitioners and 
providers in a real way, in a human way, on the phone and in 
person. So for us, this is very real.
    But thinking a lot in terms of the role of government--
since we are the government, the Federal Government--the role 
of government here, what might be one or two of the roles that 
we could play, should play?
    Mr. Witty. Well, Senator Carper, thank you very much for 
the question and your comments. I think there are maybe two 
areas I would suggest. One is helping the health-care system 
think through what the minimum standard, what the right level 
of system protection and redundancy is, to try and guard 
against the impacts of future attacks.
    And then the second is to see what further can be done, 
what more can be done, to reduce the attack velocity that is 
coming at the U.S. health-care system from cybercriminals and 
other possible actors. So, I would maybe suggest those two 
areas for thought.
    Senator Carper. Okay; thanks.
    This attack was, as I understand it, maybe the worst of its 
kind against our health-care system and the people in that 
system. But the ramifications remain widespread. It is clear 
that Change Healthcare was not prepared for this attack.
    I do not know if it is possible to actually be prepared, 
fully prepared, for an attack of this nature. But you shared 
with me yesterday that the attacks are ongoing, and they are 
becoming more frequent, and the people who are launching these 
attacks are not stupid, and they are not getting any dumber, 
unfortunately.
    But it is clear that Change Healthcare was not prepared for 
this attack. The lack of basic cybersecurity measures left our 
health-care providers and their patients vulnerable to 
disruptions in care, and sensitive data and personal 
information being stolen. And like my colleagues, I have heard 
from, as I said earlier, providers, we have heard from 
practitioners, we have heard from families and individuals 
throughout our State who were directly impacted from this 
attack. One individual we talked to was unable to receive her 
insulin prescription for several days because of significant 
pharmacy delays, and that is not acceptable for any of us.
    But, Mr. Witty, why do you think it took so long for your 
system to get back up and running, and why are many pharmacies 
still offline today?
    Mr. Witty. Senator, again, thank you for the question, and 
I am very sorry to hear of the situation of the patient who was 
waiting for their insulin. We have tried to make clear that we 
would honor any prescriptions which were filled with the 
pharmacists uncertain of what the reimbursement status was.
    But perhaps that also emphasizes the challenges of 
communicating across such a wide group of providers. The speed 
of recovery of our systems was really determined by the way the 
attack encrypted large parts of the environment. To ensure that 
the system, when it was brought back online, garnered the 
confidence of all other participants in the environment, that 
it was safe to reconnect to--and remembering that Change 
Healthcare is a big connecting system--we really built the 
environment from scratch.
    So we did not resuscitate large parts of the old 
environment, which could have brought with it the risks and the 
suspicion of infection, and would have led to, I think, people 
not being willing to reconnect at all. We spent a lot of time 
rebuilding from scratch, and then having third-party 
organizations test, scan, penetrate it to make sure it was 
super-robust before it came back.
    But unfortunately, that took time. And the consequence of 
the way the attack impacted the first system, and then the 
commitment to bring back a better, clean system, was the 
explanation.
    Senator Carper. My time has expired.
    The Chairman. I thank my colleague.
    Just a few additional questions I am not clear on. Apropos 
of the patients--the real victims, in my view, of your 
negligence--Equifax, for the people who had their information 
stolen, sent the individuals $5. How are you going to go about 
compensating people for their stolen data, and do you think 
that is right, to give people $5?
    Mr. Witty. Mr. Chairman, we are working hard to get that 
notification as soon as possible and to understand who is 
potentially impacted. But in the meantime, we have not stood by 
to wait for that.
    We have already put in place services, call centers to help 
people understand the situation, if they need advice, support, 
and also to make sure that they already can access--and for 
anybody, actually whether their data is in this or not. Anybody 
in America can access credit protection and identity theft 
protection for the next 2 years. It is very easy to do.
    The Chairman. Yes. Identity theft and protecting against it 
is something I am very supportive of. But I also am very 
hawkish on protecting people's private medical data.
    When I saw Equifax giving people $5--and this happened very 
recently--I wanted to know from you all whether you thought 
that was reasonable. How are you going to go about it? I mean, 
do you envision sending out $5 checks too?
    Mr. Witty. Mr. Chairman, at this time, I do not. I feel as 
if the important thing here is to reassure people that, (a) we 
are doing everything we can to try and ensure the data does not 
in fact leak; and (b) that we would make sure that their data, 
that their situation is protected through the services that we 
have already made available and are available to anybody in the 
country.
    The Chairman. Let us also get on the record one of the 
questions that Senator Menendez touched on with respect to 
doctors, because for a lot of us, particularly representing 
small communities in our States--and Oregon, much of Oregon, 
you know, is rural. Senator Barrasso was talking about that as 
well.
    Our physicians are very much at risk. They owe you for 
these loans, and I am concerned that these loans are going to 
give you valuable financial information that, based on the 
company's history, is going to be used to gobble up lots of 
other small providers across the country.
    As you know, I asked you about what was going on in Oregon, 
and Senator Warren touched on it as well. So this is not a 
hypothetical question for your company, because your company is 
buying these people up hand over fist.
    So I would like to see, at a minimum, a firewall 
established so that you cannot use the data from these doctors 
that were gleaned from the loan process to go out and buy out 
more doctors, because that is the last thing we need in 
America. Will you support that?
    Mr. Witty. Chairman Wyden, so, first of all, I do support 
that. I think that is a good idea and a good recommendation. 
But second, I also just want to reassure you, we have not asked 
for any loan repayment yet from anybody, and we will be guided 
by the providers' confirmation that their cash flow is back to 
normal.
    So, it will be under their guidance that that conversation 
would begin. But your suggestion, I think, is a good 
suggestion. And while I am very confident we would never take 
advantage of that information, to be absolutely clear, I am 
happy to put in place the process you just described.
    The Chairman. So, we have been at it for more than 2 hours 
now, and there is a lot we do not know. There is a lot that the 
American people do not know. We do not even know what data was 
stolen, and I am not convinced that we are going to find that 
out any time soon, and may never find it out.
    And this data, as I said several hours ago, can reveal 
abortions, mental health conditions, sexually transmitted 
infections, and more. And I just want to see evidence that the 
company is willing, because this company is so big--and we 
heard my colleagues talk about ``too big to fail.''
    I think they were, frankly, more eloquent than I was a 
couple of hours ago. But I think companies that are so big have 
an obligation to protect their customers and to lead on this 
issue. In much of what I have read about this, you are kind of 
saying to the American people, ``You should feel lucky that we 
are big.''
    Well, I think that a lot of Americans today do not buy 
that. And I think that your company, on your watch, let the 
country down--and these millions of people--on both the 
prevention side, which is what two-factor authentication, 
multifactor authentication is all about, and on getting us back 
and going. We still have questions about getting it back and 
going, and that is redundancy.
    So there is a lot of heavy lifting to do. And I want you to 
know that this is the area that I have tried to kind of 
concentrate on over the years in public service. I was director 
of the senior citizens group.
    This is one of the most important issues I have taken on, 
because I think the intersection of health policy, economics, 
and national security is now front and center, and I am all in 
on this. This is one of the most important fights that I have 
taken on, because what worries me is all these people who are 
professionals in the field say, ``Shoot, this is an example to 
the bad guys of what they can accomplish.''
    And you are going to have to be much more active and much 
more forthcoming in terms of these kinds of specific issues 
that we have talked about today, if we are going to turn this 
around.
    So, with that, the Finance Committee is adjourned.
    [Whereupon, at 11:15 a.m., the hearing was concluded.]

                            A P P E N D I X

              Additional Material Submitted for the Record

                              ----------                              


                Prepared Statement of Hon. Mike Crapo, 
                       a U.S. Senator From Idaho
    Thank you, Mr. Chairman, and thank you, Mr. Witty, for being here 
today.

    On February 21, 2024, UnitedHealth Group learned that its 
subsidiary, Change Healthcare, was likely the victim of a cyberattack 
launched by ``a suspected nation-state-associated cybersecurity threat 
actor.''

    In response, Change, the Nation's largest health-care 
clearinghouse--which processes $1.5 trillion in medical claims 
annually--disconnected all of its systems to prevent the hackers from 
obtaining additional data.

    The fallout from this unprecedented attack has affected the entire 
health-care sector. By crippling Change's functionality, the hackers 
left providers unable to verify patients' insurance coverage, submit 
claims and receive payments, exchange clinical records, generate cost 
estimates and bills, or process prior authorization requests.

    In the immediate aftermath of the attack, many providers had to 
rely on reserves to cover the resulting revenue losses. An American 
Hospital Association survey found that more than 90 percent of 
hospitals were financially impacted by the cyberattack, with more than 
70 percent reporting that the outage had directly affected their 
ability to care for patients.

    More than 2 weeks after the cyberattack was announced, the 
Department of Health and Human Services released a public statement and 
guidance related to the incident. On March 9th, the Centers for 
Medicare and Medicaid Services made accelerated and advance payments 
available to impacted Medicare providers. The administration's delay 
exacerbated an already uncertain landscape, leaving providers and 
patients with reasonable concerns about access to essential medical 
services and lifesaving drugs.

    While the February hack on Change was by far the most disruptive 
cyberattack on the health-care industry to date, it was certainly not 
the first. According to a report by the Federal Bureau of 
Investigation, the health-care sector experienced more ransomware 
attacks than any other critical infrastructure sector in 2023.

    In addition to the processing and revenue issues experienced by 
providers, patients' private identification and health-care information 
was obtained by malicious actors during the breach.

    Unfortunately, personal health-care data has become increasingly 
attractive to cybercriminals, who seek to use that information for 
blackmail or identity theft. For patients, the emotional and financial 
effects of leaked private information can have a devastating impact for 
years.

    Although many of Change's functions have now resumed, trust in the 
security of its platforms needs to be rebuilt. We owe it to American 
patients and to our front-line health-care providers, from health 
systems to clinicians to community pharmacies, to ensure that this does 
not, and cannot, happen again.

    Today's hearing offers a valuable opportunity to learn from 
United's experience so we can better protect against, and quickly react 
to, future cyberattacks. Gaining a deeper understanding of how the 
hackers infiltrated Change will help identify and address gaps in our 
existing cybersecurity infrastructure. Evaluating steps taken by United 
in response to the attack, from disconnecting its platforms to 
notifying law enforcement, will offer lessons on how to build a more 
resilient and collaborative health-care system moving forward.

    We must also assess the response of the Federal Government, which 
plays a critical role in these efforts. HHS has a responsibility to 
serve as a central hub for coordination, convening insights from other 
branches of government and the private sector to deploy timely 
information about active threats, as well as best practices to deter 
intrusions and resources should an attack occur.

    Thank you, Mr. Witty, for being here to discuss building a more 
secure, resilient and responsive health care system.

                                 ______
                                 
                   Submitted by Hon. Mark R. Warner, 
                      a U.S. Senator From Virginia
                      
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                  Submitted by Hon. Elizabeth Warren, 
                   a U.S. Senator From Massachusetts

                     Congress of the United States

                          Washington, DC 20515

                             April 29, 2024

The Honorable Gary Gensler
Chair
U.S. Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549

Dear Chair Gensler:

We write to request that the Securities and Exchange Commission (SEC) 
conduct an investigation of reports that ``UnitedHealth Group, Inc. 
Chairman Stephen Hemsley and three senior executives netted a combined 
$101.5 million from stock sales'' made over a 4-month period between 
the time when UnitedHealth officials reportedly learned of a Department 
of Justice (DOJ) antitrust probe of the company and when the probe was 
first publicly reported.\1\
---------------------------------------------------------------------------
    \1\ Bloomberg News, ``UnitedHealth Chair, Executives Sold $102 
Million in Stock Before US Probe Became Public.'' John Tozzi and Anders 
Melin, April 11, 2024, https://www.bloomberg.com/news/articles/2024-04-11/unitedhealth-unh-executives-sold-stock-before-us-probe-became-public.

The reports regarding these trades reveal a disturbing fact pattern, 
indicating that ``UnitedHealth Group . . . received notice on October 
10, 2023, of the Department of Justice (DOJ) `non-public antitrust 
investigation into the company,' according to a message distributed on 
October 24th by Rupert Bondy, an executive vice president and chief 
legal officer of UnitedHealth Group.''\2\ This investigation was first 
publicly reported on February 26, 2024,\3\ and appeared to be confirmed 
by other outlets soon after.\4\ UnitedHealth made no public 
confirmation of this investigation in its 2023 Annual Report or its 
most recent SEC filings.\5\
---------------------------------------------------------------------------
    \2\ The Examiner News, ``Justice Department Probing UnitedHealth/
Optum Over Antitrust Concerns; Local Layoffs Enacted, More Forecast,'' 
Adam Stone, February 26, 2024, https://www.theexaminernews.com/justice-department-probing-unitedhealth-optum-over-antitrust-concerns-local-layoffs-enacted-more-forecast/.
    \3\ Id.
    \4\ Wall Street Journal, ``U.S. Opens UnitedHealth Antitrust 
Probe,'' Anna Wilde Matthews and Dave Michaels, February 27, 2024, 
https://www.wsj.com/health/healthcare/u-s-launches-antitrust-investigation-of-healthcare-giant-unitedhealth-ff5a00d2.
    \5\ UnitedHealth, Q1 Form 8-K Related to Earnings Release, April 
16, 2024, https://www.unitedhealthgroup.com/content/dam/UHG/PDF/investors/2024/UNH-Q1-2024-Form-8K.pdf; 
UnitedHealth Group, ``UnitedHealthGroup Reports 2023 
Results,'' January 12, 2024, https://www.sec.gov/Archives/edgar/data/731766/000073176624000023/a2023q4exhibit991.htm.

But earlier this month, Bloomberg News reported that four top 
executives at UnitedHealth sold stock in the time period prior to the 
public reports of the investigation:

        On October 17th and December 5th, [UnitedHealth Chairman 
        Stephen] Hemsley exercised a portion of his stock options set 
        to expire in 2024. He sold the shares he'd acquired the same 
        day, netting him $84.9 million. . . . Brian Thompson, CEO of 
        the UnitedHealthcare insurance unit, on February 16th exercised 
        options and sold shares, netting him $15.1 million. . . . Days 
        later, Chief Accounting Officer Tom Roos sold shares worth 
        about $450,000. Chief People Officer Erin McSweeney on October 
        16th exercised options and offloaded shares for a net gain of 
        $1.09 million.\6\
---------------------------------------------------------------------------
    \6\ Bloomberg News, ``UnitedHealth Chair, Executives Sold $102 
Million in Stock Before US Probe Became Public.'' John Tozzi and Anders 
Melin, April 11, 2024, https://www.bloomberg.com/news/articles/2024-04-11/unitedhealth-unh-executives-sold-stock-before-us-probe-became-public.

The timing of these trades--which occurred between ``a week after 
[UnitedHealth] . . . reportedly received notice of the Justice 
Department probe, and . . . the day before Bloomberg News and others 
published stories about the investigation''--raises numerous 
questions.\7\ When UnitedHealth's stock value fell by 5.2 percent 
immediately after the published reports of the investigation, there was 
``no indication that the trades were executed according to scheduled 
trading plans in filings related to the transactions,'' and the trades 
occurred at a time when ``[t]ypically a company's general counsel would 
declare a blackout period barring trading in light of a sensitive 
investigation.''\8\
---------------------------------------------------------------------------
    \7\ Id.
    \8\ Id.

Federal law bars individuals from ``purchasing or selling a security 
while in possession of material nonpublic information'' \9\--in this 
case, reportedly, a DOJ investigation of the company. Violation of 
these laws may subject individuals to civil penalties ``three times the 
amount of the profit gained or loss avoided'' and criminal penalties up 
to $5,000,000 and 20 years imprisonment.\10\ Moreover, in addition to 
questions about these individuals' trades, if UnitedHealth was aware of 
this investigation and failed to disclose it in public filings, it 
raises concerns about whether the company has met the requirements of 
SEC's Regulation S-K rule.\11\ Given these concerns, we ask that the 
SEC conduct a review of this matter, including a review of:
---------------------------------------------------------------------------
    \9\ Insider Trading Sanctions Act of 1984, Public Law 98-376.
    \10\ 15 U.S.C. 78u-1; 15 U.S.C. 78ff.
    \11\ Securities and Exchange Commission, Regulation S-K (17 CFR 
part 229).

    (1)  Was the existence of a DOJ investigation of UnitedHealth a 
materially important matter, and if so, was it appropriately disclosed 
by company officials?
    (2)  Which individuals at UnitedHealth were involved in stock 
trades between the time that the company became aware of the DOJ 
investigation, and the time that this investigation became public?
    (3)  Were these trades made by individuals who had access to 
material, nonpublic information, and if so, did these trades represent 
a violation of insider trading law?
    (4)  Were these trades made under and consistent with any 10b5-1 
plans or any other trading plans that covered the individuals involved?
    (5)  Were the planned trades disclosed to and approved by 
appropriate individuals at UnitedHealth?
    (6)  Was the company at any time under a trading blackout period 
related to the investigation or its public reporting, and if so, were 
any trades made during this blackout period?

Thank you for your prompt attention to this matter.

            Sincerely,

Elizabeth Warren                    Jake Auchincloss
United States Senator               Member of Congress

Edward J. Markey                    James P. McGovern
United States Senator               Member of Congress

Ayanna Pressley                     Richard E. Neal
Member of Congress                  Member of Congress

Stephen F. Lynch                    Seth Moulton
Member of Congress                  Member of Congress

Lori Trahan                         Rashida Tlaib
Member of Congress                  Member of Congress

Katie Porter                        Summer Lee
Member of Congress                  Member of Congress

Patrick K. Ryan                     Mark Pocan
Member of Congress                  Member of Congress

Betty McCollum                      Pramila Jayapal
Member of Congress                  Member of Congress

Val Hoyle
Member of Congress
                  Prepared Statement of Andrew Witty, 
              Chief Executive Officer, UnitedHealth Group
                              introduction
    Good morning, Chairman Wyden, Ranking Member Crapo, and members of 
the committee. Thank you for the opportunity to testify here today. My 
name is Andrew Witty. I serve as chief executive officer of 
UnitedHealth Group, a health-care and well-being company founded 50 
years ago in Minnesota.

    Our mission is to help people live healthier lives and help make 
the health system work better for everyone. My colleagues include 
doctors, nurses, engineers, scientists--experts and caregivers in 
nearly every discipline of modern medicine.

    Together, we are working to help enable our health system's 
transition to value-based care and are empowering physicians and their 
care teams to deliver more personalized, high-quality care that 
delivers better outcomes at a lower cost.

    We pursue these objectives through our two distinct and 
complementary businesses, UnitedHealthcare and Optum.

    UnitedHealthcare provides a full range of health benefits, serving 
individuals, small businesses, large companies, labor unions, 
universities, and hospitals. More seniors choose our Medicare Advantage 
offerings, and more employers choose our benefits plans than any other 
company. And we partner with more than 30 States to serve individuals 
and families through Medicaid.

    Optum offers a full spectrum of health services, bringing together 
clinical expertise, technology and data to advance integrated, patient-
centered care; make clinical, administrative, and financial processes 
simpler and more efficient; and connect patient care across the 
continuum, including pharmacy, medical, and behavioral care.

    Change Healthcare is now part of Optum, and works across the health 
system to enable information, claims and payments to flow quickly and 
accurately between physicians, pharmacists, health plans, and 
governments.
                            today's hearing
    I appreciate the committee's interest in the recent cyberattack on 
Change Healthcare. The cyberattack was unprecedented, as the criminals 
who perpetrated it caused incredible disruption across the health-care 
system.

    From pharmacists having to manually submit claims to the rural 
family medicine practice struggling to make payroll--the impacts of an 
attack by organized criminals, no matter how temporary, were real.

    As a result of this malicious cyberattack, patients and providers 
have experienced disruptions and people are worried about their private 
health data. To all those impacted, let me be very clear: I am deeply 
sorry.

    From the moment I learned of the intrusion, I felt a profound sense 
of responsibility to do everything we could to preserve access to care 
and support our customers and clients. Our response and reaction to 
this attack has been grounded in three principles: to secure the 
systems; to ensure patient access to care and medication; and to assist 
providers with their financial needs.

    We have been working 24/7 from the day of the incident and have 
deployed the full resources of UnitedHealth Group on all aspects of our 
response and restoration efforts. I want this committee and the 
American public to know that the people of UnitedHealth Group will not 
rest--I will not rest--until we fix this.

    We know there is more to be done, and we appreciate the ongoing 
efforts of our customers, employees, and government partners--
especially CMS and HHS--who have offered great support as we continue 
these efforts together.

    Cyberattacks continue to increase in frequency and significance, 
with one analysis calculating that in 2023, cybercriminals collected an 
all-time high of over $1 billion in ransom.\1\ Our company alone repels 
an attempted intrusion every 70 seconds--thwarting more than 450,000 
intrusions per year. These criminals continue to adapt and develop more 
sophisticated and malicious methodologies, and they have increasingly 
targeted critical infrastructure, including schools, government 
agencies, and the health-care sector. These adversaries are willing to 
attack everything from community hospitals to pharmacies to networks 
like ours that enable the information exchange necessary to provide 
care.
---------------------------------------------------------------------------
    \1\ Chainalysis, The 2024 Crypto Crime Report, at 11 (February 
2024), https://bit.ly/49TCvQ5.

    I would not wish a cyberattack on anyone. That is one reason why, 
as chief executive officer of UnitedHealth Group, I have strongly 
committed our organization to work with law enforcement, policy makers, 
and industry participants to help prepare for and recover from the 
impact of the hundreds of other attacks that continue to be perpetrated 
across so many facets of America's critical infrastructure each year, 
and to collectively strengthen our cybersecurity resiliency to these 
evolving threats.
                         the ransomware attack
    On the morning of February 21st, a cybercriminal calling themselves 
ALPHV or BlackCat deployed a ransomware attack inside Change 
Healthcare's information technology environments, encrypting Change's 
systems so we could not access them.

    Our response was swift and forceful. Not knowing the entry point of 
the attack at the time, we immediately severed connectivity with 
Change's data centers to eliminate the potential for further infection. 
While shutting down many Change environments was extremely disruptive, 
it was the right thing to do.

    We secured the perimeter of the attack and prevented malware from 
spreading beyond Change to the broader health system.

    It worked. There has never been any evidence of spread beyond 
Change--not to any external environment and not to Optum, 
UnitedHealthcare, or UnitedHealth Group.

    Within hours of the ransomware launch, we contacted the FBI and 
remain in regular communication. We shared critical information, 
including details about the intrusion, the method of attack, Indicators 
of Compromise (IOC) and other information that would assist in their 
investigation. We are grateful for the FBI's work on this matter and 
the support they have provided, and we will continue to share 
information that will enable law enforcement to pursue, capture and 
bring these criminals to justice.

    We are working tirelessly to uncover and understand every detail we 
can, which we will use to make our cyber defenses stronger than ever. 
We are committed to sharing accurate answers safely, appropriately and 
responsibly.

    Cyber experts continue to investigate the incident. While we will 
learn more and our understanding may change, here's what I can share 
today. On February 12th, criminals used compromised credentials to 
remotely access a Change Healthcare Citrix portal, an application used 
to enable remote access to desktops. The portal did not have 
multifactor authentication. Once the threat actor gained access, they 
moved laterally within the systems in more sophisticated ways and 
exfiltrated data. Ransomware was deployed 9 days later.

    As we have addressed the many challenges in responding to this 
attack, including dealing with the demand for ransom, I have been 
guided by the overriding priority to do everything possible to protect 
people's personal health information.

    As chief executive officer, the decision to pay a ransom was mine. 
This was one of the hardest decisions I've ever had to make. And I 
wouldn't wish it on anyone.
                        protecting patient data
    As we continue our investigative efforts, we are also working to 
understand the full scope of impacted patient, provider, and payer 
information. As we have previously confirmed, based on initial targeted 
data sampling to date, we found files containing protected health 
information (PHI) and personally identifiable information (PII), which 
could cover a substantial proportion of people in America. So far, we 
have not seen evidence of exfiltration of materials such as doctors' 
charts or full medical histories among the data.

    Given the ongoing nature and complexity of the data review, it is 
likely to take several months of continued analysis before enough 
information will be available to identify and notify impacted customers 
and individuals, partly because the files containing that data were 
compromised in the cyberattack. Our teams, along with leading external 
industry experts, continue to monitor the internet and dark web to 
determine if data has been published.

    We will, of course, comply with legal requirements and provide 
notice to affected individuals, and have offered to our customers and 
clients to provide notice on their behalf where it is permitted. We are 
working closely with HHS's Office of Civil Rights to make sure our 
notice is effective, useful, and complies with the law.

    Rather than waiting to complete this review, we are providing free 
credit monitoring and identity theft protections for 2 years, along 
with a dedicated call center staffed by clinicians to provide support 
services. Anyone concerned their data may have been impacted should 
visit changecybersupport.com for more information.
                 our response and restoration progress
    We continue to make substantial progress in restoring Change 
Healthcare's impacted services, guided first and foremost by our 
commitment to protect personal information and the three principles I 
spoke of earlier: to secure the systems; to ensure patient access to 
care and medication; and to assist providers with their financial 
needs.
1. Securing the Systems and Restoring Them Safely
    As I noted, we promptly severed connectivity to the Change 
environments and established a perimeter, thereby quarantining the 
threat and preventing further damage.

    By the afternoon of February 21st, experts from Google, Microsoft, 
Cisco, Amazon, and others were en route to Change's Nashville Central 
Command Operations Center, where they joined security teams from 
Mandiant and Palo Alto Networks. We are exceedingly grateful for their 
support.

    Together with our Change Healthcare colleagues, they immediately 
began the around-the-clock and enormously complex task of safely and 
securely rebuilding Change Healthcare's technology infrastructure from 
the ground up. The team replaced thousands of laptops, rotated 
credentials, rebuilt Change Healthcare's data center network and core 
services, and added new server capacity. The team delivered a new 
technology environment in just weeks--an undertaking that would have 
taken many months under normal circumstances.
2. Ensuring Patients' Access to Needed Care
    We have prioritized our restoration efforts on systems and networks 
that are most critical to access to care: pharmacy, provider payments 
and claims.

    Pharmacy Services: So that we could ensure, as much as possible, 
continued access to medication, we immediately prioritized restoring 
our pharmacy networks to be certain that patients could get the 
prescriptions they needed. By March 7th, 99 percent of pre-incident 
pharmacies were able to process claims, and today, it is just a 
fraction of a percent below normal service levels.

    Medical Claims: Medical claims across the health system are now 
flowing at near normal levels as systems come back online or providers 
switch to other methods of submission. We realize there are a small 
number of providers who continue to be adversely impacted. We are 
working with them to find alternative submission solutions and will 
continue to provide them with financial support as needed.

    Payments: Payment processing by Change Healthcare, which represents 
about 6 percent of all payments, is at approximately 86 percent of pre-
incident levels and is increasing as additional functionality is 
restored.
3. Payer and Provider Support
    In the days after the ransomware attack, we worked quickly to find 
alternative channels or workarounds for payers and providers within the 
networks facilitating the near-instant transmission of information 
across the health system so that transactions could flow. This involved 
pushing volume to Change Healthcare's competitors to allow the system 
to regain functionality as quickly as possible, and we are grateful for 
their assistance.

    We also immediately recognized that many providers would be 
affected by the disruption in claims and payments flows, so we worked 
quickly to get funds into the hands of providers who need it. To this 
end, UnitedHealthcare accelerated more than a billion dollars in claims 
payments to immediately infuse providers with liquidity.

    For claims not covered by UnitedHealthcare, we set up a Temporary 
Funding Assistance Program offering no-cost, no-interest loans to any 
provider who needed it. We harnessed the strength of our nationwide 
payments network--the same network we used in 2020, during the 
pandemic--to disburse billions of dollars in a matter of days of 
Federal CARES Act funding to providers on behalf of HHS.

    As of last Friday, April 26th, UnitedHealth Group has advanced more 
than $6.5 billion in accelerated payments and no-interest, no-fee loans 
to thousands of providers. About 34 percent of these loans have gone to 
safety-net hospitals and Federally Qualified Health Centers that serve 
many of the patients and communities at the highest risk. While some of 
our early estimates of providers' potential gaps did not address their 
full need given our lack of visibility into their claims flow, we 
quickly adjusted.

    We are committed to providing this financial assistance for 
providers for as long as it takes to get their claims and payments 
flowing at pre-incident levels. If there are providers or payers in 
your States who need help, please put us in touch with them. We pledge 
to do everything in our power to fix their system or underwrite their 
cash flow, simple as that.
                            policy solutions
    The Change Healthcare attack demonstrates the growing need to 
fortify cybersecurity in health care. I look forward to working with 
policymakers and other stakeholders to bring our experience to bear in 
helping develop strong, practical solutions.

    We support mandatory minimum security standards--developed 
collaboratively by the government and private sector--for the health-
care industry. Importantly, these efforts must include funding and 
training for institutions that need help in making that transition, 
such as hospitals in rural communities.

    We also support efforts to strengthen our national cybersecurity 
infrastructure, including greater notification to law enforcement and 
standardized and nationalized cybersecurity event reporting.
                               conclusion
    In closing, I want to say again to all those impacted, I am deeply 
sorry.

    I also want to express my sincerest thanks to our customers, who 
along with so many of our colleagues, stepped up to help our health 
system continue to serve all who depend on it during this difficult 
time. And I would like to extend my appreciation to our partners in 
government and in the private sector for the tremendous assistance they 
have provided throughout.

    Fighting cybercrime is an enormous task and one that requires us 
all--industry, law enforcement, and policymakers--to come together.

    I look forward to answering your questions today and to sharing our 
learnings so that everyone can better protect themselves from future 
attacks.

                                 ______
                                 
           Questions Submitted for the Record to Andrew Witty
                 Questions Submitted by Hon. Ron Wyden
    Question. You testified that UHG had a policy, before the hack, 
requiring multifactor authentication for externally facing systems. You 
also testified that the server that was initially hacked did not have 
MFA enabled.

    Was that server in violation of your MFA policy, or did UHG's 
policy permit legacy external servers to not utilize MFA?

    Answer. UHG and Change Healthcare policies require MFA on external-
facing applications. We acquired Change Healthcare in an acquisition in 
late 2022. The server at issue was a legacy Change Healthcare server, 
and our team was working to bring this server up to UHG's standards.

    As Mr. Witty testified, UHG continues to strengthen its defenses 
against cyberattacks in significant ways, and we will continue to work 
to ensure that MFA is broadly deployed on externally facing 
applications. We seek to improve security controls over time through 
continuous monitoring and assessment, working in partnership with 
leading external cybersecurity firms such as PwC, TAG Cyber, and 
Mandiant to improve capabilities and enhance best practices.

    Question. Please detail the steps taken by UHG and Change 
Healthcare, prior to the hack, to plan for ransomware, including to 
ensure that the company could quickly restore IT services if the 
company needed to rebuild its infrastructure from scratch.

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. This framework includes an incident management and response 
program that continuously monitors the Company's information systems 
for vulnerabilities, threats, and incidents; manages and takes action 
to contain incidents that occur; remediates vulnerabilities; and 
communicates the details of threats and incidents to management, 
including the chief digital and technology officer and chief 
information security officer, as deemed necessary or appropriate.

    In particular, UHG, Optum, and Change Healthcare have numerous 
policies and procedures related to consumer privacy, cybersecurity, and 
incident response. For example, the Optum Cybersecurity Incident 
Response Plan is a guide to responding to security and privacy 
incidents. The plan sets forth roles and responsibilities and a 
framework for incident response comprising preparation; detection and 
analysis; containment, eradication, and recovery; and post-security 
incident activity.

    To ensure we are constantly assessing and improving our 
capabilities, we collaborate closely with key technology partners to 
mutually share information about cybersecurity threats and best 
practices. Additionally, we retain and employ services from external 
security firms to review our operating capabilities, enhance our 
strategic plans, and provide immediate, force-multiplying rapid-
response and forensics services.

    Question. Please identify the steps taken by UHG's board of 
directors, in the 2 years before the hack, to assess the company's 
exposure to ransomware, and to ensure that the company had mitigated 
this source of cyber risk.

    Answer. UHG has a deeply experienced board of directors who oversee 
the program and bring broad-based skills in risk management, including 
cybersecurity. UHG's Audit and Finance Committee oversees cybersecurity 
risks, and the members have experience with organizations that face 
significant cybersecurity risks.

    The UHG board stays up to date on the threat posed by ransomware, 
specifically, through recurring cybersecurity reports delivered by 
UHG's Enterprise Information Security (EIS) team. These reports 
emphasize the significance of the threat posed by ransomware attacks 
(particularly in relation to health-care organizations) and outline 
UHG's efforts to combat this threat in the areas of prevention, 
detection, and response. In addition, the Audit and Finance Committee 
covers cybersecurity as a topic at each regularly scheduled quarterly 
meeting.

    Mandiant now serves as an advisor to the Audit and Finance 
Committee of the board. Cybersecurity is already a standing agenda 
item, and Mandiant will have a seat at the table going forward for 
those discussions. Mandiant has a deep knowledge of the company, along 
with broad knowledge and visibility of threats facing the health-care 
industry.

    Question. Did the ransomware deployed against Change Healthcare's 
systems only infect systems running Microsoft Windows, or did it also 
infect systems running other operating systems?

    Answer. The ransomware deployed by the threat actor infected Change 
Healthcare's Windows and ESXi systems.

    Question. Did the hackers gain access to Change Healthcare's ``Tier 
0'' servers, including the company's Active Directory server, which is 
used to centrally manage accounts across an enterprise?

    If yes, please detail the steps the hackers took to gain access to 
and control of these high-value servers.

    Answer. The threat actor gained access to Change Healthcare's 
Active Directory server after using privilege escalation techniques.

    Question. In response to a question from the chairman about whether 
the hackers stole data pertaining to U.S. Government employees, Mr. 
Witty testified that ``what we've been able to identify is indeed that 
a substantial proportion of people across the country's data could be 
implicated here. We do believe there will be members of the armed 
forces and the veterans. . . .'' Mr. Witty also said he would 
prioritize providing in writing an assessment of the number of military 
personnel affected. It has been over a week since the hearing:

    How many Americans had their data stolen?

    How many U.S. Government employees had their data stolen?

    How many members of the U.S. military had their data stolen?

    What was the nature of the medical, financial, and other 
information stolen?

    Answer. Based on initial targeted data sampling to date, the 
company has found files containing protected health information 
(``PHI'') or personally identifiable information (``PII''), which could 
cover a substantial proportion of people in America. Based on this 
limited sampling, it appears that the exfiltrated data includes 
transactional claims data, which may involve details about treatments, 
payments, and balances. Any PHI or PII impacted by the cyberattack will 
likely vary by individual. For example, depending upon the 
circumstances, the data may include health insurance member numbers, 
diagnostic and treatment codes, and provider identities, as well as 
payments and balances. There may also be PII, such as full names, dates 
of birth, addresses, social security numbers, or other types of data. 
At this time, we have not seen evidence of exfiltration of more 
detailed materials like doctors' charts or medical histories among the 
data, which could change based on the ongoing investigation.

    Given the ongoing nature and complexity of the data review, it will 
take additional analysis before enough information will be available to 
identify specific impacted customers and individuals. UHG has deployed 
a team of internal and external experts to conduct a comprehensive 
analysis of the data involved in this cyberattack.

    Question. According to your testimony, ``On the morning of February 
21st, a cybercriminal calling themselves ALPHV or BlackCat deployed a 
ransomware attack inside Change Healthcare's information technology 
environments, encrypting Change's systems so we could not access 
them.'' That was over 12 weeks ago. Under the Health Insurance 
Portability and Accountability Act, Change Healthcare is responsible 
for notifying the Secretary (through the Office of Civil Rights breach 
portal) if it is a covered entity or the relevant covered entity or 
business associate of a breach within 60 days of the discovery of a 
breach.

    In your role as a covered entity and business associate, have you 
notified other covered entities or business associates?

    Have you notified the Secretary officially with a breach report as 
required by HIPAA? If not, by what date will UnitedHealth Group submit 
a breach notification to the Department of Health and Human Services 
Office of Civil Rights?

    By what date will UnitedHealth Group notify the millions of 
Americans impacted by this breach?

    Answer. UHG is continuing our discussions with the HHS Office for 
Civil Rights about how appropriate notice can be made to regulators, 
customers, and affected individuals, and OCR has been supportive of 
Change Healthcare's offer, on behalf of the covered entities, to take 
on the obligations to provide individual notification, regulatory 
notification, and media notification, consistent with applicable law.

    UHG is working as quickly as possible to develop a complete and 
accurate assessment of the individuals impacted by this cyberattack. 
Given the ongoing nature and complexity of the company's data review, 
the company expects that it will take additional analysis before enough 
information will be available to identify affected customers and 
individuals. UHG has deployed a team of internal and external experts 
to conduct a comprehensive analysis of the data involved in this 
cyberattack. The process of analyzing the dataset that was made 
available to the company by the FBI is complex and requires significant 
compute resources because it requires unpacking and unzipping many 
layers of files within the dataset in order to identify the individuals 
whose data may be impacted. This takes time, and it must be done 
extremely methodically. UHG is working as quickly and accurately as 
possible and will keep the committee and the public posted on its 
progress.

    UHG is not waiting to complete its data review and notifications--
the company is offering a robust set of protections and support 
services to any individual concerned that they are affected. These 
services include free credit monitoring and identity theft protections 
for 2 years and a dedicated call center that can connect individuals 
with trained clinicians. Any individual concerned that their data has 
been impacted should visit changecybersupport.com or call 
1-866-262-5342 to find more details regarding the support services that 
UHG is making available.

    Question. Beyond 2 years of credit and identity monitoring, what 
will UnitedHealth Group offer to compensate the patients who had their 
care disrupted and information stolen?

    Answer. In addition to free credit monitoring and identity theft 
protections for 2 years, UHG has also created a dedicated call center 
staffed by clinicians to provide support services. Any individual 
concerned that their data has been impacted should visit 
www.changecybersupport.com or call 1-866-262-5342 to find more details 
regarding the support services that UHG is making available.

    The company, along with leading external industry experts, 
continues to monitor the Internet and dark web to determine if data has 
been published. There were 22 screenshots, allegedly from exfiltrated 
files, some containing PHI and PII, posted for about a week on the dark 
web by a malicious threat actor. No further publication of PHI or PII 
has occurred at this time. To date, the company has not seen evidence 
of exfiltration of materials such as doctors' charts or full medical 
histories among the data.

    Furthermore, through Optum Rx, UHG notified network pharmacy 
partners and pharmacy associations that we would reimburse all 
appropriate pharmacy claims filled with the good faith understanding 
that a medication would be covered. For patients who could not use 
their coupons during the Change Healthcare outage, the company has been 
and will continue to contact those patients and honor their coupons to 
ensure that the patients are reimbursed for their out-of-pocket 
medication expenses.

    Question. Beyond Optum's Temporary Funding Assistance Program for 
Providers, what will UnitedHealth Group offer to compensate providers 
who have had to incur greater business expenses and worry because of 
this breach?

    Answer. The company's restoration and remediation efforts focused 
on protecting patients and helping providers, and the company made 
substantial efforts to ensure that any providers suffering from the 
impact of the attack are able to continue operating. As of May 15th, 
approximately $7 billion has been advanced to providers, with 34 
percent of the total funds getting routed to safety-net hospitals and 
Federally Qualified Health Centers serving many of the patients and 
communities at the highest risk. More than 14,000 unique Taxpayer 
Identification Numbers (TINs) have received funds through the temporary 
funding program.

    To the extent providers have incurred other costs associated with 
the attack, UHG is committed to reviewing their issues and working to 
resolve their concerns on a case-by-case basis.

    Question. Which external companies performed Change Healthcare's 
HITRUST audits over the past 5 years, and did these audits identify 
Change Healthcare's failure to use MFA?

    Answer. The HITRUST Framework (HITRUST CSF) provides a 
comprehensive approach to managing cybersecurity risks related to 
sensitive data and assuring regulatory compliance. Organizations across 
sectors use this common security framework to evaluate their security 
posture. UHG leverages the HITRUST CSF framework, among other things, 
to measure the company's standard of security maturity, prioritize 
future enhancements, and improve its security controls over time 
through continuous monitoring and assessment. UHG maintains HITRUST CSF 
certifications across many of its applications, including certain of 
Change Healthcare's systems. These standards provide sophisticated risk 
frameworks that UHG applies to many different aspects of its business. 
UHG works diligently and on an ongoing basis to implement these 
frameworks, including their risk management controls, and to ensure 
that its security protocols meet or exceed these standards. Both UHG 
and Change Healthcare have had regular assessments by external and 
internal parties.

    Question. Why was Change Healthcare's backup infrastructure not 
segregated from the rest of the company's infrastructure, which would 
have prevented the ransomware from also infecting the backup systems?

    Had this issue been identified by any previous audits?

    Answer. UHG had significant contingency and backup infrastructure 
across UHG's systems in place prior to the incident. Beyond backups, 
critical Change Healthcare services had redundancy across servers and 
across separate data centers. That redundancy is designed to ensure 
continuity of the service in the event a single server or single data 
center goes off line. The ransomware deployed by the threat actors 
affected many of Change Healthcare's systems. At the time of the 
incident, UHG was in the process of upgrading some of Change 
Healthcare's systems, including primary and redundant servers.

    To be clear, after the incident, Change Healthcare was able to use 
backups dated prior to the incident. Those backups were used to restore 
service in an environment that was newly built after the incident, in 
order to be certain that the new systems would be clean and safe for 
use by the company and clients. This took significant investment and 
effort across the UHG enterprise, as returning each service to 
production required key rotation, credential rotation, restoration, 
remediation, scanning by at least two different vendors, security 
testing, and validation.

    In a matter of weeks, UHG had replaced thousands of Change 
Healthcare laptops, rotated credentials, rebuilt the data center 
network and core services, and added new server capacity. UHG 
effectively built a brand-new functioning data center and workforce. In 
addition, UHG reissued around 11,000 clean devices to Change Healthcare 
employees and contractors, the majority of which were delivered 
globally over a 2-week period. At the same time, UHG was able to use 
Optum's back-up system to help some providers carry on without 
interruption. UHG also rerouted some clients to competitors after the 
incident and is now encouraging clients to have at least two 
alternative channels in case of any future interruptions.
               Questions Submitted by Hon. Chuck Grassley
    Question. Last month, I wrote to the Department of Health and Human 
Services Secretary Becerra regarding protecting critical infrastructure 
within the health-care sector. In that letter, I highlighted the need 
for a strong relationship between public and private partners to ensure 
the safety of U.S. critical infrastructure systems. I also inquired 
about legacy information technology systems. Cyberattacks on our 
health-care system not only have severe impacts on the United States 
economy but put lives at risk.

    Has UnitedHealth Group taken every available action to immediately 
remove memory safety risks in its IT and software?

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. This framework includes an incident management and response 
program that continuously monitors the company's information systems 
for vulnerabilities, threats, and incidents; manages and takes action 
to contain incidents that occur; remediates vulnerabilities; and 
communicates the details of threats and incidents to management, 
including the chief digital and technology officer and chief 
information security officer, as deemed necessary or appropriate.

    In particular, UHG, Optum, and Change Healthcare have numerous 
policies and procedures related to consumer privacy, cybersecurity, and 
incident response. For example, the Optum Cybersecurity Incident 
Response Plan is a guide to responding to security incidents. The plan 
sets forth roles and responsibilities and a framework for incident 
response comprising preparation; detection and analysis; containment, 
eradication, and recovery; and post-security incident activity.

    Question. My understanding is Change Healthcare touches one in 
three medical records in the United States. I would like to better 
understand how Change Healthcare stores and manages patient data.

    How does Change Healthcare manage and store patient data?

    Where is the data stored?

    Is it stored by a third party?

    At any point through processing, coding, storing, et cetera, is 
patient data ever sent overseas? Please be more specific than what you 
provided at the hearing.

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. UHG's framework allows the company to identify, assess, and 
mitigate the risks, and assists UHG in revising its policies and 
proactive safeguards to protect its systems and customer and patient 
information.

    UHG and its subsidiaries rely in certain circumstances on third-
party service providers to process, store, and transmit data and 
information. It may be stored on servers owned and managed by UHG or by 
third-party vendors, or in cloud services owned and managed by third-
party vendors.

    UHG requires third-party service providers to handle data and 
information in accordance with its data privacy and information 
security requirements and applicable Federal and State laws. U.S. 
customer data may be processed or accessed outside the United States in 
accordance with UHG's data protection policies. Accordingly, UHG 
engages with its third-party service providers to identify and 
remediate vulnerabilities, to monitor system upgrades to mitigate 
future risk, and to understand that the third-party service providers 
employ appropriate and effective controls and continuity plans for 
their systems and operations.

    Question. According to the Federal Bureau of Investigation, there 
were 249 ransomware attacks against the health-care industry in 2023.

    Has UnitedHealth Group experienced another cyberattack since 
February 21st? You indicated during the hearing you would have to get 
back to me, so please provide more specifics.

    Answer. We are not aware of another ransomware attack after the 
attack claimed on February 21, 2024 by the ALPHV/BlackCat Group.

    Question. Has any State or Federal agency asked you not to publicly 
discuss Blackcat/ALPHV's access to protected health information? If so, 
who?

    Answer. Within hours of the ransomware launch, we began cooperating 
closely with law enforcement, and we continue to work with State and 
Federal agencies to respond to the attack. We are not aware of any 
State or Federal agency asking any individual at UHG to withhold 
information from patients and providers about potentially compromised 
protected health information.

    Question. According to The Wall Street Journal, Blackcat/ALPHV was 
operating from February 12, 2024, to February 21, 2024, without any 
knowledge by Change Healthcare.

    How many days did Blackcat/ALPHV have access to protected health 
information?

    Answer. On February 12th, criminals used compromised credentials to 
remotely access a Change Healthcare Citrix portal, an application used 
to enable remote access to desktops or applications. Between February 
17-20, 2024, the threat actor exfiltrated protected health information 
from Change Healthcare's systems.

    Question. UnitedHealth Group said it will ``likely take several 
months of continued analysis before enough information will be 
available to identify and notify impacted customers and individuals.'' 
HIPAA Breach Notification Rules require that individuals be notified 
without unreasonable delay and at minimum within 60 days of the breach 
discovery.

    Why the delay?

    What do you expect patients potentially affected to do right now?

    Answer. UHG is continuing our discussions with the HHS Office for 
Civil Rights about how appropriate notice can be made to regulators, 
customers, and affected individuals, and OCR has been supportive of 
Change Healthcare's offer, on behalf of the covered entities, to take 
on the obligations to provide individual notification, regulatory 
notification, and media notification, consistent with applicable law.

    UHG is working as quickly as possible to develop a complete and 
accurate assessment of the individuals impacted by this cyberattack. 
Given the ongoing nature and complexity of the company's data review, 
the company expects that it will take additional analysis before enough 
information will be available to identify affected customers and 
individuals. UHG has deployed a team of internal and external experts 
to conduct a comprehensive analysis of the data involved in this 
cyberattack. The process of analyzing the dataset that was made 
available to the company by the FBI is complex and requires significant 
compute resources because it requires unpacking and unzipping many 
layers of files within the dataset in order to identify the individuals 
whose data may be impacted. This takes time, and it must be done 
extremely methodically. UHG is working as quickly and accurately as 
possible and will keep the committee and the public posted on its 
progress.

    UHG is not waiting to complete its data review and notifications--
the company is offering a robust set of protections and support 
services to any individual concerned that they are affected. These 
services include free credit monitoring and identity theft protections 
for 2 years and a dedicated call center that can connect individuals 
with trained clinicians. Any individual concerned that their data has 
been impacted should visit www.changecybersupport.com or call 1-866-
262-5342 to find more details regarding the support services that UHG 
is making available.

    Question. The Wall Street Journal reported that hackers were in 
Change Healthcare's network for more than a week before deploying 
ransomware, allowing the hackers to steal significant amounts of data 
from the company's systems. The cyberattack at Change Healthcare began 
on February 12, 2024.

    What day and time did you first learn of the cyberattack? Please be 
specific.

    Answer. On February 21, 2024, a threat actor deployed ransomware 
that encrypted numerous systems across the Change Healthcare 
environment. Responsibility for the attack was claimed by a criminal 
group known as ALPHV/BlackCat, working with an affiliate. That day, UHG 
detected the ransomware and took immediate action to mitigate the 
incident. This included quickly severing connectivity to Change 
Healthcare's systems to limit the threat of any further contamination 
by the threat actor.

    Question. Have you spoken to the Department of Health and Human 
Services Secretary Becerra about the cyberattack? If so, what day did 
you first speak with Secretary Becerra? Did the Federal Government 
respond timely to the cyberattack?

    Answer. Within hours of the ransomware launch, we began cooperating 
closely with law enforcement, and we continue to work with State and 
Federal agencies to respond to the attack. UHG was in contact with the 
Department of Health and Human Services (HHS) about this cyberattack no 
later than February 22, 2024, and our CEO, Andrew Witty, spoke with 
Secretary Becerra about the incident on March 11, 2024. The company has 
also been in contact about this incident with Federal agencies and 
other entities including the Cybersecurity and Infrastructure Security 
Agency (CISA), the National Security Council, the Department of 
Defense, and the Department of Veterans Affairs. UHG has been in 
contact with many other government agencies, and this may not reflect a 
complete list of all the contacts across the company.

    Question. My understanding is Change Healthcare touches one in 
three medical records in the United States.

    How many Americans' protected health information records were 
accessed by RansomHub? If you don't know the answer to this question, 
please provide a specific date when you will know.

    Answer. Given the ongoing nature and complexity of the data review, 
it will take additional analysis before enough information will be 
available to identify impacted customers and individuals. UHG has 
deployed a team of internal and external experts to conduct a 
comprehensive analysis of the data involved in this cyberattack.

    Question. This cyberattack has caused extensive disruptions not 
only to critical payments for providers in my State, but also to 
patients who are eagerly awaiting necessary treatments. The Washington 
State Hospital Association told me that they have significant concerns 
about their inability to process prior authorizations for procedures in 
the wake of this cyberattack. As a result of the cyberattack, many 
hospitals and health organizations were forced to switch to another 
system.

    This switch has caused significant delays in providing care. In 
many cases where care could not wait, providers have had to deliver it 
without prior authorization. If the authorization is not granted after 
the fact, providers are at risk of not being paid at all. All of this 
is happening while providers are stuck in the prior authorization 
process that United Healthcare requires them to use. While I appreciate 
your efforts in getting the system back to normal as soon as possible, 
you and I both know that patients, especially ones with serious 
conditions, do not have the luxury of waiting.

    Hospitals have continued to provide care for their patients even if 
they are unable to verify insurance eligibility or get the procedure 
authorized--because this is the right thing to do, and patients are 
counting on it. This does not only impact inpatient care. Many people 
are also having trouble picking up prescriptions, so they are forced to 
skip refills or pay with cash. As the fourth largest insurance company 
in the country that owns a pharmacy benefit manager occupying one-
quarter of the entire PBM market, United Healthcare has an obligation 
to ensure that no one falls through the cracks. People's lives are 
literally at stake.

    Will you commit to relaxing prior authorization requirements until 
the system goes back to normal?

    How will you ensure that providers who delivered care without prior 
authorization because they could not obtain it still get paid?

    What are you planning to do to ensure that patients receive the 
procedures and prescription drugs they need in a timely manner?

    Answer. In the aftermath of the cyberattack, UnitedHealthcare 
temporarily suspended prior authorization for its Medicare Advantage 
plans, including Dual Special Needs Plans, covering most outpatient 
services except for Durable Medical Equipment, cosmetic procedures, and 
Part B step therapies. UnitedHealthcare reinstituted prior 
authorization on April 15th.

    In the aftermath of the attack, UHG's priority was to ensure that 
people had access to the medications and care they needed. For that 
reason, through Optum Rx, UHG notified network pharmacy partners and 
pharmacy associations that the Company would reimburse all appropriate 
pharmacy claims filled with the good faith understanding that the 
medication would be covered.

    For providers, UnitedHealthcare waived or extended deadlines for 
timely filings and appeals for claim reimbursement that were affected 
by the Change Healthcare cyberattack. In addition to the temporary 
funding assistance offered to providers at no cost, UHG took these 
steps in order to support providers and pharmacies and ensure that 
patients continued to receive the care they needed in a timely manner.

    Question. Since the beginning of the COVID-19 pandemic, hospitals 
in my State have been facing steep financial losses and workforce 
shortages due to burnout. Even after the COVID-19 pandemic, providers 
are still struggling to regain their financial footing. According to 
the Washington State Hospital Association, hospitals in Washington 
State lost $3.8 billion during 2022 and 2023. That represents eight 
straight fiscal quarters of significant losses. This cyberattack on 
Change Healthcare does not help.

    My providers have expressed serious concerns about their inability 
to receive payments, and they are dealing with a serious lack of 
communication and clarity from UnitedHealth Group. When I spoke with 
you in my office, you said that not many providers are using the 
interest-free loans that United Healthcare offered, implying that the 
financial situation is not that bad.

    However, my providers' financial records paint a different picture. 
This demonstrates that providers are looking for financial stability 
and reassurance, not another creditor. Providing health care in the 
post-pandemic world is already strenuous enough without this 
disruption. United Healthcare has an obligation to ensure that 
hospitals can keep their doors open, and that doctors receive their 
reimbursements in a timely manner.

    Providers have expressed concern that they will not be reimbursed 
for procedures provided during the system outage as the prior 
authorization process United Healthcare mandates was also down. Will 
you commit to reimbursing providers and relaxing the prior 
authorization process during this difficult time so that providers have 
more financial stability?

    Will you commit to better communication with providers on the 
progress of Change Healthcare's system restoration and financial 
reimbursements?

    Answer. UnitedHealthcare temporarily suspended prior authorizations 
for Medicare Advantage plans, including Dual Special Needs Plans. The 
company also temporarily suspended prior authorizations for most 
outpatient services except for Durable Medical Equipment, cosmetic 
procedures, and Part B step therapies. UHC reinstituted prior 
authorization on April 15th. To the extent the company did not suspend 
prior authorizations for Medicaid and commercial plans, that is because 
the decision to do so lies with the plan sponsor (e.g., State 
governments and corporate customers), not the company.

    The company has been very active in its efforts to share helpful 
information about the financial assistance program to providers across 
the country. This outreach has included the launch of the Change 
Healthcare Cyber Response website on March 1st. This website is 
frequently updated and has received approximately 650,000 unique 
visitors and 2.3 million page views. The website also provides 
information regarding the company's Temporary Funding Assistance 
Program, allowing providers to check their eligibility and ask any 
questions they may have.

    The Temporary Funding Assistance Program that UHG is offering comes 
at no cost--UHG is advancing funds to providers experiencing cash-flow 
issues as a result of the outage. The program is open to any providers 
who have been affected by the attack, allowing those providers to apply 
to receive a zero-cost, zero-interest loan. This program was created 
within a week of the attack. It has two components: accelerated 
payments UHC made and no-cost, no-fee loans. As of May 15th, 
approximately $7 billion has been advanced to providers, with 34 
percent of the total funds getting routed to safety-net hospitals and 
Federally Qualified Health Centers serving many of the patients and 
communities at the highest risk. More than 14,000 unique Taxpayer 
Identification Numbers (TINs) have received funds through the temporary 
funding program.

    In addition, UHG also initiated regular calls with chief 
information security officers, providers, customers, and advocacy 
groups, which commenced on February 23rd. These calls were attended by 
thousands of people who have been given the opportunity to ask 
questions about the breach, restoration efforts, and funding 
assistance. The company launched a digital campaign to increase 
awareness of funding assistance and other resources available to 
providers, with over 200 million impressions to date. UHG prioritized 
outreach to small community, safety-net, and rural providers that are 
serving the most vulnerable communities and patients.

    To access temporary funding assistance, providers need to register 
and apply by entering their Tax Identification Number. They can then 
log in to their Optum Pay account to review and accept available 
funding. Providers will need to apply for funding each week. If the 
funds are insufficient to meet a given provider's needs or if they need 
help determining eligibility, they may submit a request through the 
temporary assistance inquiry form.

    Providers have 45 business days to repay any funds UHG advanced. 
The 45 business day window only opens after the provider attests or it 
is otherwise clear that its claims processing or payment processing 
services have resumed to normal levels. There are no requirements 
around arbitration, indemnification, or limitation of liability as a 
condition of accepting funds. Providers can access the program's full 
terms and conditions by signing into their Optum Pay account.

    Question. Change Healthcare's platforms touch about one in three 
U.S. patient records. The company processes 15 billion claims per year, 
totaling more than $1.5 trillion annually. UnitedHealth Group also owns 
its own pharmacy benefit manager and its own insurer that covers over 
49 million people in the U.S. It also owns Optum, which acquired or 
hired 20,000 physicians last year.

    A company as massive as yours must have top-notch data standards. 
Protecting patient medical data is essential. And yet I was disturbed 
to learn that this attack happened through a portal that did not even 
have multifactor authentication. Multifactor authentication is a basic 
security measure used by companies and other entities across the 
country--including here in the Senate.

    Will you commit to adding a multifactor authentication requirement 
across Change Healthcare's platforms?

    Do you agree that consolidation in the health-care industry 
increases the risk that cyberattackers will be able to gain access to 
more patient data within one attack?

    Do you agree that we need to implement minimum cybersecurity 
standards for health-care companies that receive Federal funding?

    Answer. UHG and Change Healthcare policies require MFA on external-
facing applications. We acquired Change Healthcare in an acquisition in 
late 2022. The server at issue was a legacy Change Healthcare server, 
and our team was working to bring this server up to UHG's standards.

    As Mr. Witty testified, UHG continues to strengthen its defenses 
against cyberattacks in significant ways, and we will continue to work 
to ensure that MFA is broadly deployed on externally facing 
applications. We seek to improve security controls over time through 
continuous monitoring and assessment, working in partnership with 
leading external cybersecurity firms such as PwC, TAG Cyber, and 
Mandiant to improve capabilities and enhance best practices.

    UHG has seen no evidence that Change Healthcare was attacked 
because it was part of UHG. Part of the impetus for the acquisition of 
Change Healthcare was to harness the incredible opportunity presented 
for everyone in our health-care system to innovate, to improve care, to 
reduce costs, and to reduce burden, but always with our obligations to 
protect that data top of mind.

    Once it acquired Change, UHG began the process of upgrading 
cybersecurity and information technology, to bring Change Healthcare up 
to UHG's cybersecurity standards. And in response to this attack, UHG 
harnessed its substantial resources to respond. These are the resources 
and the philosophy that underpinned UHG's remediation of HealthCare.gov 
back in 2013, and its distribution of CMS COVID emergency relief funds 
to care providers in 2020. UHG's acquisition of Change Healthcare thus 
helped ensure Change Healthcare was well-positioned to mitigate the 
effects of the cyberattack, and, going forward, will serve as the 
catalyst for improving Change Healthcare's cybersecurity infrastructure 
and protocols.

    UHG supports mandatory minimum cybersecurity standards for the 
health-care industry, including for (1) endpoint protections; (2) 
remote access, including MFA; and (3) perimeter controls including 
firewalls. The company also believes that these minimum standards 
should be coupled with funding to support small providers in their 
efforts to meet the standards, which will better protect the entire 
health-care ecosystem.

                Questions Submitted by Hon. John Cornyn

    Question. According to the FBI, in 2023 there were 249 ransomware 
attacks against the health-care and public-health sectors. This was the 
highest number of ransomware attacks reported by any critical 
infrastructure sector. These ransomware attacks show no signs of 
slowing down, which means the health-care industry must not only be 
working toward preventing these attacks, but also maintaining cyber 
resiliency should another attack occur. What I mean by cyber 
resiliency is continuing to efficiently provide services and restore 
business functions after any kind of cyberattack.

    Before the Change Healthcare cyberattack, how was UHG working with 
the Federal Government, including HHS and CISA, to maintain cyber 
resiliency should a cyberattack occur?

    Based on what you've learned from this attack, what additional 
tools from the Federal Government are needed to ensure better 
resiliency for the next cyberattack?

    Answer. Our security organization receives regular alerts about 
critical vulnerabilities and other publications about cybersecurity 
from CISA, the Health Information Sharing and Analysis Center (Health-
ISAC), and third-party security providers.

    Within hours of the ransomware launch, we began cooperating closely 
with law enforcement, and we continue to work with State and Federal 
agencies to respond to the attack. UHG was in contact with the 
Department of Health and Human Services (HHS) about this cyberattack no 
later than February 22, 2024. The company has also been in contact 
about this incident with Federal agencies and other entities including 
the Cybersecurity and Infrastructure Security Agency (CISA), the 
National Security Council, the Department of Defense, and the 
Department of Veterans Affairs. UHG has been in contact with many other 
government agencies, and this may not reflect a complete list of all 
the contacts across the company.

    The Change Healthcare attack demonstrates the growing need to 
fortify cybersecurity in health care. We support mandatory minimum 
security standards--developed collaboratively by the government and 
private sector--for the health-care industry. Importantly, these 
efforts must include funding and training for institutions that need 
help in making that transition, such as hospitals in rural communities. 
We also support efforts to strengthen our national cybersecurity 
infrastructure, including greater notification to law enforcement and 
standardized and nationalized cybersecurity event reporting. UHG is 
committed to working with policymakers and other stakeholders to bring 
our experience to bear in helping develop strong, practical solutions.

    Question. On April 22nd, UHG confirmed in a press release that 
``there were 22 screenshots, allegedly from infiltrated files, some 
containing protected health information (PHI) and personally 
identifiable information (PII) which could cover a substantial 
proportion of people in America.'' I understand UHG paid a ransom to 
protect this patient data from further disclosure; however, many Texas 
providers and hospitals remain skeptical and increasingly concerned 
that this data could still be released now or new data could be 
compromised in a future attack.

    Before this cyberattack, were there extra precautions and attention 
given to protecting millions of Americans' PHI and PII? If so, what was 
being done by UHG to protect this sensitive data?

    What plans are currently in place to protect the sensitive data of 
providers and patients from a future cyberattack?

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. This framework includes an incident management and response 
program that continuously monitors the company's information systems 
for vulnerabilities, threats, and incidents; manages and takes action 
to contain incidents that occur; remediates vulnerabilities; and 
communicates the details of threats and incidents to management, 
including the chief digital and technology officer and chief 
information security officer, as deemed necessary or appropriate.

    In particular, UHG, Optum, and Change Healthcare have numerous 
policies and procedures related to consumer privacy, cybersecurity, and 
incident response. For example, the Optum Cybersecurity Incident 
Response Plan is a guide to responding to security and privacy 
incidents. The plan sets forth roles and responsibilities and a 
framework for incident response comprising preparation; detection and 
analysis; containment, eradication, and recovery; and post-security 
incident activity.

    UHG has learned from the attack on Change Healthcare and is 
strengthening its defenses against cyberattacks in significant ways. 
The company has taken a number of steps to ensure that customers and 
patients feel confident with respect to Change Healthcare's security 
efforts moving forward, including accelerating efforts to integrate 
systems to UHG standards; bringing on Mandiant as a permanent advisor 
to the audit and finance committee of the board; and committing to 
sharing our learnings with partners in industry and government, 
consistent with maintaining applicable privileges.

    Question. Providers big and small have been hurt by this attack. 
But I am particularly concerned about the downstream effects for those 
serving our more vulnerable patient populations, like community health 
centers. Every single CHC in Texas was affected by this cyberattack 
because either they or their payers use the Change system for claims 
reimbursement.

    One health center in Texas was facing $14 million in outstanding 
claims at one point. Another CHC in my State had to eliminate dental 
services to make ends meet. This could have devastating impacts for the 
patients these centers serve.

    CHCs provide care to uninsured populations and already operate on 
thin margins. I've heard from health centers across Texas that the 
solutions and temporary relief options offered by Change were difficult 
to navigate and ultimately inadequate.

    Can you please walk us through the financial support options Change 
offered health centers and other safety-net providers in the face of 
this attack?

    How many providers took advantage of the financial support you were 
offering?

    Did those who passed on these support options give you a reason?

    What additional support can be provided to these types of providers 
who are still struggling financially from the impact of the hack?

    Answer. The company has been very active in its efforts to share 
helpful information about the financial assistance program to providers 
across the country. This outreach has included the launch of the Change 
Healthcare Cyber Response website on March 1st. This website is 
frequently updated and has received approximately 650,000 unique 
visitors and 2.3 million page views. The website also provides 
information regarding the company's Temporary Funding Assistance 
Program, allowing providers to check their eligibility and ask any 
questions they may have.

    The Temporary Funding Assistance Program that UHG is offering comes 
at no cost--UHG is advancing funds to providers experiencing cash-flow 
issues as a result of the outage. The program is open to any providers 
who have been affected by the attack, allowing those providers to apply 
to receive a zero-cost, zero-interest loan. This program was created 
within a week of the attack. It has two components: accelerated 
payments UHC made and no-cost, no-fee loans. As of May 15th, 
approximately $7 billion has been advanced to providers, with 34 
percent of the total funds getting routed to safety-net hospitals and 
Federally Qualified Health Centers serving many of the patients and 
communities at the highest risk. More than 14,000 unique TINs have 
received funds through this temporary funding program.

    In addition, UHG also initiated regular calls with chief 
information security officers, providers, customers, and advocacy 
groups, which commenced on February 23rd. These calls were attended by 
thousands of people who have been given the opportunity to ask 
questions about the breach, restoration efforts, and funding 
assistance. The company launched a digital campaign to increase 
awareness of funding assistance and other resources available to 
providers, with over 200 million impressions to date. UHG prioritized 
outreach to small community, safety-net, and rural providers that are 
serving the most vulnerable communities and patients.

    To access temporary funding assistance, providers need to register 
and apply by entering their Tax Identification Number. They can then 
log in to their Optum Pay account to review and accept available 
funding. Providers will need to apply for funding each week. If the 
funds are insufficient to meet a given provider's needs or if they need 
help determining eligibility, they may submit a request through the 
temporary assistance inquiry form.

    Providers have 45 business days to repay any funds UHG advanced. 
The 45 business day window only opens after the provider attests or it 
is otherwise clear that its claims processing or payment processing 
services have resumed to normal levels. There are no requirements 
around arbitration, indemnification, or limitation of liability as a 
condition of accepting funds. Providers can access the program's full 
terms and conditions by signing into their Optum Pay account.

    UHG created the financial assistance program within a week of the 
attack. The program provided advance payments from the beginning, and 
UHG never charged any fees, interest, or other associated costs for 
accessing funds. As UHG learned more information about the 
circumstances of affected providers and solicited feedback on the 
program, the company made changes to its funding program with the aim 
of helping providers. Based on feedback from providers and government 
partners in the early launch of the Temporary Funding Program, the 
company made several improvements: (1) removed some terms and 
conditions to simplify the process and expedite payments; (2) extended 
repayment periods; (3) increased funding amounts; and (4) increased 
communication/outreach efforts.

    The company's restoration and remediation efforts focused on 
protecting patients and helping providers, and the company made 
substantial efforts to ensure that any providers suffering from the 
impact of the attack are able to continue operating. This is why UHG's 
Temporary Funding Assistance Program is open to any providers who have 
been affected by the attack, allowing those providers to apply to 
receive a zero-cost, zero-interest loan. This includes last resort 
funding, which is available for providers who have exhausted all 
available options or are in the process of implementing workaround 
solutions, or who work with other payers who have opted not to advance 
funds. This funding mechanism is meant specifically for small and 
regional providers and safety-net and Medicaid providers and will be 
evaluated on a case-by-case basis.

    Question. Patients and providers are still waiting to hear exactly 
what protected health information (or PHI) has been implicated in this 
attack. The HIPAA breach notification rule requires that all covered 
entities and their business associates notify patients when there is a 
breach. This was of course an unprecedented attack within the health-
care industry which could have far-reaching implications across the 
country for patients and their data privacy.

    I have heard from providers who are concerned about the 
administrative burden that will be required to notify patients, when 
providers are already stretched thin from this attack. This will be 
even harder for providers serving harder-to-reach patient populations. 
Providers are also concerned about how this may negatively affect 
patient-provider relationships and trust when they themselves were not 
the ones breached.

    Is it true UnitedHealth is prepared to take on the responsibility 
of notifying patients on behalf of providers? What would that process 
look like exactly for providers?

    Should there be changes to this notification policy depending on 
which covered entities are actually the ones breached?

    Should HHS play a bigger role in helping to notify patients?

    Are you concerned about how this attack will affect patients' 
relationships with providers or UnitedHealth?

    Answer. To help ease reporting obligations on other stakeholders 
whose data may have been compromised as part of the Change Healthcare 
cyberattack, UHG has offered to make notifications and undertake 
related administrative requirements on behalf of any provider or 
customer where permissible. We are continuing our discussions with the 
HHS Office for Civil Rights about how these notifications can be made, 
and OCR has been supportive of Change Healthcare's offer, on behalf of 
the covered entities, to take on the obligations to provide individual 
notification, regulatory notification, and media notification, 
consistent with applicable law.

    As a company, we are thankful for the dedication and collaboration 
that HHS has offered since the early days of our response to this 
attack. We have met with HHS regularly to provide updates on 
restoration and to share information so that we could ensure no 
impacted group was left without support during the disruption.

    In terms of changes to the HIPAA breach notification policy and 
HHS's role in notifying affected patients, UHG stands ready to work 
with HHS and other governmental stakeholders on efforts to strengthen 
the health industry's cybersecurity and to streamline notification 
procedures to help ensure that cyberattack victims and government 
stakeholders coordinate and avoid duplicative notification efforts.

                 Questions Submitted by Hon. John Thune

    Question. As you referenced in your testimony, cyberattacks are 
becoming more serious and more frequent, despite the best efforts of 
the Department of Health and Human Services. It will take several 
months to understand the true scope of this cyberattack and realize how 
many providers and patients were impacted by this breach. Immediately 
after the cyberattack was discovered, you took your systems offline.

    Now that those systems are back up and running, what additional 
protections or recommendations have been implemented to improve the 
security of patients and providers' information?

    What assurances can you make to health systems across the Nation 
that your network is safe to connect to and UnitedHealth Group is safe 
to do business with?

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. This framework includes an incident management and response 
program that continuously monitors the company's information systems 
for vulnerabilities, threats, and incidents; manages and takes action 
to contain incidents that occur; remediates vulnerabilities; and 
communicates the details of threats and incidents to management, 
including the chief digital and technology officer and chief 
information security officer, as deemed necessary or appropriate.

    In particular, UHG, Optum, and Change Healthcare have numerous 
policies and procedures related to consumer privacy, cybersecurity, and 
incident response. For example, the Optum Cybersecurity Incident 
Response Plan is a guide to responding to security and privacy 
incidents. The plan sets forth roles and responsibilities and a 
framework for incident response comprising preparation; detection and 
analysis; containment, eradication, and recovery; and post-security 
incident activity.

    After the February 2024 cyberattack, UHG rebuilt the Change 
Healthcare systems from the ground up, on an entirely separate network, 
in order to be certain that the new systems would be clean and safe for 
use by UHG and its clients. This took significant investment and effort 
across the UHG enterprise, as returning each service to production 
required key rotation, credential rotation, restoration, remediation, 
scanning by at least two different vendors, security testing, and 
validation.

    Providers and others may request third-party documentation and the 
company's Assurance Safety Environment Statement via UHG's website, 
https://app.smartsheet.com/b/form/0e8c2383e0574728b00546fea0666be5.

                Questions Submitted by Hon. Bill Cassidy

    Question. United is already the largest employer of physicians in 
the country, and by all accounts United is continuing to buy physician 
practices. I am hearing a number of reports from providers that United 
has taken advantage of the crisis that the Change hack created to 
justify its purchases and acquire physician practices at a lower cost. 
As one example, Optum acquired the Corvallis Clinic in Oregon in a fire 
sale, in part, driven by the group's inability to meet its obligations 
because of the breach related cash-flow interruptions.

    Can you provide data on how many physician practices you have 
purchased or made an offer to purchase since the Change Healthcare 
breach?

    Answer. The company has the highest regard for the Corvallis Clinic 
in Oregon and is in close communication with the Oregon Health 
Authority. The Corvallis Clinic acquisition was announced and under 
review months before the Change Healthcare attack. The price of the 
transaction has not changed, and the transaction meets all of the 
regulatory requirements under Oregon law. The Oregon Health Authority 
viewed the transaction as an opportunity to stabilize and increase a 
struggling provider's ability to improve patient access and preserve 
primary care and specialty access in an important area. The Oregon 
Health Authority determined that there existed an emergency situation 
that immediately threatened health-care services, and that this 
transaction was urgently needed to protect the interest of consumers.

    With respect to other physician practices, neither UHG, nor any of 
its affiliates, have attempted--or will attempt--to use the cyberattack 
to develop a strategy for advancing any pending or future acquisitions, 
which includes a commitment not to use provider information from the 
temporary relief program to inform our corporate development strategy. 
This commitment covers the handful of physician practices we have 
purchased or made an offer to purchase since February 21, 2024.

    Question. United Health has proposed to buy Steward Health Care. 
Steward has faced serious financial difficulties in recent months 
impacting many hospitals around the country, including Glenwood 
Regional Hospital in my State. Deals like this are typically negotiated 
behind closed doors and have very troubling consequences for 
competition and consolidation in the health-care market.

    If the United-Steward deal goes through, do you commit to keeping 
Glenwood Regional and other impacted hospitals open, appropriately 
staffed, and setting them on a course for financial stability into the 
future?

    Answer. At the heart of Optum's interest in acquiring Stewardship 
Health (``Stewardship''), a physician group and subsidiary of Steward 
Health (``Steward''), is the potential that such a combination provides 
to grow value-based care models and continue improving health-care 
delivery to benefit patients. The proposed acquisition does not include 
Glenwood Regional or any hospitals, which are owned by Steward, not 
Stewardship.

    We understand the future of the Steward-owned hospitals is of 
paramount concern. We share the concern as the already strained 
hospital system impacts our current and future patients' ability to 
receive high quality care. As noted, because the potential combination 
does not and will not involve acquisition of hospitals, including 
Glenwood Regional, we defer to Steward for comment on any specific 
plans it might be considering.

    Question. I have heard from providers that although most of the 
systems are back online, providers still have reduced access to 
Electronic Remittance Advice (ERA) data, and limited access to 
explanation of benefits (EOB) and claim status. This has made it 
difficult for providers to accurately bill patients for services, and 
is leading to patients complaining to practices for incorrect billing.

    When does Change believe that the system will be fully functional 
in regards to obtaining past ERA and EOBs?

    Answer. UHG continues to make strong progress on restoring services 
impacted by the event. Indeed, 99 percent of pre-incident health-care 
systemwide volumes are flowing smoothly. This is because, in part, the 
company found other pathways--through the electrical grid that is our 
health-care system--for many payers and providers to move their claims 
and payments. With respect to UHG's business, the company has restored 
roughly 90 percent of Change Healthcare's functionality across major 
platforms and products. The remaining 10 percent includes products that 
impact smaller sets of customers and ancillary product features, like 
eligibility software and analytical tools. The company expects full 
restoration of other systems to be completed in the coming weeks.

    Question. As I said to you during the hearing, I have heard 
directly from several small independent practices in Louisiana which 
applied for short-term zero-interest loans from United and were denied. 
Both appealed and eventually received approval, but these were 
independent practices which could not absorb the cost of not being paid 
for months at a time.

    How many providers nationwide applied for loans through United?

    What percentage of those applications have been approved?

    What percentage of those applications had to go to appeal?

    What is the average size loan both in real dollars and as a 
percentage of amount requested?

    What is the average lag time between a provider applying for a loan 
and actually receiving a check?

    Answer. The Temporary Funding Assistance Program that UHG is 
offering comes at no cost--UHG is advancing funds to providers 
experiencing cash-flow issues as a result of the outage. The program is 
open to any providers who have been affected by the attack, allowing 
those providers to apply to receive a zero-cost, zero-interest loan. 
This program was created within a week of the attack. It has two 
components: accelerated payments UHC made and no-cost, no-fee loans. As 
of May 15th, approximately $7 billion has been advanced to providers, 
with 34 percent of the total funds getting routed to safety-net 
hospitals and Federally Qualified Health Centers serving many of the 
patients and communities at the highest risk. More than 14,000 unique 
TINs have received funds through this temporary funding program, and on 
average each TIN has accepted over $500,000. The funds are sent by 
electronic deposit, which takes 2-3 days. UHG has honored nearly every 
funding request made by a provider experiencing financial hardship.

    Question. You told me during the hearing that United would honor 
claims from providers who could not obtain prior authorization during 
the Change outage, even if those claims flowed through Change to other 
insurance companies.

    Please provide details of how that claim process will work and how 
providers seeking payment for claims should proceed.

    Answer. UnitedHealthcare will reimburse claims filed by providers 
who were not able to obtain prior authorization because of the Change 
Healthcare outage and who provided care with the good faith 
understanding that the care would be covered. UnitedHealthcare will not 
retroactively deny any claims submitted during the pendency of the 
Change Healthcare outage for services that would have normally required 
prior authorization. UnitedHealthcare was not in a position to suspend 
prior authorization for its Medicaid and commercial plans because the 
decision to do so lies with the plan sponsor, not UHC. Similarly, 
decisions regarding prior authorization for other health plans lie 
outside of UHG. Finally, through Optum Rx, UHG also has notified 
network pharmacy partners and pharmacy associations that we would 
reimburse all appropriate pharmacy claims filled with the good faith 
understanding that a medication would be covered.

               Questions Submitted by Hon. Sherrod Brown

    Question. United Health Group (UHG) owns and operates OptumRx, one 
of the largest pharmacy benefit managers (PBM)--making up 22 percent of 
the PBM market. In Ohio, numerous independent pharmacy owners have been 
forced to close their doors, many of whom attribute abusive practices, 
including the application of direct and indirect remuneration (DIR) 
fees by PBMs, as a primary reason. In 2023 alone, more than 300 
independent pharmacies closed across the country. And as I previously 
mentioned, which you acknowledged being aware of, over one-third of 
independent pharmacy owners and managers reported when surveyed that 
they were considering closing this year due to financial constraints. 
The Centers for Medicare and Medicaid Services (CMS) issued a final 
rule that would eliminate the retroactive application of DIR fees 
beginning in 2024, however these fees are still allowed to be applied 
at the point of sale.

    During the hearing, you clarified that--in line with CMS's 
regulation--OptumRx no longer retroactively applies DIR fees. In fact, 
you said that your PBM no longer utilizes DIR fees at all.

    Please clarify: does OptumRx currently apply DIR fees at the point 
of sale, or levy DIR fees at all against pharmacies?

    Please list the fees that OptumRx currently collects from 
pharmacies throughout the transaction process.

    Can you confirm that every reimbursement you provide to a pharmacy 
for filling and dispensing a prescription is sufficient to cover the 
pharmacy's costs for filling and dispensing the prescription? In other 
words, does OptumRx ever reimburse a pharmacy below cost for a script 
filled?

    Answer. The company complies fully with the recently enacted CMS 
rule that amended the definition of ``negotiated price'' to ensure that 
price concessions are applied uniformly and that the prices available 
to Part D enrollees at the point of sale are inclusive of all possible 
pharmacy price concessions. See 42 CFR 423 (effective January 1, 2024). 
In alignment with this regulation, Optum Rx does not retroactively 
impose DIR fees under Medicare Part D. To clarify further, it is 
correct that Optum Rx currently does not impose DIR fees at all.

    With respect to fees that Optum Rx currently collects from 
pharmacies, the company's contracts are the product of individual arms' 
length negotiations and the terms used to determine compensation, 
reimbursement, fees, or other consideration vary between contracts.

    Similarly, Optum Rx negotiates reimbursement rates with pharmacies 
for filling prescriptions on an individualized basis. These 
reimbursement rates vary based on formulary terms and contractual 
agreement and there is no one-size-fits-all approach. Optum Rx does not 
have any visibility into each pharmacy's total costs for filling and 
dispensing a prescription. Thus, the company does not have data to 
respond to questions about whether reimbursements cover overhead and 
other associated dispensing costs to pharmacies.

               Questions Submitted by Hon. James Lankford

    Question. Is there a specific timeline UHG has planned on outreach 
to and providing still-needed financial assistance to smaller 
providers?

    Answer. The company's outreach efforts have been, and will continue 
to be, robust. On February 22nd, the day following the criminal 
ransomware attack on Change Healthcare's systems, UHG publicly filed an 
8-K with the SEC and began communicating regularly with customers about 
the breach. UHG also initiated regular calls with chief information 
security officers, providers, customers, and advocacy groups, which 
commenced on February 23rd. These calls were attended by thousands of 
people who have been given the opportunity to ask questions about the 
breach, restoration efforts, and funding assistance offered by UHG.

    UHG prioritized outreach to small community, safety-net, and rural 
providers that are serving the most vulnerable communities and 
patients. UHG is providing financial assistance to smaller providers 
until they can resume regular business operations.

    In order to make providers who experienced disruption whole, UHG 
will continue to ensure that our interest-free, no-fee loan funding 
capacity remains available for smaller providers until the provider 
attests or it is otherwise clear that its claims processing or payment 
processing services have resumed to normal levels, as our temporary 
funding assistance program is the best way we can help providers 
overcome the disruption they have experienced as a result of the 
cyberattack.

    Question. Pharmacies and other providers affected by Change 
Healthcare's shutdown are obligated by HIPAA statute to notify patients 
when personal health information is compromised. How does United plan 
to notify providers and pharmacies of what PHI was compromised so these 
providers can meet their legal reporting obligations?

    Answer. To help ease reporting obligations on providers and 
pharmacies that may have data that was compromised as part of the 
Change Healthcare cyberattack, UHG has offered to make notifications 
and undertake related administrative requirements on behalf of any 
provider or customer where permissible. We are continuing our 
discussions with the HHS Office for Civil Rights about how these 
notifications can be made, and OCR has been supportive of Change 
Healthcare's offer, on behalf of the covered entities, to take on the 
obligations to provide individual notification, regulatory 
notification, and media notification, consistent with applicable law.

    Question. Have more advanced cybersecurity protections been put in 
place for UHG's many other subsidiaries in light of this attack?

    Answer. UHG has learned from the attack on Change Healthcare and is 
strengthening its defenses against cyberattacks in significant ways. 
The company has taken a number of steps to ensure that customers and 
patients feel confident with respect to Change Healthcare's security 
efforts moving forward including accelerating efforts to integrate 
systems to UHG standards; bringing on Mandiant as a permanent advisor 
to the audit and finance committee of the board; and committing to 
sharing our learnings with partners in industry and government, 
consistent with maintaining applicable privileges.

    Question. How will UHG make sure that safety-net providers like 
Community Health Centers do not continue to face fiscal uncertainty in 
the aftermath of the Change Healthcare cyberattack?

    Answer. The company has been very active in its efforts to share 
helpful information about the financial assistance program to providers 
across the country. This outreach has included the launch of the Change 
Healthcare Cyber Response website on March 1st. This website has been 
frequently updated and has received approximately 650,000 unique 
visitors and 2.3 million page views. The website also provides 
information regarding the company's Temporary Funding Assistance 
Program, allowing providers to check their eligibility and ask any 
questions they may have.

    The Temporary Funding Assistance Program that UHG is offering comes 
at no cost--UHG is advancing funds to providers experiencing cash-flow 
issues as a result of the outage. The program is open to any providers 
who have been affected by the attack, allowing those providers to apply 
to receive a zero-cost, zero-interest loan. This program was created 
within a week of the attack. It has two components: accelerated 
payments UHC made and no-cost, no-fee loans. As of May 15th, 
approximately $7 billion has been advanced to providers, with 34 
percent of the total funds getting routed to safety-net hospitals and 
Federally Qualified Health Centers serving many of the patients and 
communities at the highest risk. More than 14,000 unique TINs have 
received funds through this temporary funding program.

    To access temporary funding assistance, providers need to register 
and apply by entering their Tax Identification Number. They can then 
log in to their Optum Pay account to review and accept available 
funding. Providers will need to apply for funding each week. If the 
funds are insufficient to meet a given provider's needs or if they need 
help determining eligibility, they may submit a request through the 
temporary assistance inquiry form.

    Providers have 45 business days to repay any funds UHG advanced. 
The 45 business day window only opens after the provider attests or it 
is otherwise clear that its claims processing or payment processing 
services have resumed to normal levels. There are no requirements 
around arbitration, indemnification, or limitation of liability, as a 
condition of accepting funds. Providers can access the program's full 
terms and conditions by signing into their Optum Pay account.

    UHG created the financial assistance program within a week of the 
attack. The program provided advance payments from the beginning, and 
UHG never charged any fees, interest, or other associated costs for 
accessing funds. As UHG learned more information about the 
circumstances of affected providers and solicited feedback on the 
program, the company made changes to its funding program with the aim 
of helping providers. Based on feedback from providers and government 
partners in the early launch of the Temporary Funding Program, the 
company made several improvements: (1) removed some terms and 
conditions to simplify the process and expedite payments; (2) extended 
repayment periods; (3) increased funding amounts; and (4) increased 
communication/outreach efforts.

    The company's restoration and remediation efforts focused on 
protecting patients and helping providers, and the company made 
substantial efforts to ensure that any providers suffering from the 
impact of the attack are able to continue operating. This is why UHG's 
Temporary Funding Assistance Program is open to any providers who have 
been affected by the attack, allowing those providers to apply to 
receive a zero-cost, zero-interest loan. This includes last resort 
funding, which is available for providers who have exhausted all 
available options or are in the process of implementing workaround 
solutions, or who work with other payers who have opted not to advance 
funds. This funding mechanism is meant specifically for small and 
regional providers and safety net and Medicaid providers and will be 
evaluated on a case-by-case basis.

    In addition, UHG also initiated regular calls with chief 
information security officers, providers, customers, and advocacy 
groups, which commenced on February 23rd. These calls were attended by 
thousands of people who have been given the opportunity to ask 
questions about the breach, restoration efforts, and funding 
assistance. The company launched a digital campaign to increase 
awareness of funding assistance and other resources available to 
providers, with over 200 million impressions to date. UHG prioritized 
outreach to small community, safety net, and rural providers that are 
serving the most vulnerable communities and patients.

    Question. How do UHG and Optum plan to protect independent 
pharmacies in this particularly difficult time by working with them, 
not just the big chains, to make sure claims operations are set up and 
reimbursement is fair?

    Answer. Pharmacy support was the first area of focus when restoring 
systems, as the company wanted to ensure that people had access to the 
medications they needed. Through Optum Rx, UHG notified network 
pharmacy partners and pharmacy associations that we would reimburse all 
appropriate pharmacy claims filled with the good faith understanding 
that a medication would be covered. And for patients who could not use 
their coupons during the Change Healthcare outage, the company has been 
and will continue to contact those patients and honor their coupons to 
ensure that the patients are reimbursed for their out-of-pocket 
medication expense they incurred and thus made whole.

    UHG is committed to working with small and independent pharmacies 
to ensure their claim operations are fully restored and back online. As 
of late April, pharmacy claims services had returned to 99.8 percent of 
pharmacies. The small number of remaining pharmacies all either have 
restoration plans in progress or outreach has occurred.

    UHG regularly updates the public about product restoration efforts 
on its dedicated cyber response website, which may be found at 
http://www.uhg.com/changehealthcarecyberresponse. Our website lists all 
impacted systems, date of restoration or anticipated restoration, and 
the current status (uninterrupted/fully restored, partial service 
available, restoration in progress, and restoration date pending).

    Question. During the midst of Change's systems being down, did 
United decrease the number of claims that required prior authorization 
in order to decrease burdens on providers and patients, as CMS 
recommended?

    If so, what difference did it make?

    Will United consider removing prior authorization requirements for 
some services permanently as a lesson learned?

    Answer. In the aftermath of the Change Healthcare cyberattack, 
UnitedHealthcare temporarily suspended prior authorization for its 
Medicare Advantage plans, including Dual Special Needs Plans, covering 
most outpatient services except for Durable Medical Equipment, cosmetic 
procedures, and Part B step therapies. By taking these proactive 
temporary steps, UHG sought to ensure providers could continue to 
deliver patients the access to care and medications that they needed.

    UHG is committed to working with government and industry 
stakeholders to modernize the health-care system, including the prior 
authorization system. We are actively exploring new ways to address the 
challenges prior authorization is trying to address--namely, patient 
safety and minimizing waste in the system. Even prior to the Change 
Healthcare cyberattack, the company launched an effort to reduce our 
prior authorization codes across the company's business lines. We are 
committed to continuing to innovate and improve the timeliness and 
efficiency of our business to maximize patients' access to appropriate, 
evidence-based care.

    Question. Please explain your experience working with the FBI.

    How could they have helped you solve problems faster or have been 
more proactive?

    Answer. Within hours of the ransomware launch, we contacted the 
FBI, and we remain in regular communication. We shared critical 
information, including details about the intrusion, the method of 
attack, Indicators of Compromise, and other information that would 
assist in their investigation. We are grateful for the FBI's work on 
this matter and the support they have provided, and we will continue to 
share information that will enable law enforcement to pursue, capture, 
and bring these criminals to justice.

            Questions Submitted by Hon. Robert P. Casey, Jr.

    Question. As I mentioned during the hearing, there are significant 
risks when health-care and financial information are breached. For 
older adults--whose victimization from scams has skyrocketed in recent 
years--a data breach means even more of their information is available 
to scammers to use against them in the future.

    In addition to credit monitoring, how is UnitedHealth Group (UHG) 
assisting older adults whose data may have been captured in the breach? 
In particular, what advice or assistance is the company offering 
related to breached health data?

    Answer. In addition to free credit monitoring and identity theft 
protections for 2 years, UHG has also created a dedicated call center 
staffed by clinicians to provide support services. Any individual 
concerned that their data has been impacted should visit 
www.changecybersupport.com or call 1-866-262-5342 to find more details 
regarding the support services that UHG is making available.

    The company, along with leading external industry experts, 
continues to monitor the Internet and dark web to determine if data has 
been published. There were 22 screenshots, allegedly from exfiltrated 
files, some containing PHI and PII, posted for about a week on the dark 
web by a malicious threat actor. No further publication of PHI or PII 
has occurred at this time. To date, the company has not seen evidence 
of exfiltration of materials such as doctors' charts or full medical 
histories among the data.

    Question. You've noted that UHG is doing everything possible to 
minimize the possibility of personal health information being leaked.

    What specific activities is the company undertaking in pursuit of 
that goal? How is the company preventing further exploitation of 
protected health information (PHI) by bad actors?

    Answer. UHG is continuing to cooperate with law enforcement during 
the ongoing investigation. Minimizing the possibility of the 
exploitation of PHI remains highly important. UHG is actively 
undertaking many actions to this effect, including engaging with 
Mandiant as a permanent advisor to the Audit and Finance Committee of 
the board, working with leading external industry experts to monitor 
the web for signs of data disclosure, and offering free credit 
monitoring and identity theft protections to anyone impacted.

    Question. You also mentioned that UHG is offering free credit 
monitoring and identity theft protections for 2 years. However, once 
this data is out in the world, it has lasting implications. This is 
especially true for children's data that has been stolen. As I 
mentioned, this data can be a blank slate for cyber criminals to open 
up bank accounts and apply for loans, and often takes years for people 
to realize this has occurred.

    What long-term services does UHG plan to provide to ensure 
patients' health information, especially that of children, is not used 
against them in the years to come?

    Answer. Please see our response to your question above.

    Question. During the hearing, you addressed the majority of Finance 
members' concerns as United's ``top priority.'' I appreciate your 
willingness to engage as quickly as possible to resolve the challenges 
and security concerns for patients and providers alike. However, I 
would appreciate more clarity on what you mean by ``top priority.''

    Can you please elaborate on the concrete actions you are taking for 
each of the following, what their order of prioritization will be, and 
the timeline for each?

    The implementation of multifactor authentication across systems.

    Identifying patients harmed by the data breach.

    Identifying types of data breached.

    Ensuring providers have adequate cash flow or have received loans.

    Answer. UHG and Change Healthcare policies require MFA on 
external-facing applications. We acquired Change Healthcare in an 
acquisition in late 2022. The server at issue was a legacy Change 
Healthcare server, and our team was working to bring this server up to 
UHG's standards.

    As Mr. Witty testified, UHG continues to strengthen its defenses 
against cyberattacks in significant ways, and we will continue to work 
to ensure that MFA is broadly deployed on externally facing 
applications. We seek to improve security controls over time through 
continuous monitoring and assessment, working in partnership with 
leading external cybersecurity firms such as PwC, TAG Cyber, and 
Mandiant to improve capabilities and enhance best practices.

    Based on initial targeted data sampling to date, the company has 
found files containing protected health information (``PHI'') or 
personally identifiable information (``PII''). Given the ongoing nature 
and complexity of the data review, the company expects that it will 
take additional analysis before enough information will be available to 
identify affected customers and individuals. UHG has deployed a team of 
internal and external experts to conduct a comprehensive analysis of 
the data involved in this cyberattack.

    UHG obtained a data set that is safe for the company to access and 
analyze from the FBI weeks after the ransomware attack, so it took some 
time to be in a position to analyze the affected data. Further, this 
analytical process has to be done very methodically, and it requires a 
significant amount of time and compute resources to unpack and unzip 
all of the relevant files. UHG is following gold standard processes 
utilized by companies seeking to make reasonable and broad 
notifications, which take time. The company is working as quickly as it 
can, consistent with these standards, but does not yet have a specific 
date by when it expects the analysis will be complete.

    Rather than waiting to complete the data review, UHG is providing 
free credit monitoring and identity theft protections for 2 years, 
along with a dedicated call center staffed by clinicians to provide 
support services. Any individual concerned that their data has been 
impacted should visit www.changecybersupport.com or call 1-866-262-5342 
to find more details regarding the support services that UHG is making 
available.

    UHG created the Temporary Funding Assistance Program for providers 
within a week of severing connectivity to the affected Change 
Healthcare systems. The Temporary Funding Assistance Program that UHG 
is offering comes at no cost--UHG is advancing funds to providers 
experiencing cash-flow issues as a result of the outage. The program is 
open to any providers who have been affected by the attack, allowing 
those providers to apply to receive a zero-cost, zero-interest loan. 
And as of May 15th, approximately $7 billion has been advanced in the 
form of (1) accelerated payments UHG made and (2) no-cost, no-fee 
loans. Indeed, around 34 percent of these loans have gone to safety-net 
hospitals and Federally Qualified Health Centers serving many of the 
patients and communities at the highest risk. More than 14,000 unique 
TINs have received funds through the company's temporary funding 
program.

    For the loans provided under the program, UHG provides funds to any 
provider that is experiencing a shortfall in cash-flow as a result of 
the outage in the Change Healthcare systems. UHG initially calculated 
the loan amounts by attempting to predict the amount of cash a provider 
may need, but its efforts to do so were based on incomplete 
information, given that UHG does not have visibility of all funds 
flowing to any provider from across the entire health-care system. UHG 
therefore allowed providers to tell it how much money they required to 
meet shortfalls when they applied for loans. UHG then approved the 
amounts. For requests under a million dollars, UHG deposited funds into 
the providers' Optum-based accounts within hours. For larger requests, 
UHG's underwriters typically approved the amount within days.

    Question. How is UHG/Change Healthcare testing its rebuilt IT 
environment to ensure it is clear of vulnerabilities and safe to use 
following the cyberattack? When does the company expect it will be safe 
to resume use of the IT infrastructure?

    Answer. UHG rebuilt the Change Healthcare systems from the ground 
up, on an entirely separate network, in order to be certain that the 
new systems would be clean and safe for use by UHG and its clients.

    In a matter of weeks, UHG replaced thousands of Change Healthcare 
laptops, rotated credentials, rebuilt the data center network and core 
services, and added new server capacity. UHG effectively built a brand-
new functioning data center and workforce. In addition, UHG reissued 
around 11,000 clean devices to Change Healthcare employees and 
contractors, which were delivered globally over a 2-week period. At the 
same time, UHG was able to use Optum's back-up system to help some 
providers carry on without interruption. UHG also rerouted some clients 
to competitors after the incident and is now encouraging clients to 
have at least two alternative channels in case of any future 
interruptions. After this initial rebuild, the company quickly began 
relaunching services, with each product undergoing key rotation, 
credential rotation, restoration, remediation, scanning by at least two 
different vendors, security testing, validation, and more.

    Providers and others may request third-party documentation and the 
company's Assurance Safety Environment Statement via UHG's website.

    Question. You committed to delaying loan repayment deadlines until 
the backlog of claims has been cleared, regardless of time frame. You 
also noted that this would be determined by providers themselves.

    What concrete steps is UHG taking to communicate these 
flexibilities to providers? What will be the process for providers to 
determine their own timelines for repayment?

    Answer. UHG launched www.uhg.com/changehealthcarecyberresponse on 
March 1st, which has been frequently updated and has up-to-date 
information about the company's temporary funding assistance program. 
In addition, the company also launched a digital campaign to increase 
awareness of funding assistance and other resources available to 
providers, with over 200 million impressions to date.

    While we continue to make progress in mitigating the impacts of the 
cyberattack on Change Healthcare services, we understand that some 
providers are still affected as certain systems come back online. Our 
top priority has been to continue to provide the support providers need 
for as long as it takes to get their claims and payments flowing at 
pre-incident levels. We actively worked through the individual nature 
of the recovery. To provide continued financial assistance, we have two 
targeted waves of emails, new banner language alerting our flexibility 
to providers on our Temporary Funding Assistance Program (``TFAP'') 
landing page and our cyber response website. In addition, we have also 
reached out to have one-on-one verbal conversations with providers to 
ensure they are aware that we are not creating a one-size-fits-all date 
for repayment.

    We have taken a personalized approach to determining providers' 
funding requests and restoration efforts. In those one-on-one verbal 
conversations with providers we are communicating that we will work 
with them on a case-by-case basis so they can determine when their 
business is back to normal. We have no intention of asking for 
repayment until providers determine their business is back to normal. 
Once providers determine their business is back to normal we will work 
with each provider to determine when the 45 business days will start 
with no fees or interest.

    For additional information about the temporary funding process and 
applicable deadlines for providers' repayments, we encourage providers 
to complete an inquiry form on our website or call 1-877-702-3253.

    Question. You have stated multiple times that Change was a newly 
acquired system by UHG. You also noted that Change was already up and 
running when UHG acquired it, meaning there was no period of time in 
which Change did not interact with patient and provider data.

    What, if any, procedures does UHG have in place to ensure adequate 
cybersecurity for newly acquired systems, especially for those in a 
position to interact with providers and patient data?

    Answer. After an acquisition, UHG takes steps to apply UHG 
standards to the newly acquired entity's information technology and 
cybersecurity infrastructure. The same is true with Change Healthcare. 
Change Healthcare was a 40-year-old company with networks, products, 
and systems built on top of one another over the last 40 years. 
Addressing that layered infrastructure takes time. Following the close 
of the acquisition in October 2022, UHG began working to bring the 
legacy infrastructure Change Healthcare had in place in line with UHG's 
standards.

    UHG's Security Shield program is one method by which UHG works to 
improve the cybersecurity posture of newly acquired entities. Security 
Shield is a set of high-priority controls and best practices that UHG 
deploys to new acquisitions to bring them to a baseline level of 
security.

    Question. During the hearing, you mentioned that as of May 1st, UHG 
now has multifactor authentication on all external services.

    Can you clarify what this means, how you will verify these external 
systems are properly using multifactor authentication, and what steps 
you are taking for internal systems?

    Answer. UHG has a robust information security program with over 
1,300 people and approximately $300 million in annual investment. UHG 
successfully defends against attempted cyber intrusions every 70 
seconds--equal to more than 450,000 thwarted intrusions per year. UHG 
manages cybersecurity and data protection through a continuously 
evolving framework that accounts for the ever-changing cyberthreat 
landscape. This framework includes an incident management and response 
program that continuously monitors the company's information systems 
for vulnerabilities, threats, and incidents; manages and takes action 
to contain incidents that occur; remediates vulnerabilities; and 
communicates the details of threats and incidents to management, 
including the chief digital and technology officer and chief 
information security officer, as deemed necessary or appropriate.

    In particular, UHG, Optum, and Change Healthcare have numerous 
policies and procedures related to consumer privacy, cybersecurity, and 
incident response. For example, the Optum Cybersecurity Incident 
Response Plan is a guide to responding to security and privacy 
incidents. The plan sets forth roles and responsibilities and a 
framework for incident response comprising preparation; detection and 
analysis; containment, eradication, and recovery; and post-security 
incident activity.

    UHG and Change Healthcare policies require MFA on external-facing 
applications. We acquired Change Healthcare in an acquisition in late 
2022. The server at issue was a legacy Change Healthcare server, and 
our team was working to bring this server up to UHG's standards.

    As Mr. Witty testified, UHG continues to strengthen its defenses 
against cyberattacks in significant ways, and we will continue to work 
to ensure that MFA is broadly deployed on externally facing 
applications. We seek to improve security controls over time through 
continuous monitoring and assessment, working in partnership with 
leading external cybersecurity firms such as PwC, TAG Cyber, and 
Mandiant to improve capabilities and enhance best practices.

    Question. As a result of the cyberattack and its fallout, many 
providers went through the onerous task of switching clearinghouses, 
which is a costly and time-consuming process.

    Does UHG intend to reimburse providers for any charges, outside of 
those for patient care, they incurred due to the attack?

    Answer. The company's restoration and remediation efforts focused 
on protecting patients and helping providers, and the company made 
substantial efforts to ensure that any providers suffering from the 
impact of the attack are able to continue operating. This is why UHG's 
Temporary Funding Assistance Program is open to any providers who have 
been affected by the attack, allowing those providers to apply to 
receive a zero-cost, zero-interest loan. This includes last resort 
funding, which is available for providers who have exhausted all 
available options or are in the process of implementing workaround 
solutions, or who work with other payers who have opted not to advance 
funds. This funding mechanism is meant specifically for small and 
regional providers and safety net and Medicaid providers and will be 
evaluated on a case-by-case basis.

    To the extent providers have incurred other costs associated with 
the attack, UHG is committed to reviewing their issues and working to 
resolve their concerns on a case-by-case basis.

    Question. During the hearing, multiple Senators asked questions 
about Optum's provider network. You noted that UHG has 10,000 
physicians and contracts with an additional 80,000.

    How many of these physicians, contract or otherwise, currently 
practice in Pennsylvania?

    Answer. Optum's practices in Pennsylvania employ or contract with 
approximately 100 physicians (data current as of June 2024).

    Question. Due to the Change Healthcare cyberattack, I have heard 
from Rhode Islanders who have suffered due to the lack of redundancy 
and preparation by UnitedHealth Group (UHG). I've heard from a patient 
who experienced a 10-day delay getting their prescription filled and 
from a Providence mental health provider who did not receive a single 
payment from UHG's Optum insurer for over 2 months, leading them to 
miss payments on their mortgage and car. The financial strain nearly 
forced them to close their small practice. UHG, through Optum, 
established a temporary assistance program to extend short-term loans 
to affected health providers and organizations, yet our providers in 
Rhode Island still faced potential practice closures.

    What system redundancies does UHG plan to implement so patients and 
providers are not left without medications and payments in the 
future?

    Answer. To mitigate service disruptions, UHG offered Change 
Healthcare customers Optum alternatives for several key product areas 
including data analytics, risk coding, risk adjustment, claims 
submission, and compliance reporting. One example includes directing 
Change Healthcare claims clearinghouse customers to use Optum 
Intelligent Electronic Data Interchange (iEDI), a claims submission 
tool for providers. The iEDI claims submission portal allows a range of 
providers, from large health systems to independent family practices, 
to submit claims for reimbursement. Additionally, to support pharmacies 
impacted by disruption to Change Healthcare services such as MedRX, UHG 
rolled out the Optum Rx Pharmacy Portal. This portal assists pharmacies 
in the Optum Rx network with everyday tasks including claims status and 
history, and patient eligibility. UHG has also committed to reimbursing 
pharmacies for all pharmacy claims filled with the good faith 
understanding that a medication would be covered. For patients who 
could not use their coupons during the Change Healthcare outage, the 
company has been and will continue to contact those patients and honor 
their coupons to ensure that the patients are reimbursed for their out-
of-pocket medication expense they incurred and thus made whole. UHG 
also rerouted some clients to competitors after the incident and is now 
encouraging clients to have at least two alternative channels in case 
of any future interruptions.

    Question. UHG is the Nation's largest private health insurer and 
the largest employer of physicians. It ranks as the Nation's fourth-
largest company by revenue this year, with nearly 5 percent of gross 
domestic product flowing through UHG's systems each day. UHG's 
subsidiary, Change Healthcare, processes 40 percent of the Nation's 
medical claims. The February cyberattack froze payments, preventing 
hospitals and providers from being paid for weeks. With much of 
America's health system running through a single organization, 
thousands of hospitals and doctors are vulnerable to a single point of 
failure.

    Has the size of UHG in the U.S. economy made it a particular 
vulnerability to our health-care system?

    Answer. UHG's size and sophistication can make our health-care 
system less vulnerable to attack. Change Healthcare had aging 
infrastructure and legacy systems. At the time of the attack, we were 
in the process of upgrading cybersecurity and information technology, 
to bring Change Healthcare up to UHG's cybersecurity standards. Part of 
the impetus for the acquisition was to harness the incredible 
opportunity presented to our health-care system to innovate, to improve 
care, to reduce costs, and to reduce burden, but always with our 
obligations to protect individuals' data top of mind. In response to 
this attack, we harnessed the substantial resources of UHG to respond.

    We believe that our business model is helping to accelerate the 
transition from volume to value; moving beyond a transaction-based 
health system to a model that is designed to be proactive to help keep 
people healthy over the course of a lifetime. One that rewards high-
quality care, delivers better outcomes, and drives lower costs.

    The U.S. health system remains deeply fragmented and rooted in fee-
for-service models that put the burden of finding and navigating care 
squarely on the shoulders of the people who need help the most. The 
resulting lack of coordination too often results in less-than-optimal 
patient outcomes, higher mortality rates, poor patient experience, 
redundant care, and waste. UHG's integrated ecosystem enhances 
coordination and the quality of patient care.

           Questions Submitted by Hon. Catherine Cortez Masto

    Question. At the Finance Committee hearing on May 1st, Mr. Witty 
verbally committed to extending timely filing deadlines for 
UnitedHealthcare plans for any claims and appeals impacted by the 
Change Healthcare cyberhack and subsequent system outage.

    Please confirm in writing that UnitedHealthcare is committed to 
waiving or extending timely filing requirements for all affected 
providers utilizing Change Healthcare. Please specify which dates of 
service for claims and remittance dates will be included in 
UnitedHealth's waived or extended timely filing deadlines.

    What is the specific extension, in terms of calendar days from the 
date of service, that UnitedHealth will provide for claims submission?

    What are the specific extensions, in terms of calendar days from 
the original remittance date, that UnitedHealth will provide for claim 
resubmission, correction, and reconsideration?

    Answer. UnitedHealthcare waived timely filing requirements for all 
providers impacted by the Change Healthcare incident for any claims 
received starting February 15, 2024, for many UnitedHealthcare fully 
insured commercial, UnitedHealthcare Medicare Advantage, 
UnitedHealthcare community plans and UnitedHealthcare Individual 
Exchange plans, also referred to as UnitedHealthcare Individual and 
Family ACA Marketplace plans. Notably, for Medicaid plans, individual 
States determined the timely filing deadlines for their respective 
UnitedHealthcare community plans. The waiver does not apply to self-
funded commercial plans administered by UnitedHealthcare. Although 
overall claims flow into UnitedHealthcare returned to normal levels in 
mid-March, UHC kept these waivers of filing deadlines in place to 
provide additional relief to the system.

    Now that provider claims are flowing again, the company intends to 
resume timely filing requirements on June 15th. We will continue to 
proactively accommodate providers who have remained with Change 
Healthcare but have not returned to pre-incident claim submission 
volumes by ensuring that timely filing deadlines remain waived for 
those particular providers. UnitedHealthcare will also make clear to 
providers that they may contact their UnitedHealthcare relationship 
manager or a provider services help desk for additional support as 
needed.

    Question. The Change cyberattack has resulted in a significant 
administrative burden for providers.

    How does UnitedHealth Group plan to adequately compensate these 
providers for the incurred costs, particularly additional labor, that 
were essential to preserving their ability to deliver essential health 
services during the system outage?

    Answer. The company's restoration and remediation efforts focused 
on protecting patients and helping providers, and the company made 
substantial efforts to ensure that any providers suffering from the 
impact of the attack are able to continue operating. This is why UHG's 
Temporary Funding Assistance Program is open to any providers who have 
been affected by the attack, allowing those providers to apply to 
receive a zero-cost, zero-interest loan. This includes last resort 
funding, which is available for providers who have exhausted all 
available options or are in the process of implementing workaround 
solutions, or who work with other payers who have opted not to advance 
funds. This funding mechanism is meant specifically for small and 
regional providers and safety net and Medicaid providers and will be 
evaluated on a case-by-case basis.

    To the extent providers have incurred other costs associated with 
the attack, UHG is committed to reviewing their issues and working to 
resolve their concerns on a case-by-case basis.

    Question. In light of the Change service outage, what specific 
actions are being taken to facilitate the Indian Health Service's (IHS) 
recovery process? Additionally, how does UnitedHealth Group plan to 
ensure that Tribes are actively engaged and included in your assistance 
programs to alleviate the impacts of this outage?

    Answer. The Change Healthcare team responsible for managing IHS 
accounts engaged with IHS and provided temporary workarounds during the 
outage periods. We were in regular contact with the cyber security lead 
for IHS, providing regular updates, and also spoke directly with the 
IHS Chief Information Security Officer (CISO) as part of CHC's 
nationwide outreach to Federal agency CISOs. As with the rest of CHC's 
clients, services have been largely restored to CHC's IHS clients, with 
a small number of exceptions of IHS clients for whom we continue to 
work to restore connectivity. IHS clients have also received funding 
through the Temporary Funding Assistance Program.

    Question. Will UnitedHealth Group commit to providing notifications 
and offering credit monitoring services for all IHS patients affected 
by the Change outage?

    Answer. UHG is committed to providing reasonable and broad notice 
to IHS individuals whose data was affected by the Change Healthcare 
cyberattack. We are continuing our discussions with the HHS Office for 
Civil Rights about how these notifications can be made, and OCR has 
been supportive of Change Healthcare's offer, on behalf of the covered 
entities, to take on the obligations to provide individual 
notification, regulatory notification, and media notification, 
consistent with applicable law.

    Like any other individual concerned that they might be impacted, 
IHS patients are eligible for free credit monitoring and identity theft 
protections for 2 years. Any IHS patient can visit 
changecybersupport.com or call 1-866-262-5342 to find more details 
regarding the support services that UHG is making available.

    Question. Please provide a detailed timeline outlining when IHS can 
expect to receive precise information regarding the impact on patients 
and the extent of data compromised in the Change breach.

    Answer. UHG is committed to providing appropriate notice to 
affected individuals, including IHS patients. To help ease reporting 
obligations on other stakeholders whose data may have been compromised 
as part of the Change Healthcare cyberattack, UHG has offered to make 
notifications and undertake related administrative requirements on 
behalf of any provider or customer where permissible. We are continuing 
our discussions with the HHS Office for Civil Rights about how these 
notifications can be made, and OCR has been supportive of Change 
Healthcare's offer, on behalf of the covered entities, to take on the 
obligations to provide individual notification, regulatory 
notification, and media notification, consistent with applicable law.

    UHG is working as quickly as possible to develop a complete and 
accurate assessment of the individuals impacted by this cyberattack. 
Given the ongoing nature and complexity of the company's data review, 
the company expects that it will take additional analysis before enough 
information will be available to identify affected customers and 
individuals. UHG has deployed a team of internal and external experts 
to conduct a comprehensive analysis of the data involved in this 
cyberattack.

              Questions Submitted by Hon. Elizabeth Warren

    Question. Reports indicate that the Change hackers demanded a 
ransom payment of $22 million worth of Bitcoin--please confirm whether 
or not this was the case, and whether UHG was given any other options 
of payment platforms for the ransom payment.

    Answer. UHG paid the demanded $22 million ransom in Bitcoin. 
Because this is an active law enforcement investigation, we will not 
provide further comment. Additional questions should be directed to the 
involved law enforcement agencies, including the FBI.

    Question. Did UHG make this payment? If so:

    Have you been informed whether law enforcement was able to track the 
ransom payment along the Bitcoin blockchain?

    If so, what was the ultimate disposition of this payment?

    Answer. Please see our response to the previous question.

    Question. UHG is the largest corporate employer of physicians in 
the country, potentially in violation of certain State Corporate 
Practice of Medicine (CPOM) laws. Passed in the 19th century, these 
laws were intended to insulate health-care providers from outside 
forces that might seek to influence their clinical decision-making, 
prohibiting non-physicians, or lay entities, from owning 
provider practices. But today, State CPOM laws are largely unenforced 
and marred with loopholes, leaving provider practices vulnerable to 
corporate takeover. For example, to circumvent State CPOM laws, private 
equity firms and insurers, including UnitedHealth's provider subsidiary 
Optum, form management services organizations (MSOs) that contract with 
a physician practice to manage its billing and administration. Although 
the practice's clinical operations remain nominally owned by a licensed 
physician, the practice is often completely managed and operated by the 
MSO. As a result, providers are often forced to put corporate profits 
over the interests of their patients.

    What percentage of UHG's affiliated physicians work in physician 
practices that use UHG's MSO services?

    What are the common terms of the UHG physician agreements?

    What percentage of physician contracts include non-competes?

    What percentage include stock transfer restriction agreements?

    What percentage include non-disclosure or other gag clauses?

    What percentage include other provisions to restrict physicians' 
autonomy and control over the practice?

    Does the use of these terms differ between directly employed versus 
MSO affiliated physicians?

    Answer. Optum is proud to partner with independent, affiliated 
physicians. Optum employs roughly 9,000 physicians. Optum does not 
employ any contracted or affiliated physicians. These affiliated 
physicians contract with Optum's risk-bearing, independent practice 
association (IPA) entities, who in turn 
contract with health plans under a value-based risk contract. These 
affiliated physicians are independent of Optum, and Optum does not 
provide management services to any physician practices within Optum's 
IPA networks, except in the limited circumstances where the independent 
physician practices need assistance to manage risk contracts. Where we 
do provide affiliated physicians with MSO support, in order to assist 
them in managing risk contracts, these agreements are limited to 
providing claims administration, financial reporting, technology, and 
related support. Less than 3 percent of affiliated physicians receive 
MSO support from an Optum MSO. Optum holds no investment or ownership 
interest in such independent practices.

    Optum's model is to support physicians in a manner to allow them to 
focus on the patient, remove administrative burdens, and assist 
physicians with tools to help them move from fee-for-service to value-
based care. As it pertains to Optum's physician employment agreements, 
Optum does not use a single physician employment agreement form in 
every State that it operates. Rather, the physician employment 
agreements often are unique to each Optum practice and comply with each 
State's unique law.

    Physician employees of the Optum practices have access to a host of 
confidential, proprietary, and trade secret information related to the 
practice, and Optum requires physician employees to maintain the 
confidentiality of confidential, proprietary, and trade secret 
information. The confidentiality provisions in employment agreements do 
not prevent a patient from receiving their medical records under State 
law in the event their physician moves to another employer.

    Further, our physician employment agreements do not include stock 
transfer restrictions. Our employment agreements do not restrict a 
physician's autonomy or control over their practice of medicine.

    Question. Along with a bevy of vertically integrated subsidiaries, 
UHG employs or is affiliated with over 90,000 doctors--about 1 in every 
10 doctors in the country. And while you clarified in your testimony 
that UHG only directly employs roughly 10,000 out of those 90,000 
doctors, you have never disclosed how exactly the other 80,000 doctors 
are classified. Instead, in the hearing, you merely claimed that ``they 
choose to work with [UHG],'' without providing any details of their 
contracts.

    What percentage of employed or affiliated physicians contract only 
with UHG?

    What percentage of employed or affiliated physicians have non-
compete agreements? Please break down this percentage by physicians who 
are directly employed and those that are employed by an MSO affiliate.

    What percentage of directly employed physicians are required to 
take coding training courses? What percentage of affiliated doctors 
have risk-coding incentives in their contracts?

    How does Optum structure ownership and affiliation of physician 
practices? To what extent does it use a management services 
organization (MSO) to employ physicians directly?

    Are UnitedHealth insurance sales agents involved with Optum 
practices? If so, what are their roles and responsibilities? Do these 
roles and responsibilities include switching patients' coverage to 
UnitedHealth?

    How is UHG's ownership or affiliation of Atrius Health and Reliant 
Medical Group in Massachusetts structured?

    Answer. Optum is proud to partner with independent, affiliated 
physicians. Optum employs roughly 9,000 physicians. Optum does not 
employ any contracted or affiliated physicians. These affiliated 
physicians contract with Optum's risk-bearing, independent physician 
association entities, who in turn 
contract with health plans under a value-based risk contract. These 
affiliated physicians are independent of Optum.

    As the ``affiliated physicians'' are independent physician 
practices, Optum does not control with whom those practices contract. 
Affiliated physicians may also contract with other IPAs and contract 
directly with health plans. The contracts between Optum and the 
affiliated physicians are network participation agreements. None of the 
network participation agreements include non-competes.

    Optum physician practices are multipayer, meaning that they 
affiliate with other payers in addition to UnitedHealthcare. Our 
physician practices see patients that are covered by State, Federal, 
and commercial health-care plans. Optum's physician practices, as well 
as its independent practice associations that contract with Medicare 
Advantage plans, comply with CMS's Medicare Marketing Guidelines. 
UnitedHealthcare insurance sales agents are not involved in the 
management, operation, or business of Optum physician practices.

    Optum provides training to all its employed physicians, including 
training on the MA risk adjustment model, diagnosing, documentation, 
and coding, among other topics in accordance with Federal regulatory 
and coding accreditation guidance. Optum performs annual reviews of 
employed and affiliated physician incentives and does not approve risk-
coding incentives.

    Optum owns the management service organizations that provide the 
full scope of administrative, management, and support services to the 
Atrius Health and Reliant Medical Group physician practices. The 
structure of Optum's ownership and management related to Atrius Health 
and Reliant Medical Group is identical, consistent with Massachusetts' 
law, and were both submitted for review and approval by Massachusetts' 
Health Policy Commission and the Office of the Attorney General. As was 
disclosed to the HPC, both the Atrius and Reliant physicians retain 
their clinical practice autonomy and the arrangement with Optum 
supports the growth and expansion of each of the practice's unique care 
model, which delivers value to the patient through the provision of 
high-quality care at lower total medical expense.

    Please also see responses to the previous question.

    Question. Leveraging its vertically integrated structure, UHG can 
effectively keep much of its business in-house, sending payments from 
its insurance arm to its various provider subsidiaries. For example, in 
2023 alone, Optum received 62 percent of its total revenue from UHG's 
insurance arm. More broadly, UHG sent $138 billion--25 percent of its 
revenue--to its own subsidiaries in 2023.

    Has UHG ever been the subject of a transfer price-related audit by 
Federal regulators?

    A 2023 Wall Street Journal investigation revealed that UHG was 
significantly marking up drug prices at its vertically integrated 
specialty pharmacies, potentially in an effort to skirt Federal 
regulations capping insurers' profits. Does UHG send higher payments to 
its provider subsidiaries, including OptumRx, than independent 
providers?

    Answer. The WSJ article misrepresents important information, and we 
disagree in strong terms with the picture it paints. It is unclear to 
us how the calculations in the article were performed and how the 
highlighted drugs were chosen as a sample. The article also 
misunderstands some important fundamentals of the pharmaceutical supply 
chain. For example, the premise of the article is wrong: UnitedHealth 
Group does not set prices of any drugs or ``mark up'' drug prices; drug 
manufacturers set drug prices and Optum Rx (the pharmacy benefit 
manager) reimburses pharmacies for the drugs they dispense according to 
the reimbursement terms in pharmacy network contracts negotiated with 
those pharmacies. Optum Rx uses the same reimbursement approach for 
affiliated pharmacies as it does for comparable independent pharmacies. 
The article also incorrectly states that ``PBMs decide which medicines 
a patient's health plan will pay for and how much the patient will have 
to contribute to the cost, in the form of out-of-pocket expenses like 
deductibles and coinsurance.'' That is wrong; payers control plan 
design and make those decisions. And, as the company stated at the time 
the article was published, patients would pay less out-of-pocket using 
UnitedHealth insurance plans than they would buying 15 out of 20 drugs 
examined by the article through the Cuban pharmacy, and none of the 
drugs are frequently used by UHC's patient population. Our insurance 
business is subject to regular oversight and review by various State 
and Federal regulatory authorities to ensure that pricing is in 
compliance with applicable regulatory requirements.

    Question. UHG is the largest private insurer in Medicare Advantage 
(MA), and Federal regulators have found that your company has engaged 
in aggressive upcoding of MA enrollees--that is, making patients appear 
sicker than they actually are to secure higher payments from the 
Federal Government. Alarmingly, UHG's direct control of physicians 
indeed helps facilitate this gaming in MA, as UHG can pressure doctors 
and other health-care professionals to add extra diagnosis codes to 
their patients' medical charts.

    To what extent does UnitedHealth use chart reviews, health risk 
assessments, or other data analytic techniques to capture diagnoses for 
risk-adjusted payments under Medicare Advantage and value-based payment 
models?

    Does UnitedHealth require physicians to attend HCC coding 
trainings? Are physicians subject to discipline if they do not attend? 
Does UnitedHealth preference UHC patients when scheduling annual 
wellness visits?

    Does UnitedHealth establish goals or bonuses for physicians or 
other employees related to the use of chart reviews, health risk 
assessments, or other data analytic techniques to capture diagnoses for 
risk-adjusted payments under Medicare Advantage and value-based payment 
models?

    Answer. We strongly disagree with the suggestion that UHG was found 
to engage in upcoding. Our value-based care payment models use chart 
reviews and health risk assessment to identify where members might have 
health-care related gaps in care and to validate when those gaps in 
care have been addressed. UHG does not set bonuses based on the use of 
chart reviews, health risk assessments or other data analytic 
techniques for value-based payment models, although such information 
may be consulted when determining if quality targets have been 
achieved.

    Optum provides training to all its employed physicians, including 
training on the MA risk adjustment model, diagnosing, documentation, 
and coding, among other topics in accordance with Federal regulatory 
and coding accreditation guidance.

                                 ______
                                 
                 Prepared Statement of Hon. Ron Wyden, 
                       a U.S. Senator From Oregon
    This morning the Finance Committee examines the Change Healthcare 
hack that nearly brought the Nation's health-care system to a 
standstill 6 weeks ago. Joining the committee is Andrew Witty, the CEO 
of UnitedHealth Group, which owns Change Healthcare.

    I'll put things in perspective. Last year, UHG generated $324 
billion in revenue, making it the fifth largest company in the U.S. 
Overall, the company touches 152 million individuals across all lines 
of business: insurance, physician practice, home health, and pharmacy. 
With its profits, UHG has purchased dozens of other health-care 
companies and is the largest purchaser of physician practices. This 
corporation is a health-care leviathan.

    I believe the bigger the company, the bigger the responsibility to 
protect its systems from hackers. UHG was a big target long before it 
was hacked. The FBI says that the health-care industry is the number 
one target of ransomware. It's obvious why. Change Healthcare processes 
roughly 15 billion health-care transactions annually, and a third of 
Americans' patient records pass through its digital doors.

    Change specializes in moving patient data from doctor's office to 
doctor's office, or to and from your insurance company. That means 
medical bills that are chock-full of sensitive diagnoses, treatments, 
and medical histories that reveal everything from abortions to mental 
health disorders to diagnoses of cancer to sexually transmitted 
infections.

    Military personnel are included in this data. Leaving this 
sensitive patient information vulnerable to hackers, whether criminals 
or a foreign government, is a clear national security threat. I don't 
think it's a stretch to say the impact here rivals the 2015 hack of government 
personnel data from the Office of Personnel Management, which the FBI 
called a ``treasure trove'' of counterintelligence information for 
foreign intelligence services.

    UHG has not revealed how many patients' private medical records 
were stolen, how many providers went without reimbursement, and how 
many seniors were unable to pick up their prescriptions as a result of 
the hack. The failures of CEOs like Mr. Witty, who months in can't 
figure out how many people have had their data stolen, validate the 
FBI's warning.

    In the wake of the hack, United essentially disconnected Change 
from the rest of the health-care system. It took weeks for Change to 
get back online, leaving health-care providers in a state of financial 
bedlam. Doctors and hospitals went weeks delivering services but 
without getting paid. Insurance companies couldn't reimburse providers. 
Even today, key functions supporting plans and providers, including 
sending receipts for services that have been paid and the ability to 
reimburse patients for their out-of-pocket costs, are not back up and 
running.

    Small providers--particularly mental health providers--have been 
left holding the bag, stuffing envelopes with paper claims, and unable 
to get straight answers on how long the outage will last. And patients 
are bearing the brunt of it. Prescriptions went unfilled, patients were 
stuck at the hospital longer than needed, and Americans are still in 
the dark about how much of their sensitive information was stolen. The 
credit-monitoring service United offered these patients is cold 
comfort.

    The Change Healthcare hack is considered by many to be the biggest 
cybersecurity disruption to health care in American history. It is 
Exhibit A for my case that tough cybersecurity standards are necessary 
to protect critical infrastructure--and patients--in this country. HHS 
does not require health-care providers, payers, or health-care 
clearinghouses like Change to meet minimum cybersecurity standards, 
unlike industries regulated by other Federal agencies.

    Meeting a baseline of essential cybersecurity standards is a must, 
but is meaningless without equally strong enforcement. HHS has not 
conducted a proactive cybersecurity audit in 7 years. As it stands, if 
a company does not comply with existing cybersecurity regulations, the 
fines amount to nothing more than a slap on the wrist.

    Federal agencies need to fast-track new cybersecurity rules for 
Americans' private medical records, and Congress needs to watchdog this 
every day to make sure everything possible is done to protect patient 
data.

    Finally, the Change hack is a dire warning about the consequences 
of ``too big to fail'' mega-corporations gobbling up larger and larger 
shares of the health-care system. It is long past time to do a 
comprehensive scrub of UHG's anticompetitive practices, which likely 
prolonged the fallout from this hack. For example, Change Healthcare's 
exclusive contracts prevented more than one third of providers from 
switching clearinghouses, even though Change's systems were down for 
weeks.

    Accountability for Change Healthcare's failure starts at the top. 
Before this hearing, I asked UHG which members of its board have 
cybersecurity expertise. UHG pointed to NCAA president Charlie Baker, 
who signed some technology-related legislation into law years ago when 
he was Governor of Massachusetts. Mr. Baker is certainly an expert on 
basketball, but UHG needs an actual cybersecurity expert on its board.

    Mr. Witty owes Americans an explanation for how a company of UHG's 
size and importance failed to have multifactor authentication on a 
server providing open-door access to protected health information, why 
its recovery plans were so woefully inadequate, and how long it will 
take to finally secure all of its systems.

    I'm hopeful that today's hearing can mark the beginning of the 
Finance Committee's work to make meaningful improvements in America's 
cybersecurity on a bipartisan basis. I encourage all members to focus 
on the subject at hand. It's an important topic, and there is much to 
discuss.

                                 ______
                                 

                             Communications

                              ----------                              


                           Action for Health

                      3220 N Street, NW, Suite 150

                          Washington, DC 20007

                           +1 (202) 823-2333

                     https://www.action4health.org/

May 15, 2024

The Hon. Ron Wyden                  The Hon. Mike Crapo
Chairman                            Ranking Member
U.S. Senate                         U.S. Senate
Committee on Finance                Committee on Finance
221 Dirksen Senate Office Building  239 Dirksen Senate Office Building
Washington, DC 20510                Washington, DC 20510

Re: Statement for the Record: Full Committee Hearing, ``Hacking 
America's Health Care: Assessing the Change Healthcare Cyber Attack and 
What's Next,'' May 1, 2024

Dear Chairman Wyden and Ranking Member Crapo:

    Thank you for the opportunity to submit this statement for 
inclusion in the record for the Senate Finance Committee's recent 
hearing on the cyberattack against UnitedHealth Group's (``UHG'') 
Change Healthcare (``Change'').\1\ We applaud the Committee for probing 
this devastating and unprecedented breach that occurred on February 
21st. With more than 100 platforms operated by Change, including claims 
management services, offline for weeks on end, millions of patients, 
physicians, hospitals, and facilities have been left in the dark. This 
outage has been particularly crippling for our nation's healthcare 
professionals. According to a survey of physician practices published 2 
weeks ago by the American Medical Association:
---------------------------------------------------------------------------
    \1\ U.S. Senate Committee on Finance, Full Committee Hearing, 
``Hacking America's Health Care: Assessing the Change Healthcare Cyber 
Attack and What's Next,'' May 1, 2024, accessed: 
https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next.

        . . . [R]espondents report continuing issues with multiple 
        operations, despite UnitedHealth Group's announcements of 
        restored service: 60% continue to face challenges in verifying 
        patient eligibility; 75% still face barriers with claim 
        submission; 79% still cannot receive electronic remittance 
        advice; and 85% continue to experience disruptions in claim 
        payments.\2\
---------------------------------------------------------------------------
    \2\ American Medical Association, Survey, ``Change Healthcare 
cyberattack impact,'' April 29, 2024, accessed: 
https://www.ama-assn.org/system/files/change-healthcare-follow-up-survey-results.pdf.
---------------------------------------------------------------------------

Introduction

    My name is Christopher Sheeron, and I am founder and president of 
Action for Health.\3\ Action for Health is a national, non-profit 
advocacy organization. In all our work, we attempt to educate 
policymakers, the media, and concerned citizens about critical 
healthcare issues. Since our founding in February 2020, we have worked 
tirelessly to ensure fair outcomes for patients and their physicians.
---------------------------------------------------------------------------
    \3\ Action for Health, www.action4health.org.

    UHG's voracious appetite for vertical integration,\4\ coupled with 
its anti-competitive practices,\5\ is one of the most critical issues 
our nation's health care system faces today. As Senator Wyden stated, 
``. . . [T]he Change hack is a dire warning about the consequences of ``too 
big to fail'' mega-corporations gobbling up larger and larger shares of 
the health care system. It is long past time to do a comprehensive 
scrub of UHG's anti-competitive practices, which likely prolonged the 
fallout from this hack.''\6\ We could not agree more. Moreover, UHG's 
anti-competitive practices come on the backs of patients and physicians 
alike.
---------------------------------------------------------------------------
    \4\ Gist Healthcare, ``UnitedHealth Group hits a milestone in 
vertical integration,'' April 7, 2023, accessed: 
https://gisthealthcare.com/unitedhealth-group-hits-a-milestone-in-vertical-integration/.
    \5\ Rebecca Pifer, ``UnitedHealth under antitrust investigation by 
DOJ: reports,'' Healthcare Dive, February 28, 2024, accessed: 
https://www.healthcaredive.com/news/unitedhealth-antitrust-investigation-doj-unitedhealthcare-optum/708727/.
    \6\ Senator Ron Wyden, ``Wyden Hearing Statement on Change 
Healthcare Cyberattack and UnitedHealth Group's Response,'' May 1, 
2024, accessed: 
https://www.finance.senate.gov/chairmans-news/wyden-hearing-statement-on-change-healthcare-cyberattack-and-unitedhealth-groups-response.

    As your colleagues in the House Energy and Commerce Committee have 
also pointed out, ``Change Healthcare's platforms touch an estimated 
one in three U.S. patient records. Its systems process roughly 15 
billion transactions annually, and are linked to approximately 900,000 
physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals 
nationwide.''\7\ Change, owned by UHG through its Optum subsidiary, is 
just one of the corporation's many tentacles pervasive in U.S. health 
care.
---------------------------------------------------------------------------
    \7\ U.S. House Energy and Commerce Committee, ``Bipartisan E&C 
Committee Leaders Seek Answers from UnitedHealth Group on Change 
Healthcare Cyberattack,'' April 15, 2024, accessed: 
https://energycommerce.house.gov/posts/bipartisan-e-and-c-committee-leaders-seek-answers-from-united-health-group-on-change-healthcare-cyberattack.

    Not content with simply providing health insurance at increasing 
premiums each year, UHG now employs tens of thousands of physicians, 
manages pharmacy benefits, and maintains a vast array of health service 
and technology operations through OptumHealth, OptumRx, and 
OptumInsight, among other entities. UHG operates 35 different Change-
affiliated subsidiaries. In a staggering display of health care market 
dominance, as of December 31, 2023, UHG now owns and controls 2,206 
subsidiary companies.\8\
---------------------------------------------------------------------------
    \8\ UnitedHealth Group, Form 10-K, Exhibit 21.1, ``Subsidiaries of 
UnitedHealth Group Incorporated,'' 2023, accessed: 
https://www.sec.gov/Archives/edgar/data/731766/000073176624000081/unhex21112312023.htm.

    The latter part of the title for this Committee hearing stated, 
``What's Next.'' We believe that this Change cyberattack is the tipping 
point for a national, hard, and long-awaited examination into UHG. We 
submit, therefore, that the Senate's next step should be exploring ways 
to begin the process of breaking up the company. The Senate should also 
partner with the Department of Justice and Federal Trade Commission as 
they pursue their cross-government inquiry into ``corporations' 
increasing control over health care.''\9\
---------------------------------------------------------------------------
    \9\ U.S. Federal Trade Commission, ``Federal Trade Commission, the 
Department of Justice and the Department of Health and Human Services 
Launch Cross-Government Inquiry on Impact of Corporate Greed in Health 
Care,'' March 5, 2024, accessed: 
https://www.ftc.gov/news-events/news/press-releases/2024/03/federal-trade-commission-department-justice-department-health-human-services-launch-cross-government.

    The following comments support the need for a thorough examination 
of UHG following the Change cyberattack, and we hope you find them 
helpful.

Profiteering at the Expense of Patients and Physicians

    As the chart below depicts, on the day the Affordable Care Act 
(``ACA'') was signed into law, March 23, 2010, shares of UHG closed at 
$33.13 per share. At the end of the trading day yesterday, UHG's share 
price was $513.88. That represents a staggering appreciation in share 
value of 1,451% in just 14 years.

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    We have also overlaid on the stock chart above significant 
transactions completed by UHG that have fueled this share and earnings 
growth.

    In addition, as the chart below shows, UHG's revenue this year is 
estimated to grow to $398 billion, and then to more than $431 billion 
next year.


                                              Revenue/Earnings Data
                                              Revenue (Million USD)
----------------------------------------------------------------------------------------------------------------
                                                      1Q           2Q           3Q           4Q          Year
----------------------------------------------------------------------------------------------------------------
2025                                               E 106,628    E 107,353    E 107,580    E 109,461    E 431,022
2024                                                  99,796     E 99,998     E 98,833    E 100,118    E 398,745
2023                                                  91,931       92,903       92,361       94,427      371,622
2022                                                  80,149       80,332       80,894       82,787      324,162
2021                                                  70,196       71,321       72,337       73,743      287,597
2020                                                  64,421       62,138       65,115       65,467      257,141
----------------------------------------------------------------------------------------------------------------
Source: Paige Meyer, Stock Report, UnitedHealth Group, CFRA, May 11, 2024

Cyberattack and Anti-Competitive Behavior

    As if the cyberattack itself was not bad enough, UHG has also 
exploited a crisis it created to further its anti-competitive agenda. 
For example, UHG ``applied for an emergency exemption that would fast-
track its takeover of a medical practice in Corvallis, Oregon.''\10\ 
The Change cyberattack had left the practice with an empty bank 
account.
---------------------------------------------------------------------------
    \10\ Maureen Tkacik, ``UnitedHealth Exploits an `Emergency' It 
Created,'' The American Prospect, March 10, 2024, accessed: 
https://prospect.org/health/2024-03-10-unitedhealth-exploits-emergency-change-ransomware-oregon/.
---------------------------------------------------------------------------

Weaponization of the No Surprises Act

    Finally, we believe that UHG's vertical integration and anti-
competitive conduct have significantly eroded the No Surprises Act and 
its independent dispute resolution (IDR) process. For example, UHG was 
the non-initiating party in 36% of IDR claims in Q1 2023, which is the 
same percentage as the next three health insurance plans combined.\11\
---------------------------------------------------------------------------
    \11\ U.S. Centers for Medicare and Medicaid Services, ``Federal IDR 
Supplemental Tables for Q1 2023,'' accessed: 
https://www.cms.gov/nosurprises/policies-and-resources/reports.
---------------------------------------------------------------------------

Conclusion

    I attended Congress's first hearing on the Change cyberattack 
conducted by the Energy and Commerce Committee's Health 
Subcommittee.\12\ Your Committee's follow-up hearing was exemplary for 
its breadth, questioning, and accountability. We again applaud you and 
your colleagues for continuing to probe this situation, this time with 
UHG's CEO Andrew Witty.
---------------------------------------------------------------------------
    \12\ U.S. House Energy and Commerce Committee, Subcommittee on 
Health, Hearing, ``Examining Health Sector Cybersecurity in the Wake of 
the Change Healthcare Attack,'' April 16, 2024, accessed: 
https://energycommerce.house.gov/events/health-subcommittee-hearing-examining-health-sector-cybersecurity-in-the-wake-of-the-change-healthcare-attack. 

    Thank you again, Senator Wyden and Senator Crapo, for this 
opportunity to provide this statement for the record. If we can be of 
any assistance to you or your staff as you continue your important work 
to address not only health care competition and consolidation, but also 
UHG's unsustainable dominance of all levers of health care, please do not 
hesitate to contact me directly at (202) 823-2333.

Sincerely,

Christopher G. Sheeron
President

Cc: The Hon. Benjamin Cardin
    Chairman
    Subcommittee on Health Care

    The Hon. Steve Daines
    Ranking Member
    Subcommittee on Health Care

                                 ______
                                 
                 American Academy of Family Physicians

                1133 Connecticut Avenue, NW, Suite 1100

                       Washington, DC 20036-1011

                              202-232-9033

                           Fax: 202-232-9044

                     https://www.aafp.org/home.html

  Statement of Tochi Iroku-Malize, M.D., MPH, MBA, FAAFP, Board Chair

Dear Chairman Wyden and Ranking Member Crapo:

On behalf of the American Academy of Family Physicians (AAFP), 
representing more than 130,000 family physicians and medical students 
across the country, thank you for the bipartisan leadership in 
examining the impact of recent health care cyberattacks as part of 
today's hearing entitled ``Hacking America's Health Care: Assessing the 
Change Healthcare Cyber Attack and What's Next.''

On February 21, 2024, Change Healthcare, a UnitedHealth Group (UHG) 
company, experienced a severe cybersecurity attack that had far-
reaching implications for family physicians and other providers of 
health care services, impacting their ability to receive payments and 
perform everyday business functions that are essential to the delivery 
of care to patients. Since the cyberattack, the AAFP has been in close 
contact with UHG, as well as federal regulators who oversee public 
insurance programs and private payers impacted by the breach, with the 
goal of providing much needed support for our members.

The cyberattack disrupted multiple service lines at Change Healthcare 
and the effects are still being felt by health care delivery 
organizations across the country. The functions impacted by the Change 
Healthcare outage include everyday administrative tasks, such as 
confirming patient insurance eligibility, submitting electronic 
prescriptions, processing electronic prior authorizations, filing 
claims, and receiving payment for care they continue to provide. While 
large health care organizations with significant administrative/
technology staff and substantial financial reserves may have weathered 
this storm, small physician-owned practices are in an entirely 
different situation--particularly primary care practices that 
frequently operate on razor thin margins in the best of times.

We are more than 2 months removed from the initial cyberattack and the 
situation on the ground for many small practices has worsened over 
time. The AAFP continues to receive desperate inquiries from family 
physicians across the country who are reaching the point of possible 
practice closure. They are describing their current situation as 
``worse than COVID.'' During COVID, we saw practices temporarily 
closing--not providing patient care and not being reimbursed for 
services. Today, we see practices continuing to care for patients, but 
their revenues are reduced to a fraction of their normal cash flow 
prior to the attack. So, while caring for patients, physicians are 
faced with deciding which bills to prioritize, which creditors to 
negotiate with, and what they personally can go without due to the 
sudden and unexpected loss of revenue. These practices are struggling 
due to failures of systems that are beyond their control.

UHG responded quickly offering remedies that include service 
workarounds and interest-free temporary funding programs, both of which 
are administratively complex requiring valuable staff and/or physician 
time. UnitedHealthcare, the insurance subsidiary of UHG, also stepped 
up early in the aftermath of the attack to offer advanced payments to 
practices based on their average payment level before the attack. The 
AAFP directly, or indirectly through its chapters, asked that other 
national and regional private payers do the same and offer advanced 
funding to practices that were continuing to deliver care to their 
patients without receiving payment through normal channels. Of note is 
that the payers were not financially harmed by this incident as their 
ability to receive payments from their customers was largely 
unaffected. What we understand from our conversations with national 
payers and the input we receive from family physicians across the 
country is that the response from payers has been very inconsistent. 
Many of our members have not benefitted from the outreach of payers 
they contract with seeking to remedy the situation created by the 
payers' reliance on Change Healthcare.

Unfortunately, the efforts of Change Healthcare, UHG, and others, 
including the Centers for Medicare and Medicaid Services (CMS), have 
not been sufficient to be truly helpful to all--especially small, 
physician-owned primary care practices. The ongoing nature of this 
disruption is creating revenue challenges that are particularly 
troublesome for these practices that operate on very thin margins. The 
expectation that these practices would be staffed and equipped to 
simultaneously implement workarounds, negotiate with creditors to 
navigate the sharp downturns in revenue, and/or file for temporary 
funding while continuing to care for patients is unrealistic and 
unfortunate.

Described below are a few examples from family physicians to illustrate 
how this situation has intensified for small, physician-owned 
practices.

        A family physician in Oregon noted that, since they have not 
        received any income for more than 6 weeks, the practice has 
        been forced to leverage its cash reserves to continue caring 
        for patients. As the situation has become more dire, she turned 
        to her own personal savings to stay afloat.

        A family physician from Colorado described challenges 
        associated with maintaining payroll. As a small practice, their 
        financial well-being is based on weekly collections, and they 
        generally have one week's worth of backup to pay weekly bills. 
        Over the past 6 weeks, the practice was forced to manage their 
        reserves on a daily basis and to prioritize vendors to pay 
        until their income cash flow normalizes. This physician also 
        noted that the local accountable care organization has been 
        supportive over the past 6 weeks, but there was no outreach 
        from local payers.

        A family physician from South Dakota described financial losses 
        reaching $200,000 and has struggled to maintain payroll with 
        the limited financial assistance they have received from 
        private payers.

        A family physician in Texas described the challenge with 
        securing financial assistance from Change Healthcare. After 
        applying for financial support, they still had not heard back 
        when they contacted us in early April. This member noted that 
        his clinic is at risk of shutting down, leaving their patients 
        without immediate access to care.

        A family physician in Alabama describes scaling back staff 
        hours in order to manage expenses and maintain sufficient 
        operations. When they contacted us, they were only receiving 
        $220 a week in temporary financial assistance, which is 
        insufficient for meeting basic expenses such as payroll and 
        utilities.

Change Healthcare has said repeatedly they have workarounds in place, 
have restored some services, and are working to restore full 
functionality to all service lines. They have also acknowledged that, as 
the backend technology support for multiple service lines that primarily 
connect to payers and/or other technology providers comes online, 
restoring service initiates a chain of events that require others to 
act in order to restore full functionality for practices. This can 
explain why family physicians report to us that practice disruptions 
are continuing. Some examples of this include administratively 
burdensome workarounds, implementing manual mechanisms in cases where 
workarounds don't work, and, in many cases, leaning on outside sources 
of financial assistance or forgoing their own compensation in order to 
maintain adequate operations. Some members have even reported shifting 
away from electronic claims submission to utilizing antiquated paper 
claims that further delay payments. There still is not wide-scale 
national health care interoperability despite HIPAA and billions 
invested under the Health Information Technology for Economic and 
Clinical Health Act. This lack of interoperability coupled with 
consolidation has resulted in a health care system that is not 
resilient in light of this, and future cyberattacks to come.

There are several things the AAFP has learned during this cyberattack. 
As the committee examines the effects of this incident, below are items 
we offer for your consideration:

      Improve ease of access and affordability of cybersecurity 
insurance, especially for small physician-owned practices. While cyber 
insurance is available to protect small business against losses 
stemming from a cyberattack, our members report burdensome requirements 
that must be met to be eligible for such coverage. These requirements 
present significant challenges for small physician practices that are 
already facing substantial burdens, such as prior authorization 
requests, electronic health record documentation, coordinating care 
across clinicians, and contracting with multiple payers. Should the 
practice be able to meet these requirements, they are still faced with 
expensive premiums.

      Work is needed to understand and fortify the resiliency of our 
nation's health care infrastructure. Many of the workarounds put in 
place by Change Healthcare were developed and tested in real-time. For 
other companies vulnerable to similar attacks, it is necessary to 
understand what contingencies are in place amongst payers and vendors 
in the event that cyberattacks of similar scale and scope are realized 
in the future.

      Address the impacts of industry consolidation and lack of 
oversight on the health care infrastructure that supports delivering 
care to patients, especially those related to administrative functions 
that do not improve the quality or value of care for patients. Much of 
the nation's health care system is reliant on a small number of 
companies, such as Change Healthcare, providing these services. Their 
medical network completes 15 billion transactions each year, 
representing $1.5 trillion in health claims. With one in three patients 
being impacted and almost $14 billion in claims being affected, we urge 
Congress to closely examine how this kind of consolidation impacts the 
overall health system from the perspective of all stakeholders, 
including patients and the physicians who care for them.

We appreciate the committee exercising its authority to understand the 
real impacts of this cyberattack. For more information about the AAFP's 
efforts, please contact David Tully, Vice President of Government 
Relations at [email protected].

Sincerely,

Tochi Iroku-Malize, M.D., MPH, MBA, FAAFP
Board Chair

Founded in 1947, the AAFP represents 130,000 physicians and medical 
students nationwide. It is the largest medical society devoted solely 
to primary care. Family physicians conduct approximately one in five 
office visits--that's 192 million visits annually or 48 percent more 
than the next most visited medical specialty. Today, family physicians 
provide more care for America's underserved and rural populations than 
any other medical specialty. Family medicine's cornerstone is an 
ongoing, personal patient-physician relationship focused on integrated 
care. To learn more about the specialty of family medicine and the 
AAFP's positions on issues and clinical care, visit www.aafp.org. For 
information about health care, health conditions and wellness, please 
visit the AAFP's consumer website, www.familydoctor.org.

                                 ______
                                 
                     American College of Physicians

                 25 Massachusetts Avenue, NW, Suite 700

                       Washington, DC 20001-7401

                              202-261-4500

                              800-338-2746

                       https://www.acponline.org/

On behalf of the American College of Physicians (ACP), I am writing to 
share our views regarding the recent Senate Finance Committee Hearing 
on ``Hacking America's Health Care: Assessing the Change Healthcare 
Cyber Attack and What's Next.'' We appreciate your willingness to 
investigate why Change Healthcare services and patients' sensitive 
health information were susceptible to a cyberattack, as well as their 
and UnitedHealth's failure to support physicians who experienced 
significant financial loss after this incident. We urge Change 
Healthcare and UnitedHealth to share any information concerning patient 
data that was compromised or stolen and how their protected health 
information and personally identifiable information were compromised 
during this attack. We look forward to collaborating with this 
Committee to safeguard patient digital health records and ensure that 
physicians are properly compensated for any financial losses they 
experienced as a result of and in the aftermath of this cyberattack.

ACP is the largest medical specialty organization and the second 
largest physician membership society in the United States. ACP members 
include 161,000 internal medicine physicians, related subspecialists, 
and medical students. Internal medicine physicians are specialists who 
apply scientific knowledge, clinical expertise, and compassion to the 
preventive, diagnostic, and therapeutic care of adults across the 
spectrum from health to complex illness.

We are alarmed that although UnitedHealth completed its acquisition of 
Change Healthcare in October of 2022, it failed to ensure that digital 
records of patients were secure after this merger. In February of this 
year, hackers stole patient data in one of the largest cyber-attacks in 
our nation's history. As a result of this attack, physicians have not 
received payment for services and are without the revenue they are 
accustomed to, rely on, and that which is necessary to continue 
providing care. Steps have been taken to advance payments to 
physicians, but cash flow disruptions are still occurring, and 
physicians are being forced to reduce hours, cut staff, and hold off on 
purchasing necessary supplies. The reported delays and disruptions to 
patient care over the past 3 months are unacceptable.

Ensure Change Healthcare Provides Financial Support for Physicians

In March, ACP wrote a letter \1\ to HHS highlighting the significant 
financial strain this cyberattack has imposed on physicians who rely on 
Change Healthcare's claims and billing systems, the largest in the U.S. 
health care system. Unfortunately, physicians, especially those in 
smaller practices that serve rural and underserved communities, have 
continued to have cash flow issues that severely threaten patient 
access to care and practice viability. In May, ACP wrote another letter 
\2\ to HHS expressing continued concerns and urging the need for 
additional action to support physicians and protect patient access to 
care. ACP also wrote \3\ to the National Governors Association, calling 
for state-based actions and coordination with federal agencies.
---------------------------------------------------------------------------
    \1\ https://www.acponline.org/sites/default/files/acp-policy-library/letters/acp_letter_to_hhs_regarding_change_healthcare_cyber_attack_2024.pdf.
    \2\ https://www.acponline.org/sites/default/files/acp-policy-library/letters/acp_follow_up_letter_to_hhs_on_change_healthcare_cyberattack_2024.pdf?_gl=1%2Ah6r4yb%2A_ga%2AOTMxNzgxNTAyLjE2NDk5NTEwMTY.%2A_ga_PM4F5HBGFQ%2AMTcxNTM0NjczOS4yMDguMS4xNzE1MzQ2NzkxLjguMC4w&_ga=2.197599721.73406395.1715193284-931781502.1649951016.
    \3\ https://www.acponline.org/sites/default/files/acp-policy-library/letters/acp_letter_to_national_governors_association_on_change_healthcare_cyber_attack_2024.pdf?_gl=1*d2clqb*_ga*OTMxNzgxNTAyLjE2NDk5NTEwMTY.*_ga_PM4F5HBGFQ*MTcxNTM0NjczOS4yMDguMS4xNzE1MzQ2ODE3LjU5LjAuMA..&_ga=2.260964811.73406395.1715193284-931781502.1649951016.

UnitedHealth and Change Healthcare have not done enough to support and 
resource physicians over the past 2 months. Instead, many physicians 
have been without the necessary capital to provide care since the 
cyberattack, and most practices are unaware of the steps that HHS and 
others have taken to establish workarounds. A recent survey \4\ from 
the American Medical Association found that in the aftermath of this 
cyberattack, 55 percent of practices have had to use personal funds to 
cover expenses, and about one-quarter of practices have received 
financial assistance from UnitedHealth.
---------------------------------------------------------------------------
    \4\ https://www.ama-assn.org/system/files/change-healthcare-survey-results.pdf.

The College is therefore strongly urging the Finance Committee and HHS 
to take further action to work with UnitedHealth, Change Healthcare, 
and other necessary actors to ensure that any physicians who 
experienced financial loss because of this attack are compensated in a 
timely manner. ACP is deeply concerned that absent these actions from 
the Finance Committee, UnitedHealth and Change Healthcare, and HHS, 
physician practices will be forced to drastically scale back patient 
panels, restrict the type of care provided, explore alternative 
financing options, or close their practice altogether.

Remove Penalties in MIPS for Impacted Physicians

We are pleased that CMS extended the data submission deadline and 
reopened the 2023 Merit-based Incentive Payment System (MIPS) Extreme 
and Uncontrollable Circumstances (EUC) Exception Application to provide 
relief to eligible physicians and other clinicians impacted by the 
Change Healthcare cybersecurity incident. Extending these deadlines 
into April was essential for eligible physicians, and we strongly urge 
the Finance Committee and HHS to ensure that impacted physicians in 
MIPS are not unfairly penalized throughout this entire performance 
year, as any penalization further threatens the viability of physician 
practices. Even though Change Healthcare's systems are gradually 
returning to operational status, system outages have persisted, and 
some systems still are not fully restored. Physicians will feel the 
effects of this for many months to come, and the Finance Committee must 
ensure physician practices are not detrimentally impacted and protect 
against events of this scale in the future.

Allow Paper Claims and Extended Grace Period in Aftermath of Attack

We also recommend that HHS take steps to allow and encourage paper 
claims for an extended grace period following the complete restoration 
of Change Healthcare's systems. Currently, practices are backlogged on 
administrative tasks and claims submissions and are also facing the 
choice of reconnecting to the Change Healthcare systems or choosing a 
new clearinghouse. There is a learning curve for physicians when 
adopting these new clearinghouses, and physicians should not be forced 
to choose between providing care and completing administrative tasks 
disrupted by this incident. Allowing paper claim submission during this 
transition period and for months after would allow physicians to place 
their primary focus on clinical practice. ACP recommends extending this 
grace period to 90 days after completely restoring all of Change 
Healthcare's systems.

Ensure Medicaid and Medicare Provide Flexibility for Physicians

ACP further recommends that the Finance Committee and HHS ensure that 
state Medicaid plans provide flexibility and allocate funds to minimize 
the stress placed on physicians. HHS' encouragement of these state-
based actions is critical to reaching the most marginalized patients 
and the physicians who care for them. HHS should also encourage 
UnitedHealth to adjust its allocation period to 60 days instead of the 
current 45 days. This allows physicians a longer period to provide 
care, perform necessary administrative tasks, and determine if 
additional allocations are needed. The repayment timeframes are also 
problematic as most physicians will not have adequate cash flow to 
return payments within 45 days after standard operations resume. Health 
plans should be aware of these cash flow disruptions, and their 
flexibility during this time is essential to getting physicians back on 
schedule. Additionally, ACP recommends supplemental advanced payments 
to physicians through traditional Medicare and private payers. The 
current payments primarily address providing direct patient care, but 
practices routinely incur costs for clinical staff, resources, and 
other expenses. The lack of these actions and delays in reimbursement 
will lead to a significant decrease in the number of physicians able to 
provide care, elimination of staff, and use of personal funds to keep 
practices operational.

Investigate Predatory Practices Used by UnitedHealth

In addition to the continued concerns about cash flow disruptions and 
access to care, ACP is incredibly disturbed by reports that 
UnitedHealth has used this recent cyberattack to take advantage of 
practices that are struggling financially by buying them out and 
expediting mergers with UnitedHealth. Due to the attack against its 
systems, practices have been financially distressed. ACP believes it is 
a predatory practice for UnitedHealth to acquire practices vulnerable 
to its own cyberattack. We urge the Finance Committee and HHS to 
investigate these predatory practices and take any corrective or 
adverse action where appropriate. HHS should also leverage its 
partnerships with states as additional agencies begin to examine 
UnitedHealth's behavior.

Improve the Security of the Health Care Infrastructure

As HHS continues to work with physician partners, Change Healthcare, 
and UnitedHealth to address these issues, ACP strongly encourages 
special attention to be paid to the ongoing and rising cybersecurity 
and privacy risks within the health care infrastructure. We encourage 
the Finance Committee to consider legislation to ensure that HHS and 
federal agencies responsible for protecting and securing health data 
must guarantee that these delays, barriers, and breaches are not 
repeated in future cyberattacks. These gaps must be addressed in future 
rulemaking, and appropriate penalties must be assessed due to any 
adverse findings via investigation.

Conclusion

We thank the Senate Finance Committee for holding this hearing and 
their ongoing efforts to hold Change Healthcare and UnitedHealth 
accountable for their actions in the aftermath of this attack. The 
College will continue to give feedback to the Finance Committee and HHS 
and inform our members' perspectives during this challenging time. We 
ask that you keep us posted on your ongoing investigation and any new 
information that may be helpful to our physicians. Please do not 
hesitate to contact Brian Buckley, our Senior Associate for Legislative 
Affairs at bbuckley@acponline.org if you have any questions regarding 
this statement.

                                 ______
                                 
                      American Dental Association

                    1111 14th Street, NW, Suite 1100

                          Washington, DC 20005

April 29, 2024

Chairman Ron Wyden                  Ranking Member Mike Crapo
U.S. Senate                         U.S. Senate
Committee on Finance                Committee on Finance
219 Dirksen Senate Office Building  219 Dirksen Senate Office Building
Washington, DC 20510-6200           Washington, DC 20510-6200

Dear Chairman Wyden and Ranking Member Crapo,

On behalf of the more than 159,000 dentist members of the American 
Dental Association (ADA), we are writing to provide insights and 
recommendations for your hearing on the Change Healthcare cyberattack.

As you are aware, the cyberattack on Change Healthcare, one of the 
largest healthcare technology companies in the United States, has had 
significant repercussions for many sectors, including dental practices. 
The lack of transparency surrounding the financial impact of this 
incident is concerning and we believe full financial impact assessments 
by the industry are imperative.

Our members have reported delayed claims, additional expenses incurred 
due to resorting to physical mailing, and increased office staff time 
spent on call centers and troubleshooting. In the nearly 13 weeks since 
the cyber-attack, dental services have yet to be fully restored. This 
means provider credentialing, claims and claim attachments processing 
and tracking, practice analytics and revenue cycle insights, and 
automation of business functions (eligibility and benefits 
verification, payment remittances, etc.) are experiencing ongoing 
disruptions.

Due to the unprecedented magnitude of this attack, we recommend the 
below measures that we believe are crucial to ensuring the resilience 
of our healthcare infrastructure in the face of cyber threats.

    1.  Comprehensive Financial Impact Assessments: Urgently conduct 
comprehensive financial impact assessments across the industry to 
ascertain the extent of the damage inflicted by the cyberattack. These 
assessments should encompass not only direct financial losses, but also 
indirect costs incurred due to disruptions in practice operations.
    2.  Enactment of Prompt Pay Legislation: The enactment of ``prompt 
pay'' laws would mandate insurance companies to promptly reimburse 
healthcare providers for services rendered. This is pivotal to ensuring 
the financial stability of systemically important healthcare 
institutions, which include dental practices, amidst increasing cyber 
incidents and other emergencies.
    3.  Enhanced E-Prescribing Standards: Strengthen e-prescribing 
standards implementation and interoperability to ensure seamless 
continuity of care and medication access for patients during cyber-
related disruptions. Standardized e-prescribing and systems to access 
the Enhanced Prescription Drug Monitoring Program (ePDMP) improve 
patient safety and alleviate administrative burdens on dental 
practices.
    4.  Health Insurance Portability and Accountability Act (HIPAA) 
Compliance Enhancement: HIPAA compliance can help safeguard protected 
health information from cyber threats. Strengthening HIPAA compliance 
measures so that health IT vendors that enter in business associate 
agreements with covered entities are held to the same standards under 
HIPAA as covered entities is imperative for protecting patient 
confidentiality and mitigating cybersecurity risks.
    5.  Cybersecurity Support for Dental Practices: As critical small 
healthcare businesses, dental practices often lack the resources and 
expertise to implement robust cybersecurity measures independently. 
Providing for enhanced cybersecurity support and resources to fortify 
defenses against cyber threats could include access to cybersecurity 
training, assistance in implementing cybersecurity frameworks, and 
other collaboration with cybersecurity experts.
    6.  Mitigation of Potential Price Gouging: Price transparency 
measures such as price caps and stringent oversight mechanisms are 
essential to prevent opportunistic pricing practices that could exploit 
vulnerabilities in the healthcare system.
    7.  Payer Responsibility and Collaboration: Holding payers 
accountable for facilitating uninterrupted access to reimbursement and 
financial support for healthcare providers during cyber incidents. 
Payers should collaborate with providers, industry stakeholders, and 
government agencies to develop robust contingency plans and expedite 
claims processing to minimize disruptions.

We believe these proposals can aid policymakers as they seek to take 
proactive steps towards long-term resilience in the face of future 
cyber threats to dental practice and the broader healthcare system. In 
addition to addressing the immediate aftermath of this cyberattack, we 
urge the Committee to consider any legislative measures that would 
improve options for healthcare providers impacted by cyberattacks and 
that attempt to prevent such incidents in the future. We are 
particularly interested in policies addressing gaps in cybersecurity 
regulations and enforcement mechanisms such as measures to enhance 
penalties for cybercrimes, streamlining transparency on incident 
reporting requirements, support for contingency planning and 
facilitating information sharing among law enforcement agencies and 
healthcare providers.

We appreciate the Committee holding a hearing on this critical issue 
and would be happy to provide any further information or assistance. 
The ADA remains committed to collaborating with policymakers to 
safeguard the integrity and security of our healthcare infrastructure.

The ADA looks forward to continuing to work with you and we would 
welcome the opportunity to speak with you in more detail and answer any 
questions you have regarding these comments. Please contact Mr. Chris 
Tampio at 202-789-5178 or [email protected] to facilitate further 
discussion.

Sincerely,

Linda J. Edgar, D.D.S., M.Ed.       Raymond A. Cohlmia, D.D.S.
President                           Executive Director

Cc: Members of the Senate Finance Committee

                                 ______
                                 
                American Gastroenterological Association

                           4930 Del Ray Ave.

                           Bethesda, MD 20814

                             (301) 654-2055

                           https://gastro.org

               Statement of Barbara Jung, M.D., President

On behalf of the American Gastroenterological Association (AGA), I 
would like to thank you, Chairman Wyden, Ranking Member Crapo, and all 
members of the Committee, for the opportunity to provide testimony for 
the record about the importance of transparency and the need for 
UnitedHealthcare to ensure physicians and patients are not unduly 
burdened as a result of its actions and policies.

The AGA was founded in 1897, and today, it has expanded its membership 
to include more than 16,000 professionals dedicated to advancing 
science, practice, and research in the field of gastroenterology. Every 
single day, our members work to move the field forward and ensure that 
patients with a wide range of diseases--from colorectal cancer to 
Crohn's disease--get the safe, effective, and timely care they deserve.

 Cyberattack and Subsequent Failure to Support Physicians is Pushing 
                    Many Practices to the Brink

That last part--ensuring timely care--is key. As physicians, 
gastroenterologists strive to make sure our patients get the right care 
at the right time without delay. We also expect that the care we 
provide is reimbursed in a timely manner so we can keep the lights on, 
pay staff, cover rent, purchase necessary drugs and equipment, and 
invest in expanding our practices so that even more Americans can 
access gastroenterological treatment. The prolonged disruption caused 
by the cyberattack against Change Healthcare and UHC's subsequent 
actions, which have failed providers and fallen far short of the full-
throated support physicians needed, have major implications.

A survey from the American Medical Association \1\ found that 80% of 
physician practices have lost revenue from unpaid claims and 55% of 
respondents said they used personal finances to cover costs. But this 
attack didn't just hurt practices. Delayed reimbursement also 
negatively impacts patient care. Many physicians remain concerned that 
the Change attack delayed lab work, procedures, and access to 
medications, worsening patient health and outcomes. When conglomerates 
like UHC own such large portions of the healthcare reimbursement 
process, it's unsafe for the stability of practices and patients. They 
must do more to help practices recover and be transparent as we try to 
move forward.
---------------------------------------------------------------------------
    \1\ https://www.ama-assn.org/system/files/change-healthcare-survey-results.pdf.

UHC's Troubling Utilization Management Policies Further Burden 
Physicians and Threaten Timely Care for Patients

Our concerns about UHC's recent actions and policies go far beyond its 
questionable response to the Change Healthcare cyberattack. While 
patients and doctors are optimistic about the rapid development of 
game-changing new treatments, even the most routine forms of care are 
too often disrupted, delayed, and denied due to barriers erected by 
UHC. This is frustrating and can lead to serious patient access issues, 
increasing the risk of adverse health outcomes.

Specifically, AGA remains extremely concerned by UHC's Advance 
Notification policy, which it hastily rolled out last summer, as well 
as its murky promise to implement a ``Gold Card'' prior authorization 
program sometime this year. Both utilization management policies impact 
virtually all colonoscopies and endoscopies. This is incredibly 
alarming. Any delays to diagnostic and surveillance procedures can 
increase the risk of disease progression, deferred care, and undetected 
cancers--which is especially worrying, as colorectal cancer is now the 
second deadliest cancer in the U.S. and the number of younger Americans 
living with the disease has skyrocketed in recent years.

Advance Notification

Last summer, UHC announced that it would implement a nebulous new 
policy called Advance Notification mere hours before the policy went 
into effect for all of its more than 27 million commercial 
beneficiaries nationwide. Without any input from the 
gastroenterological community or recognition of long-standing best 
practices and guidelines, the insurance giant immediately required 
physicians to log reams of additional (and often duplicative) data 
using UHC's hastily erected online portal. While the supposed benefits 
of this bureaucratic mandate remain tenuous, it has had an enormous 
impact on the nation's gastroenterological providers. Since it has been 
in place, it has created a significant administrative burden for 
physicians and their practices at a time of growing costs, increasing 
patient need, and lingering workforce shortages. While doctors would 
like to be able to spend more time caring for patients, excessive 
administrative burdens divert precious time and resources to paperwork.

Moreover, this excessive requirement was rolled out in the context of a 
hotly contested prior authorization requirement that targeted virtually 
all colonoscopic and endoscopic procedures across the board. The AGA 
maintained then, as it does now, that UHC had no data to even suggest 
these life-saving screening procedures were overused. In fact, peer-
reviewed clinical and population level data suggest that the opposite 
is true: too few Americans are getting the colonoscopies and 
endoscopies they need that could help identify serious diseases like 
colorectal cancer and inform an individually-tailored treatment plan. 
Many gastroenterologists expressed enormous concern that this Advance 
Notification policy was merely a scheme to try to collect data that 
could be used as a fig leaf to cover its planned ``Gold Card'' program in 
``early 2024.''

Prior Authorization

Like most physicians, specialty medical organizations, patients, and 
concerned lawmakers, AGA remains concerned that UHC's ``Gold Card'' 
program is merely prior authorization by another name. While we await 
more details nearly a year after the concept was first announced, we 
strongly believe that any prior authorization policy for colonoscopies 
and endoscopies will lead to fewer patients getting the care they need, 
less timely medical interventions, and worse outcomes. This fear is 
well founded: According to the American Medical Association's annual 
survey about prior authorization, 33% of physicians reported that prior 
authorization requirements have led to a serious adverse event--
including hospitalization, disability, and death--for a patient in 
their care. For all these reasons, AGA laments that the insurance 
company has not been forthcoming, transparent, or proactive in efforts 
to inform the medical community about the program and its potential 
impacts.

To date, UHC has ignored repeated, good-faith outreach from medical 
societies, including AGA, to discuss the details about what this ``Gold 
Card'' program might look like in practice, what treatments or 
procedures it would impact, when it will go into effect, and even the 
alleged evidence it has to justify such a wide expansion of prior 
authorization policies to its 27 million commercial beneficiaries. 
Unfortunately, UHC has also failed to respond to repeated entreaties 
made by bipartisan Members of Congress to shed light on any of these 
issues.

Finally, it is troubling that UHC is trumpeting a ``Gold Card'' program 
to justify its prior authorization mandates that we fear are 
forthcoming. Over the last decade, a growing number of state 
legislatures have recognized the tremendous burdens and risks 
associated with prior authorization and have enacted ``Gold Card'' 
legislation to help streamline care by allowing physicians to bypass 
the waiting period and provide timely care. State lawmakers enacted 
such bipartisan legislation to help fight against the out-of-control 
nature of prior authorization. On the other hand, UHC is co-opting the 
language of these important bills in order to justify new prior 
authorization requirements where none currently exist.

Ultimately, there must be transparency and accountability about how 
potentially life-changing requirements like UHC's Advance Notification 
and ``Gold Card'' prior authorization policies are developed and 
implemented.

On behalf of AGA, its members, and the millions of Americans who rely 
on us for timely gastroenterological care, I would like to thank you 
for your consideration of our concerns about UHC. If you have any 
questions, please contact Kathleen Teixeira, Vice President of Public 
Policy and Advocacy, at (240) 482-3222 or kteixeira@gastro.org.

                                 ______
                                 
                      American Medical Association

                    Division of Legislative Counsel

                              202-789-7426

The American Medical Association (AMA) appreciates the opportunity to 
submit the following Statement for the Record to the U.S. Senate 
Committee on Finance as part of the hearing entitled, ``Hacking 
America's Health Care: Assessing the Change Healthcare Cyber Attack and 
What's Next.'' The AMA commends the Committee for focusing attention on 
and exploring solutions to the massive cyberattack on Change Healthcare 
and the resulting outage that is impacting patients, physicians, 
hospitals, pharmacies, labs, and countless additional health care 
professionals, providers, and entities across the country. The AMA has 
been particularly concerned about the impact of the outage on small and 
independent physician practices that live financially on the margins 
and do not have the resources to weather a storm such as this. As such, 
much of this statement focuses on issues and actions needed to protect 
the sustainability and solvency of those critical but vulnerable 
practices.

Although the hackers are ultimately to blame for this breach, the AMA 
has been disappointed by the response of many of the most resourced 
players in the health care system to meet the moment thus far, 
especially in their failure to support physician practices serving 
small, rural, or underserved communities. We hope that Congressional 
interest in the actions, or inaction as it may be, of these players 
will serve to ignite a sense of corporate citizenship in time to help 
the many physicians in crisis.

  I.  Impact of Change Healthcare Outage on Physician Practices

Although Change Healthcare was not a well-known entity until recently, 
it is a health care giant. Even before UnitedHealth Group's (UHG's) 
subsidiary Optum purchased Change Healthcare in 2022, the company 
facilitated over 15 billion health care transactions and approximately 
$1.5 trillion in adjudicated claims--more than one-third of all U.S. 
health care expenditures annually.\1\
---------------------------------------------------------------------------
    \1\ Change Healthcare Annual Report (Form 10-K) for year ended 
December 31, 2020, available at 
https://ir.changehealthcare.com/node/7326/html#tx904010_8.

For many physicians, hospitals, and health insurance companies, Change 
Healthcare serves as a clearinghouse through which eligibility 
inquiries are received and responded to, claims are submitted and 
processed, and remittance is sent back to the physician or health care 
provider. For some payers, Change Healthcare even handles claims 
payment. Change Healthcare's importance as the ``middleman'' 
transmitting health care claims from physicians and hospitals to 
insurance companies in the United States cannot be overestimated. But 
that does not even come close to covering the extent of Change 
Healthcare's reach in the health care system. Change Healthcare also 
plays a primary role in communicating prescriptions to pharmacies and 
determining pharmacy, insurance, and patient costs. It facilitates 
exchanges between physicians, hospitals, and labs--including the 
ordering of labs and the sending of results. Change Healthcare supports 
the exchange of information related to prior authorizations (PAs) and 
other utilization management requirements. And it has products and 
services that reach into practice management systems and electronic 
medical record (EMR) systems for dozens of other practice management, 
clinical, and revenue cycle purposes. Therefore, when Change Healthcare 
turned off its systems on February 21st upon news of the cyberattack, 
the U.S. health care system more or less came to a screeching halt.

Ten weeks later, for many physicians, functionalities dependent upon 
Change Healthcare systems and products are still not up and running, at 
least not completely, and practices continue to try and function 
without all the Change Healthcare services on which they depended.

The AMA has fielded several surveys during these 10 weeks to better 
inform our understanding of the impact of the outage on physicians and 
their practices. Each survey has yielded heartbreaking results showing 
physician practices being financially devastated by the Change 
Healthcare outage. Our most recent survey, conducted between April 19th 
and April 24th, strongly disputes UHG's assurances that systems are 
nearly back to pre-outage functioning and claims are again flowing 
through the system. Quite the contrary--physician practices, 
particularly small and independent practices, are still very much in 
crisis and not receiving the resources or information they need to 
navigate the outage or breach.

Financial Impact

The financial impact of the Change Healthcare outage on physician 
practices has been massive. According to our most recent survey, as of 
last week, 90 percent of respondents continue to lose revenue from 
unpaid claims because of the outage, 80 percent are losing revenue from 
the inability to submit claims, and 63 percent said they are losing 
revenue due to the inability to charge patient co-pays or remaining 
obligation. More than one-quarter of respondents reported that their 
practice revenue for the last week was down by more than 70 percent 
compared to an average week before the cyberattack.\2\
---------------------------------------------------------------------------
    \2\ https://www.ama-assn.org/system/files/change-healthcare-follow-up-survey-results.pdf.

The outage is also requiring additional staff time and resources to 
complete revenue cycle tasks, with an overwhelming 91 percent of our 
most recent survey respondents reporting such commitments.

This decrease in revenue, along with increased demands on staff, is 
forcing physicians to make some difficult financial decisions in order 
to buy supplies, pay their staff, handle overhead costs, and pay their 
vendors. A band-aid solution has been to use personal funds to cover 
practice expenses or take out loans. But the potential long-term impact 
of this outage is the permanent loss of many small and independent 
practices that simply will not be able to keep their doors open. 
Predictably, the AMA surveys show that practices of 10 or fewer 
physicians appear to be particularly hard hit. The AMA has heard from 
physicians stating:

        ``Having to borrow from my bank at 14 percent interest is a 
        hardship I will never recoup'';

        ``I am now going to get acquired by a hospital system because I 
        just can't bear the financial responsibility'';

        ``This almost put me out of business. Had to use retirement 
        money to cover payroll'';

        ``[I am] on the verge of losing my practice''; and

        ``[This] may bankrupt our practice of 50 years in this rural 
        community.''

It is clear that the repercussions of this crisis will be felt by 
communities long after Change Healthcare is back up and running.

Claims Processing and Other Process Disruptions

As stated above, physicians' experiences with claims processing and 
other revenue cycle services through Change Healthcare systems do not 
seem to be lining up with the narrative coming from UHG that 
functionality is essentially restored. In fact, many practices are 
still facing the inability to submit electronic claims, and even more 
are not receiving payment on claims submitted. According to our most 
recent survey, 75 percent of respondents still face barriers with claim 
submission, and 85 percent continue to experience disruptions in claim 
payments.

Many practices are also unable to electronically check insurance 
information for patients prior to care. Among those responding to our 
most recent survey, 60 percent of physicians continue to face 
challenges in verifying patient eligibility. Standard operating 
procedures for most physician practices include submitting batch 
electronic eligibility requests every evening to confirm insurance 
coverage, benefits, and co-pay amounts for patients with appointments 
scheduled for the next business day. Without this information, 
practices are essentially flying blind and facing extreme uncertainty 
regarding insurance coverage--leading to difficult choices.

Additionally, the AMA has heard from physician practices who are unable 
to obtain electronic remittance advice (ERA) from health plans, even 
when they receive payment. Essentially, practices may be getting checks 
from plans with no information about what claims the payment applies 
to, if any claims were denied or downcoded, the patient cost-sharing 
associated with the payment, etc. As a result, practices have no 
ability to reconcile payments with claims and are not able to collect 
patient cost-sharing, which for many practices represents significant 
portions of their revenue--particularly during the first months of the 
year, when many patients have yet to meet their out-of-pocket 
deductible.\3\ In fact, our most recent survey indicates that 79 
percent of respondents still cannot receive ERAs on claims. Unraveling 
this ERA mess and accounting nightmare will take months or years for 
practices. Unfortunately, for some, the financial resources and staff 
time that will be required to reconcile the claims with payments are 
not available, meaning many practices will have to forgo much-needed 
revenue from being unable to appeal inappropriately denied claims and 
face an ongoing challenge of unbalanced books.
---------------------------------------------------------------------------
    \3\ https://www.ama-assn.org/practice-management/sustainability/change-healthcare-outage-leaves-physician-practices-reeling.

The AMA has also received significant feedback related to disruptions 
in electronic lab ordering. For example, the AMA recently heard from a 
physician at a small maternal-fetal medicine practice serving 45 
percent of high-risk 
pregnancies in New Mexico who has been unable to electronically 
communicate lab orders and results for nearly 2 months because its 
electronic clinical system is connected to Change Healthcare. Outages 
in practice clinical systems not only result in significant workflow 
disruptions and burdensome, manual processing; they also lead to 
negative impacts on patient care. For example, a physician respondent 
to the most recent AMA survey stated that, ``The difficulty in 
accessing lab, radiology, and hospital records is causing a dangerous 
delay in diagnosis and treatment of my patients.''

Difficulty Switching Clearinghouses and Employing Workarounds

Practices are working tirelessly to establish workarounds for the 
Change Healthcare outage. For example, 31 percent of physicians who 
responded to a recent AMA survey said they are using manual and 
electronic workarounds to simply get paid on claims and to be able to 
submit claims to payers. As part of these efforts, physician practices 
are having to enter into new and potentially costly arrangements with 
alternative clearinghouses. An AMA survey found that nearly half of 
physicians who responded have engaged alternative clearinghouses to 
conduct electronic transactions, and comments such as ``[it is costing] 
$10,000 just for the set-up of a `back-up' clearinghouse'' were common 
responses.\4\ Unfortunately, we have also received comments that 
indicate some clearinghouses may be taking advantage of this crisis by 
increasing costs and extending minimum lengths of contracts, placing 
further pressure on practice finances.
---------------------------------------------------------------------------
    \4\ https://www.ama-assn.org/system/files/change-healthcare-survey-results.pdf.

While switching clearinghouses has been an option, albeit a difficult 
one, for some practices, many practices are unable to switch or are 
choosing not to switch due to substantial barriers. According to our 
most recent survey, for those physician respondents who have not 
switched clearinghouses, the time and costs involved in making a switch 
(54 percent and 25 percent respectively) were significant obstacles. 
Additionally, 32 percent of those respondents said a switch was not 
supported by their EHR or practice management system and 36 percent 
cited incompatibilities with payers' systems or restrictions due to 
contract exclusivity.

The AMA has been disappointed by health plans' and their associations' 
disregard for these barriers and their disingenuous suggestions to 
policymakers that switching clearinghouses is a reasonable solution for 
physician practices, including small independent practices. To be 
clear, quickly switching clearinghouses in order to meet urgent 
practice needs is not feasible for many physicians.

  II.  AMA Recommendations to Address the Change Healthcare Cyberattack 
                    and Resulting Outage

The AMA seeks assistance from Congress to ensure physician practices 
recover from this crisis, as well as to establish protections in 
anticipation of a similar future attack.

  1.  Provide Financial Assistance to Impacted Physician Practices

The AMA has been advocating for immediate and targeted financial relief 
for physician practices from all payers in the form of advance payments 
based on claims history. For many physician practices devastated by the 
Change Healthcare outage, such payments can serve as a lifeline. As 
such, the AMA is grateful to the Centers for Medicare & Medicaid 
Services (CMS) for quickly standing up the Change Healthcare/Optum 
Payment Disruption (CHOPD) Accelerated Payments to Part A Providers and 
Advance Payments to Part B Suppliers in March. Given that this program 
was initially set up to provide just 30 days of payment, the AMA urges 
CMS to distribute additional funds to physician practices still 
financially struggling to ensure their stability. In addition, it is 
important to emphasize that CMS should ensure that any advance payment 
recoupment processes do not begin until this situation is completely 
resolved. More information on recoupment and repayment is included 
below.

The AMA also welcomed the March 15th Center for Medicaid & CHIP 
Services (CMCS) Informational Bulletin (CIB) providing enforcement 
discretion to allow Medicaid programs to elect a State Plan Amendment 
(SPA) option for implementation of interim payments to Medicaid 
fee-for-service providers. It is important to note the particular 
vulnerability of many physicians who care for Medicaid patients and may 
not have access to other forms of advance payment while serving 
marginalized communities. The AMA continues to urge state Medicaid 
directors to take advantage of this SPA option.

Additionally, UHG should be recognized for the resources it has put 
behind its advance payment program. While initially many physicians who 
applied saw inconsequential amounts being offered and walked away from 
the program, it is our understanding that UHG's loan program now 
provides funding not just based on estimates of unpaid UHG claims since 
the outage, but all insurer claims, to assist struggling practices and 
hospitals. The AMA is aware of many practices that have been able to 
keep their doors open to patients because of this assistance. 
Unfortunately, our survey results continue to show that many small 
physician practices do not seem to be benefiting from UHG's advance 
payment program in the same way as larger practices and have not 
received financial assistance for a number of reasons including a lack 
of outreach or follow-up. The AMA recognizes that it is the bigger 
systems that make the headlines, but stresses that smaller physician 
practices serving underserved communities are too important to ignore.

Disappointingly, we have seen very few other health insurers establish 
any advance payment or loan programs to help their contracted 
physicians. According to the recent AMA survey data, only 4.5 percent 
of respondents have received assistance from commercial health plans 
other than UHG. To the AMA, that is appalling. During the suspension of 
claim submission and payment, health plans have retained premium 
dollars and, in fact, collected interest on those patient, employer, 
and government payments for over 2 months. For companies that make 
billions of dollars in profit each year and purport to be partners with 
physicians in patient care to feel no sense of obligation to support 
our health care system when it is in crisis is unconscionable and a 
crisis in and of itself. The AMA asks Congress to urge commercial 
payers to provide advance payments to physician practices impacted by 
the Change Healthcare service outage, and especially to small, 
independent practices. 

  2.  Immediately Suspend Prior Authorization, Quality Reporting and 
                    Other Administrative Requirements

The Change Healthcare outage has impacted the ability of practices to 
exchange information needed for payers' administrative requirements 
such as PA and quality reporting. For example, the outage has 
obstructed both the electronic exchange of PA information between 
physicians and many health plans and pharmacy benefit managers, as well 
as access to the clinical guidelines used by many payers, making 
completion of these requirements difficult, if not impossible. 
Moreover, the outage's impact on pharmacies', labs', and imaging 
centers' communications has significantly complicated utilization 
management processes.

Additionally, the Change Healthcare outage has required an 
``all-hands-on-deck'' approach to keep physician practices running and patients 
being seen. Nearly all of the respondents in our most recent survey 
(91.2 percent) stated that as of last week, they are still requiring 
additional staff time and resources to complete revenue cycle tasks in 
order to receive payment. We already know that physicians and their 
staff spend an average of 2 working days each week on PAs alone, even 
as these processes threaten patients' access to care. Always, but 
especially now, physician and staff time could be much better spent on 
addressing outage issues and reducing the toll that service disruptions 
are having on the provision of care, rather than dealing with PA 
hassles.

Unfortunately, our most recent study shows that many health plans, 
including national commercial plans and Medicare Advantage plans, are 
maintaining utilization management requirements such as PA during this 
critical time period and applying it to those claims that can be 
processed. As such, the AMA urges Congress to quickly ensure that all 
health plans suspend their utilization management programs and other 
unnecessary administrative requirements, including post-payment audits 
and medical record requests, on physician practices during this crisis 
and its aftermath.

Of note and importantly, CMS extended the 2023 Merit-based Incentive 
Payment System (MIPS) data submission deadline and reopened the 2023 
MIPS Extreme and Uncontrollable Circumstances (EUC) Exception 
Application to provide relief to clinicians impacted by this 
cybersecurity incident. The AMA recognizes the relief this has provided 
to practices and urges Congress to press for an extension of this 
reprieve (which expired on April 15) and for other payers to follow 
with similar administrative relief in their quality reporting programs.

  3.  Prevent Denials on Claims and Appeals Impacted by the Outage

As described above, practices continue to face significant barriers to 
obtaining patients' health insurance information, including their 
coverage information, cost-sharing responsibilities, and utilization 
management requirements, due 
to the Change Healthcare outage. Without these capabilities, physicians 
continue to care for their patients, but could later be liable if a 
patient's coverage has lapsed or other insurance requirements were not 
met. The AMA supports physicians' efforts to secure continuity of care 
for their patients throughout this crisis and believes health plans and 
policymakers should as well.

As such, the AMA is urging policymakers to ensure that health plans 
refrain from denying claims impacted by this outage based on lack of 
patient insurance eligibility or completion of health insurer 
administrative requirements.

Many health plans enforce deadlines for timely filing of claims based 
on the date of service. However, given the extensive challenges with 
claim submission resulting from the Change Healthcare outage, many 
physician practices are not currently able to meet those deadlines and 
will continue to have delays in claim submission. Enforcement of these 
timelines could result in nonpayment to practices, further exacerbating 
the financial impact of this crisis.

We note that some practices are already reporting denials due to late 
claim submissions resulting from the service disruption. Indeed, 27 
percent of physicians in the AMA's most recent survey already report 
that claims have been denied for failing to meet timely filing 
requirements. However, given that many filing deadlines are 90 days, 
the AMA is fearing a wave of denials in the coming weeks and months, as 
claims continue to sit with clearinghouses without being processed or 
are unable to be submitted.

Therefore, the AMA is urging policymakers to ensure that all health 
plans are required to waive timely claim filing requirements. Any time 
limitations on the filing of appeals should be waived as well.

Without plans in place to alleviate the burdens and chaos that are 
bound to ensue as Change Healthcare comes back online and processes 
resume, the stability of physician practices will remain threatened.

  4.  Improve the Transparency and Accuracy of Information Going to 
                    Physicians

The AMA is very concerned that information being provided to physicians 
about what can be expected in terms of restoration is limited and 
inaccurate. In our most recent survey, 84 percent of respondents 
indicated that they are not receiving information, or are receiving 
inaccurate information, regarding service restoration from UHG and its 
subsidiaries. The AMA notes that while Change Healthcare may announce a 
date for a certain system or product to be restored, they often fail to 
highlight the restoration is going to take place on a rolling or 
incremental basis. For small physician practices who are having to make 
difficult decisions about loans, clearinghouses, etc., it is imperative 
that they receive information from UHG and Change Healthcare specific 
to their practice, including realistic timelines for service 
resumption.

  5.  Focus on Restoring Function for Small, Independent Physician 
                    Practices

Certainly, the best solution for many physician practices is to have 
their Change Healthcare products restored and functioning again. Media 
reports suggest that for many large systems and hospitals, 
functionality is returning. However, given member feedback, the AMA 
fears that small physician practices outside of large systems are not a 
priority for service restoration. While understanding the reasoning 
behind prioritizing reconnection of systems that move large claim 
volumes, the AMA stresses that it is the smaller practices that may not 
have received advance payments or have the ability to take out loans or 
dip into personal savings that are now teetering on insolvency. In 
fact, AMA survey respondents have reported tens of thousands of dollars 
in unexpected costs to reestablish a portion of their business 
operations. Some practices have even reported that their EMR developer 
has been required to rewrite software to reconnect to Change 
Healthcare's systems--with practices incurring additional fees in the 
process. As such, the AMA asks Congress to help ensure that small and 
independent physician practices are not the last in line when it comes 
to restoring functionality.

  6.  Ensure the HIPAA-Related Reporting Requirements and Notification 
                    Obligations Fall Upon Change Healthcare and Not 
                    Physicians and Other Providers

The AMA believes it is critical that the Office of Civil Rights (OCR), 
and perhaps Congress, clarify responsibilities and assure affected 
providers that any Health Insurance Portability and Accountability Act 
(HIPAA) reporting and notification obligations associated with this 
breach will be handled by Change Healthcare. As such we suggest the 
following Congressional actions:

      Request that OCR publicly state that their breach investigation 
and immediate efforts at remediation will be focused on Change 
Healthcare, and not the providers affected by Change Healthcare's 
breach.
      Request that OCR affirm its position that the breach was 
perpetrated upon Change Healthcare, whose status as a health care 
clearinghouse makes it a covered entity under HIPAA and thus 
responsible for the breach of any protected health information (PHI) 
that it processes or for which it facilitates processing. Because 
Change Healthcare experienced impermissible access to unsecured PHI 
that it processed on behalf of other covered entities, no entities 
other than Change Healthcare, its parent company UHG, and their 
corporate affiliates such as Optum, bear responsibility for this breach 
and are under any legal reporting or notification obligation as a 
result of it.
      Given the statement by UHG that, ``UnitedHealth Group has 
offered to make notifications and undertake related administrative 
requirements on behalf of any provider or customer,'' OCR should 
confirm that any affected provider may rely upon that statement and, as 
UHG bears sole responsibility for the breach, no breach notification 
requirements apply to any affected medical provider.

Additionally, the AMA stresses that the credit monitoring services 
being offered for impacted individuals for 2 years must align with the 
following provisions:

      Change Healthcare must reach out directly to assist impacted 
individuals to access these services, rather than necessitating that 
they navigate various websites to reach portals, resources, and 
services.
      No individual must be required to waive any rights or legal 
remedies in order to access these services.

  7.  Establish Flexibility and Leniencies in Loan Repayments and 
                    Recoupments

Many physician practices have accepted advance payments and loans 
through UHG, Medicare, and Medicaid that are helping maintain their 
financial viability. However, there is growing concern about the 
repayment expectations and the impact that premature or aggressive 
recoupment would have on practices. In fact, we understand that 
recoupment has already begun for some advance payments, including some 
under the CHOPD Accelerated Payments to Part A Providers and Advance 
Payments to Part B Suppliers.

The AMA asks Congress to help ensure flexibility and leniencies in loan 
repayment requirements to ensure that the rug is not pulled out from 
under financially vulnerable practices just as they are beginning to 
reestablish their footing. It will be important for the sponsors of 
advance payments to ensure that claim submission and payment processes 
are functioning for all of a practice's payers, rather than just the 
sponsor's plan, before requiring repayment. Additionally, it will be 
critical that sponsors clearly communicate with practices in advance 
about how recoupments will be processed and specifically identify 
amounts withheld for loan repayments on remittance advice to 
differentiate them from other payer recoupment processes.

  8.  Ensure the Long-Term Financial Stability of Physician Practices 
                    Through Medicare Payment Reform

This crisis underscores the fragility of physician practices and the 
need for Medicare payment reform. According to data from the Medicare 
Trustees, Medicare physician pay has increased just 9 percent over the 
last 23 years, or 0.4 percent per year on average, including the 
temporary 2.93 percent update expiring at the end of this year. In 
comparison, the cost of running a medical practice increased 54 percent 
between 2001 and 2024, or 1.9 percent per year. Inflation in the cost 
of running a medical practice, including increases in physician office 
rent, employee wages, and professional liability insurance premiums, is 
measured by the Medicare Economic Index. As shown in the chart below, 
when adjusted for inflation in practice costs, Medicare physician pay 
declined 29 percent from 2001 to 2024, or by 1.5 percent per year on 
average.

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

Physician practices cannot continue to absorb increasing costs or 
weather crises such as the Change Healthcare outage while their payment 
rates dwindle. Congress must act to reform the Medicare payment system 
and ensure that our independent physician practices have the financial 
stability to make it through the next cybersecurity crisis.

III.  Future Actions for Consideration to Deter Cyberattacks and 
                    Protect Patients and Physicians

While immediate and near-term relief and flexibilities for physicians 
and patients are paramount, the AMA urges Congress to begin considering 
long-term policy changes and protections needed to both deter future 
cyberattacks and protect physician practices if--and realistically, 
when--they happen again.

The AMA anticipates that Congress and the Administration will 
investigate the causes of this breach, whether existing cybersecurity 
laws are strong enough, and whether such laws were being enforced and 
followed.

The AMA hopes that Congress will also look at where response 
requirements can be strengthened to include approaches that will 
immediately trigger the positive financial incentives and structural 
supports physician practices need to keep their doors open and continue 
providing care to their patients in the event of the next large-scale 
breach. For example, Congress should consider resiliency requirements 
for health plans and intermediaries.

The AMA also urges Congress to consider whether more flexibility is 
needed for federal and state governments to respond to health care 
cyberattacks, perhaps similar to or in conjunction with those 
flexibilities provided for public health emergencies. Moreover, we 
encourage Congress to work with the Administration to ensure health 
information technology developers adopt security-by-design principles 
as well as investigate the creation of a publicly funded cybersecurity 
insurance program for health care providers.

Additionally, we strongly urge Congress to consider why consolidation, 
and particularly vertical integration, is permitted in the health care 
sector to the extent that a single company can have such indisputable 
dominance over the entire health care system that when they are 
attacked, the entire health care delivery system nearly collapses.

Finally, the AMA urges Congress to reevaluate the environment that has 
led so many physician practices to be in the position of financial 
vulnerability. Ensuring physician practices have resources to weather a 
crisis like the Change Healthcare outage and continue serving their 
patients has to start with ensuring physicians' financial security.

Thank you for the opportunity to submit this statement. We look forward 
to working with the Committee to address the immediate and long-term 
needs of physician practices in light of the Change Healthcare 
cyberattack and outage.

                                 ______
                                 
                    American Pharmacists Association

                       2215 Constitution Ave., NW

                          Washington, DC 20037

                             (800) 237-2742

                       https://www.pharmacist.com

Chair Wyden, Ranking Member Crapo, and Members of the Committee:

On behalf of our nation's over 310,000 pharmacists, the American 
Pharmacists Association (APhA) is pleased to submit the following 
Statement for the Record to the U.S. Senate Committee on Finance 
hearing ``Hacking America's Health Care: Assessing the Change 
Healthcare Cyber Attack and What's Next.''

APhA is the largest association of pharmacists in the United States 
advancing the entire pharmacy profession. APhA represents pharmacists 
and pharmacy personnel in all practice settings, including community 
pharmacies, hospitals, long-term care facilities, specialty pharmacies, 
community health centers, physician offices, ambulatory clinics, 
managed care organizations, hospice settings, and government 
facilities. Our members strive to improve medication use, advance 
patient care, and enhance public health.

The Change Healthcare cyberattack made obvious the deep vulnerabilities 
of our nation's digital health care infrastructure, resulting in 
devastating patient care disruption, particularly at community and 
health system pharmacies across the country. The attack, and even more 
so the prolonged inability to restore service, severed the lifelines to 
patient coverage and reimbursement for needed medications. Patients, 
prescribers, and pharmacies were left in the dark, unsure about 
medication coverage or patient out of pocket cost. The outage also 
halted transmission of electronic prescriptions and processing of 
manufacturer discount cards. Even as reimbursement stopped flowing to 
pharmacies, pharmacies endeavored to provide appropriate care and 
medication. However, in many cases, prescription dispensing was 
inevitably delayed and patient safety was put in jeopardy. This chaos 
and uncertainty continued for over a month. The full impact of this 
attack is still unfolding as sensitive and confidential personal health 
information for hundreds of millions of Americans may have been 
compromised.

This was a long overdue wake-up call to examine all digital aspects 
that touch pharmacy operations and data and patient information and 
care.

The American Pharmacists Association (APhA), representing pharmacists 
and pharmacy teams in all practice settings, urges policymakers to 
closely examine the cause, along with patient and business impact, 
aftermath, responses, penalties, and legal consequences related to the 
system outages and make the necessary policy changes.

APhA's House of Delegates (HOD), comprised of over 300 delegates from 
state pharmacy associations, APhA membership, recognized national 
pharmacy organizations, and ex-officio groups, met during APhA's 2024 
Annual Meeting & Exposition in Orlando over March 22-25, 2024, to 
debate and adopt policy proposals developed throughout the year. The 
APhA HOD passed the following cybersecurity policy statements.

      APhA advocates for implementation and maintenance of 
cybersecurity systems, safeguards, and response mechanisms to mitigate 
risk and minimize harm or disruption for all pharmacies and related 
parties who manage or access electronic health and business 
information.
      APhA advocates for all pharmacies and related business entities 
responsible for electronic health and business information to have 
cyber liability insurance or an equivalent self-funded plan to protect 
all relevant parties in the event of a cyberattack and data breach.
      APhA advocates for education providers to facilitate, and 
pharmacy personnel to seek out, education and training on cybersecurity 
laws, regulations, and best practices.

APhA recommends the following:

      Map out the pharmacy ecosystem to identify infrastructure 
vulnerabilities. There are numerous critical infrastructure 
vulnerabilities in the pharmacy ecosystem that rely on digital 
technology, where cybersecurity breaches could impact patient safety 
and continuity of care. These range from exchange of medical product 
sales and ordering information, claims adjudication, benefit coverage 
verification, prior authorization, e-prescriptions, reimbursement, Drug 
Supply Chain Security Act data exchange and verification, risk 
evaluation and management strategy compliance, prescription drug 
monitoring programs, controlled substance ordering, management and 
compliance, and more. There should be public processes, perhaps through 
the National Academy of Medicine or HHS, to identify these 
vulnerabilities. Awareness of the critical touch points is important 
to identify what is needed for prevention, detection, and response 
related to cybersecurity.

      Expand accountability for protection of protected health 
information. More and more businesses and providers hold or touch a 
patient's health information. The Health Insurance Portability and 
Accountability Act (HIPAA) establishes the framework and requirements 
for covered entities and certain business associates to safeguard the 
privacy and security of protected health information (PHI). As health 
care business models, technology, and threats have advanced, entities 
that are not subject to HIPAA's requirements may touch, collect, 
manage, or share electronic patient health information, creating gaps 
in accountability for the privacy and security of this information. A 
full analysis of the market participants involved in all corners of 
health care infrastructure must be completed and policymakers must 
include these participants as covered entities that must follow HIPAA's 
requirements in order to expand the reach of accountability and 
responsibility of PHI.

      Increase the penalties for breaches and noncompliance. 
Policymakers need to examine the civil money penalties for 
noncompliance with HIPAA and ensure that they are more appropriately 
aligned with the scope and breadth of breaches to serve as a better 
incentive for compliance. Additionally, in the case of breaches such as 
what happened with Change Healthcare, pharmacies or other impacted 
entities must not be held financially liable for good faith efforts 
undertaken during the outage nor subjected to punitive or exploitative 
actions by pharmacy benefit managers, plans, or impacted patients.

      Clarify breach notification requirements for downstream covered 
entities. HIPAA requires covered entities and their business associates 
to provide notification following a breach that compromises the 
security or privacy of PHI. When PHI that is held by a pharmacy is 
breached as a result of compromise through another covered entity or 
business associate, the pharmacy should not be responsible for 
providing individual breach information. The financial and resource 
burden on pharmacies could be significant. It should be clear that the 
entity that was the root source for the breach (e.g., in the latest 
cyberattack, Change Healthcare) provide the breach notification to all 
affected parties, and not only the pharmacies or other providers.

      Require business continuity/backup systems for entities that 
transmit, hold, or otherwise manage protected health information and 
health care business information. Continuity of patient care is 
critical. If care relies on the transmission of data, then those 
systems must have redundancy and backup plans in place. During the 
recent Change Healthcare outage, there were no backup or redundancy 
plans in place to ensure business continuity. Policymakers should 
require these systems and processes, specifically for any entity that 
transmits essential health care information related to programs that 
rely on federal funding, such as Medicare and Medicaid.

      End vertical integration practices that result in health care 
market consolidation. In the case of Change Healthcare, a serious 
vulnerability was that industry consolidation and vertical integration 
resulted in only a few vendors that own nearly all the market share of 
business for pharmacies and other providers to transact claims. While 
precise data are not publicly available, several sources estimate that 
Relay Health and Change Healthcare together control over 95% of the 
switch aspect in the pharmacy industry. Had an attack simultaneously 
occurred on Relay Health, the consequences to our system could have 
been catastrophic.

     Take-it-or-leave-it contracts by entities that dominate the 
marketplace include provisions that require them to be the sole 
contractor for certain products and services. This locks pharmacies in 
without the ability to switch to a new provider or have a backup plan. 
Change Healthcare also held sole contracts for many pharmaceutical 
manufacturer discount cards and compassionate use programs. This meant 
that not only was the cyberattack disruptive on our system, but it also 
negatively impacted individuals in our society with health disparities 
who are particularly vulnerable.

      Incentivize minimum standards for cybersecurity. A balance of 
voluntary and required minimum standards for enhancing cybersecurity 
protections by health care entities that touch or hold health care data 
should be implemented. Incentives are needed to ensure implementation, 
such as public funding, tax credits, or discounts for publicly 
available measures and solutions. The government should partner with 
nonprofit organizations, such as APhA, to create a checklist of 
measures and efforts to minimize and mitigate exposure to cybersecurity 
breaches and implement these minimum standards as well as educate the 
pharmacy community.

     This may include identifying minimum standards and language for 
model contracts within the pharmacy ecosystem for protection and 
response of cybersecurity breaches such as:

            Cyber-insurance coverage
            Plans for incident response, business 
        continuity, and disaster recovery
            Vendor management policies
            Compliance documentation
            Protocols for authentication and access 
        control, data transmission confidentiality, encryption, 
        vulnerability management, audits, security, training, and use 
        and collection of personal information

      Establish a federal cyber-insurance program. Having adequate 
cyber-insurance is a best practice as recovery following a cyber security 
breach can be expensive. The pharmacy community's economic environment 
is currently in a dire situation and it is difficult for pharmacies to 
afford to maintain adequate cyber-insurance coverage in the case of 
breach. Given the importance of strong and reliable public health 
infrastructure, a federal cyber-insurance program should be established 
that offers affordable cybersecurity coverage to ensure that pharmacy 
doors can remain open to provide patient care.

      Consider and appropriately fund cybersecurity within emergency 
preparedness and response procedures and practices across the country. 
HHS's Administration for Strategic Preparedness and Response includes 
cybersecurity within its public health preparedness, response, and 
recovery portfolio, and works with the public and private sector on 
securing public health infrastructure. However, cybersecurity needs to 
be considered a national priority and addressed at the local and state 
levels by providing appropriate resources and funding to bolster public 
health cybersecurity preparedness and response plans across the 
country. This should include tabletop training exercises with health 
care organizations, including pharmacy, to help the pharmacy community 
in its preparedness and response.

APhA stands ready to work with policymakers to discuss lessons learned 
from the Change Healthcare cyberattack, and what's needed to implement 
these recommendations for prevention, mitigation, emergency 
preparedness and response, and penalties to ensure this does not happen 
again. APhA believes that continuity of patient care is paramount and 
cannot be jeopardized or compromised again. Please contact Doug Huynh, 
JD, APhA Director of Congressional Affairs, at [email protected] if 
you have any additional questions or additional information.

                                 ______
                                 
                        American Senior Alliance

                        225 Peachtree Street, NE

                        Suite 1430, South Tower

                           Atlanta, GA 30303

                https://www.americansenioralliance.com/

We are very concerned about the control that massive insurance 
companies have over American patients and their access to healthcare. 
We drafted an Op Ed that was published recently highlighting many of 
our concerns (see below).

Policymakers Can Address Healthcare Companies' Dominance

After a massive cyberattack against healthcare giant UnitedHealth Group 
(UHG) last February that compromised the healthcare information of a 
``substantial proportion of Americans,'' I am concerned about the 
massive size and control of large health insurance companies over 
American patients and their access to healthcare.

The healthcare giant UHG made $8.5 billion in the first quarter of 2024 
alone, and $370 billion in revenue in 2023. UHG owns the largest 
private health insurer in the world, UnitedHealth, as well as primary 
and secondary care provider services through OptumHealth, pharmacy 
services through OptumRx, and data analytics and technology through 
OptumInsight.

Similarly, two other healthcare giants have unilateral control over 
nearly all aspects of healthcare and patient access. CVS Health, which 
made more than $350 billion in revenue in 2023, owns health insurance 
company Aetna; pharmacy services through CVS Pharmacy and CVS Caremark, 
and primary and secondary care provider services through Oak Street 
Health and MinuteClinic. Health insurance company Cigna, which made 
almost $200 billion in revenue in 2023, also owns pharmacy services 
through Express Scripts.

The largest area of growth and dominance for these companies is their 
control over the pharmacy benefit manager (PBM) market, with OptumRx, 
CVS Caremark, and Express Scripts dominating 80% of the PBM market. For 
example, in the first quarter of 2014, OptumRx made $11.2 billion in 
revenue. In the first quarter of 2024, they made $61.1 billion in 
revenue, an increase of more than 445%. PBMs control what prescriptions 
are available to patients, how much they cost, and where patients can 
get them.

Healthcare giants are reaping these enormous profits all while 
Louisiana's patients are struggling to afford basic healthcare 
services. Louisiana ranks dead last in health care compared to the rest 
of the U.S., and more than 65% of Louisianans experience healthcare 
affordability burdens. Thirty-five percent of Louisianans cite ``high 
costs'' as the reason for not having health insurance, and 36% report 
cutting pills in half, skipping doses, or not filling prescriptions.

As health insurance premiums continue to rise and PBMs continue to 
control access to prescriptions, it is time for policymakers to step in 
and hold these healthcare giants accountable.

I would like to thank Louisiana Senator Bill Cassidy for his leadership 
on patient access issues like the 340B Drug Pricing Program and working 
towards reforming these large pharmacy benefit managers. As a 
physician, Sen. Cassidy understands the sanctity of the doctor-patient 
relationship and the need to protect that relationship. I encourage 
Senator Cassidy to continue to advocate for patients through his reform 
efforts, and raise these concerns to UHG's CEO Andrew Witty, as well as 
other leaders of these large corporations. It's time to put the patient 
at the forefront of policy efforts.

Conwell Hooper
Executive Director

                                 ______
                                 
                 American Society of Anesthesiologists

                     905 16th Street, NW, Suite 400

                          Washington, DC 20006

                             (202) 289-2222

April 30, 2024

The Honorable Ron Wyden
Chairman
U.S. Senate
Committee on Finance
219 Dirksen Senate Office Building
Washington, DC 20510

The Honorable Mike Crapo
Ranking Member
U.S. Senate
Committee on Finance
219 Dirksen Senate Office Building
Washington, DC 20510

Dear Chairman Wyden and Ranking Member Crapo:

The American Society of Anesthesiologists (ASA) writes to express our 
concerns about the impacts of the cyberattack on Change Healthcare 
(CHC), part of UnitedHealth Group (UHG). Our recommendations are meant 
to prevent similar incidents and disruptions in the future as well as 
ensure physicians have the needed resources available to avoid care 
disruptions. Due to CHC's size and market share, this cyberattack 
affected the entire healthcare ecosystem, challenging the financial 
solvency of our members, their practice groups, and the facilities 
where they work.

Impact to our Members

In March 2024, ASA conducted a voluntary survey of members affected by 
the CHC cybersecurity attack. Many anesthesiology practices experienced 
a near complete halt to electronic transactions and revenue cycle 
processes. Almost half of respondents (46%) saw revenue drop by more 
than 75% from the same time in the previous year. The complete shutdown 
of this large-scale health IT company integral to revenue cycle 
management for many anesthesia groups meant anesthesiologists and other 
physicians needed to take drastic action to remain solvent. Anesthesia 
groups took out lines of credit, cut back or deferred compensation to 
their employees, and delayed or canceled procedures. Even those groups 
that were able to pivot to alternative vendors noted significant time 
and resources devoted to rebuilding their claim submission and payment 
processes.

Other negative consequences experienced by anesthesiologists include:

      Taking out loans to cover immediate financial needs, such as 
payroll;
      Expending significant resources and additional costs to switch 
clearinghouses, billing companies, or technology vendors;
      Changing administrative practices such as submitting paper 
claims;
      Receiving limited or no electronic remittance advice from health 
plans;
      Assessing their liability, if any, in this cybersecurity attack.

Disruptions to cash flows at the start of the year can be practice-
threatening for anesthesiologists. As you are aware, physicians already 
face significant shortfalls due to the broken nature of the Medicare 
physician fee schedule. Even with Congressional action, 
anesthesiologists are facing a greater than 1.66% reduction in 2024 
Medicare payments compared to last year. Consequently, unexpected 
disruptions to claims processing and cash flow can have immediate and 
significant outcomes.

UHG's recommended workarounds to physicians and practices experiencing 
these issues were to use another clearinghouse for electronic 
transactions or submit manually via each separate payor's online 
portal. Setting up electronic transactions with a clearinghouse is not 
a quick and straightforward process. Physicians or their staff must 
complete paperwork, change their electronic health records and billing 
system set-up, send test files, and wait for the clearinghouse to 
confirm the connection before claims can be submitted. Furthermore, 
given the size and scope of this incident, some practices needed to 
change operations for almost all their claims.

Although the public focus has mainly been on claims payments, an 
equally challenging issue has been the ability to post payments and 
check for insurance eligibility. This will lead to a long tail of 
challenges and has potential implications for other programs such as 
the federal independent dispute resolution process related to surprise 
medical bills. We also face future uncertainty, such as whether our 
members' cybersecurity or other technology-related insurance costs will 
increase in future years because of a heightened concern and past 
experiences with cyber incidents.

 Solutions to Remedy Negative Impacts on Physicians and Ensure Future 
                    Protections

ASA continues to be disappointed with the CHC and UHG response. Despite 
its resources, CHC and UHG did not communicate with anesthesia groups 
sufficiently early or consistently once the cyberattack was discovered. 
Our members are still concerned about poor communication from CHC and 
UHG related to mitigating any data exposure or HIPAA violations. As 
time passed, CHC and UHG extended little direct assistance to impacted 
physicians, offering individual groups a fraction of funding needed to 
maintain basic operations, and not nearly enough to cover the claims 
that could not be processed because of the attack. We are concerned 
that CHC and UHG have not transparently communicated the steps they 
will take to address the concerns of our members or provide information 
to guard against future incidents.

Given CHC's limited relief, the government itself, through its Medicare 
advanced and accelerated payments, stepped in to provide some support 
to physicians and practices. Our members were frustrated to see 
Medicare needing to lead on this issue and cover for the poor 
performance of a major private healthcare IT vendor. We appreciated CMS 
stepping up where private payers did not, but their efforts were 
limited to Medicare claims and not the entirety of claims impacted by 
the cyberattack.

CHC and UHG should have done more to support physician practices during 
this difficult time and ensured that our nation's health care system 
was better protected. We strongly urge CHC, UHG, and Congress to take 
the following steps:

    1.  Increase Financial Assistance for Physician Practices: There 
must be sufficient relief provided to physicians to address the past 
and ongoing fiscal impact of this breach. At a minimum, CHC and UHG 
should provide interest on delayed payments to physicians. Other 
recommendations include:

            In the case of a cyber incident, entities 
        should be required to provide relief to all impacted providers 
        regardless of whether they have exhausted other connection 
        options.
            Financial assistance programs should not 
        require onerous terms, requirements, or limitations on impacted 
        customers.
            Relief should continue to flow for up to 1 year 
        after CHC or other entity operations return to normal.

    2.  Limit Administrative Burden and Disruption for Providers: More 
than 2 weeks after the ransomware attack, CHC and UHG finally provided 
a timeline for when they would restore services but failed to consider 
the administrative burden of their efforts.

            Insurance plans should suspend other 
        administratively burdensome activities, such as prior 
        authorization and documentation requests during such incidents 
        to preserve needed care resources.
            Insurance plans and other payers should also 
        extend the deadline for submitting claims to a full year to 
        ensure that disruptions can be addressed and remedied.
            Congress should compel public and private 
        health insurers to accept medical claims and medical claim 
        denial appeals for up to 1 year after the date of service.
            Congress should require public and private 
        health insurers to provide data on rates of claims denials for 
        claims rejected because of timeliness.

    3.  Address Privacy Implications for Patients & Others: CHC and UHG 
said personally identifiable health information, eligibility and claims 
information, and financial information are likely compromised. CHC and 
UHG should make assurances to individuals and providers to ensure there 
are no further breaches of their information and be solely accountable 
for any potential privacy and confidentiality actions both at the 
federal and state level. CHC and UHG should communicate with individual 
groups on their efforts to mitigate the effects of the data breach and 
protect patient data.

    4.  Outline Future Improvements: While CHC has provided information 
on the incident, the full impact and resolution of the cyberattack 
remain unclear.

            CHC and UHG should provide transparency into 
        specifics of the initial attack to help inform other health 
        care entities on how to guard against future events and should 
        share information on their investigation and recovery 
        processes.
            UHG and other clearinghouses should be required 
        to have in place triage and backup plans in the case of an 
        incident, including financial support to their customers if 
        claims processing is impacted.

ASA urges Congress and the Administration to scrutinize UHG and CHC and 
their operations to determine whether these entities have now become 
``too big to fail.'' Because of this event involving one health 
information technology company, ASA's members experienced a significant 
stoppage in the processing of medical claims for nearly 2 months, a 
lack of communication and accountability from CHC and UHG, and no 
contingency plans for continuing operations after a cyberattack. The 
fact that CMS needed to step in to provide financial support to 
practices affected by this cyberattack further illustrates the lack of 
accountability from CHC and UHG. Congress must ensure that such 
disruptions to one private health IT company do not bring a significant 
part of the healthcare sector to a standstill.

Our members are proud to have maintained patients' access to high-
quality anesthesia care during this continuing disruption. We are eager 
to work with Congress to ensure anesthesiology practices can continue 
operating effectively while also guarding against future attempts to 
attack our nation's healthcare system.

Please contact Manuel Bonilla, ASA Chief Advocacy Officer 
([email protected]), or Nora Matus, ASA Director of Congressional and 
Political Affairs (n.matus@asahq.org), for any questions or further 
information on our feedback.

Sincerely,

Ronald Harter, M.D., FASA
President

                                 ______
                                 
           Statement Submitted by Alejandro Badia, M.D., FACS

Considering the recent Senate Committee hearing on the Change 
Healthcare cyber-attack, it's evident that our healthcare system is 
riddled with critical flaws. The assault not only compromised the 
personal data of millions but also unveiled deficiencies in health 
insurance, clinician support, and national oversight. As a practicing 
orthopedic surgeon and healthcare advocate, I am alarmed and cautiously 
optimistic about what's next.

Despite the current political polarization, constructive dialogue 
remains paramount, particularly concerning healthcare reform. 
Witnessing bipartisan cooperation during the hearing underscores the 
necessity of bridging ideological chasms to address systemic healthcare 
issues. My interactions with esteemed guests on my podcast ``Fixing 
Healthcare from the Trenches'' reaffirm this belief. Congressmen Greg 
Murphy, Tom Price, and Senator Bill Cassidy, all surgeons, united in 
their commitment to enhancing healthcare access and affordability.

These political figures possess firsthand insight into our healthcare 
challenges. Like the hearings on the cyber-attack, our discussions 
spanned a spectrum of topics, from prior authorization protocols to 
Medicare sustainability, reflecting the multifaceted nature of 
healthcare reform. Informed decision-making requires not only medical 
expertise but also public engagement. Healthcare reform necessitates 
transcending political barriers to forge inclusive, sustainable 
solutions. By fostering bipartisan discourse, we can address the root 
causes of our healthcare crisis and chart a course toward a more 
equitable and resilient system. As we move forward, let us prioritize 
collaboration and empathy, ensuring that every voice is heard in 
shaping the future of American healthcare.

I affirm my commitment to moving the conversation on healthcare reform 
forward and helping where possible.

Alejandro Badia, M.D.

The podcasts can be viewed at:

Greg Murphy--https://drbadia.com/podcast/?playlist=ad8277c&video=31687c4

Bill Cassidy--https://drbadia.com/podcast/?playlist=ad8277c&video=b0aa3b9

Tom Price--https://drbadia.com/podcast/?playlist=ad8277c&video=33d0410

Bio and Background

Dr. Alejandro Badia, M.D., FACS is a hand and upper extremity 
orthopedic surgeon treating orthopedic problems of the hand & wrist, 
arm & forearm, elbow, and shoulder, at Badia Hand to Shoulder Center in 
Miami, Florida and in New York City. He previously served as chief of 
hand surgery at Baptist Hospital of Miami.

Dr. Badia founded OrthoNOW, a network of orthopedic walk-in 
centers, and authored the book, ``Healthcare from the Trenches'' during 
the lockdown of 2020. He hosts a popular podcast ``Fixing Healthcare 
From the Trenches'' which invites healthcare and other leaders to 
discuss challenges and potential solutions for the U.S. healthcare 
system.

                                 ______
                                 
                        Clarity Counseling, LLC

                     3220 W 57th Street, Suite 100A

                         Sioux Falls, SD 57108

                                                       May 10, 2024

Regarding: Hacking America's Health Care: Assessing the Change 
Healthcare Cyber Attack and What's Next, May 1, 2024.

Dear Senator Thune,

This letter is being sent regarding the recent Change Healthcare Cyber 
Attack. My name is Brandy Bunkers, and I am a 43-year-old, married, 
mother of two and have been in private independent practice as a 
clinical social worker for the last 8 years. This most recent challenge 
with Change Healthcare has been one filled with loads of uncertainty 
not only for my own practice but also many other health care providers 
in South Dakota.

When operating as a solo practitioner my top priority is serving 
clients and their families. I also work as the only administrator, 
marketing officer, financial record keeper and business operations for 
Clarity Counseling, LLC. With an ever-increasing need for mental health 
services, I am always busy. I must rely on technology not only for 
efficiency but also as an industry standard of practice. With income 
stopping after the Change Healthcare issue in February--I have just 
recently started to receive payments again in April. Thankfully, I had 
savings that were able to support my business and family needs during 
this time, but I do not know many other professions outside of 
healthcare who would keep showing up to work with no pay! I have talked 
with colleagues who have had to take out a line of credit to make sure 
they can pay bills and keep their door open.

Protection for healthcare providers is critical. In a system where 
rates of services are dictated by a few large groups (who often also 
control the entities needed to be paid), it limits providers' ability 
to provide care. As an independent provider I see 25-30 clients a week 
and have limited time to navigate the multiple health insurance plans 
and their individual regulations and policies. Insurance claims are 
difficult at best and overwhelming and intimidating at times; this 
should not be the standard.

Health care service (tech) companies like Change Healthcare and others 
need to have a plan of action for when these types of situations happen 
again. The companies need to have more transparency to providers.

Thank you for your time and continued work to support the people of our 
state.

Brandy Bunkers, CSW-PIP

                                 ______
                                 
        College of Healthcare Information Management Executives

                  455 E. Eisenhower Parkway, Suite 300

                          Ann Arbor, MI 48108

The College of Healthcare Information Management Executives (CHIME) 
appreciates the opportunity to submit the following Statement for the 
Record to the Senate Finance Committee as a part of the hearing titled 
``Hacking America's Health Care: Assessing the Change Healthcare Cyber 
Attack and What's Next.''

CHIME is an executive organization dedicated to serving over 5,000 
chief information officers (CIOs) and other senior healthcare IT 
leaders in diverse healthcare settings nationwide, as well as 
worldwide. Our members represent provider organizations of varying 
sizes, including large hospital systems, community hospitals, for-
profit hospitals, small or rural hospitals, long-term care facilities, 
and critical access hospitals. CHIME members are among the nation's 
foremost health IT experts, including on the topics of cybersecurity, 
privacy and security.

We are grateful to the Senate Finance Committee for holding this 
hearing to address the unprecedented cyberattack on Change Healthcare, 
a unit of UnitedHealth Group (UHG), given the impact to our members and 
the broader Healthcare and Public Health (HPH) Sector. In our statement 
for the record, we provide an overview of the healthcare cybersecurity 
landscape, the impact of the Change Healthcare cyber-attack including 
insights from a small survey, as well as a summary of policy 
recommendations for the Committee to consider.

Overview of Healthcare Cybersecurity Landscape

Hostile nation states have grown increasingly aggressive with their 
tactics, attacking hospitals and other healthcare stakeholders daily. 
This poses an imminent risk to our national defense. Bringing down a 
hospital or multiple healthcare delivery organizations (HDOs) at once 
is a risk for the nation and it shakes the confidence and trust of 
everyday Americans which is precisely what hostile nation states 
intend. They are looking to exact both physical, financial, and 
psychological harm.

Healthcare data and patient information remain lucrative targets for 
theft and exploitation, particularly through ransomware attacks. 
Criminal groups and adversarial nation states utilize tactics, 
techniques and procedures across our Sector--including large, publicly 
traded companies with far greater resources than most U.S. hospitals 
and health systems.

The costs to recover from a data breach in the HPH Sector are 
staggering--averaging $10 million per incident, which is far higher 
than any other sector. As a comparison, the costs for a financial 
entity to recover from a breach are estimated to be $6 million.\1\ The 
fallout after an attack has also been shown to impact patient care--one 
report found that nearly a quarter of organizations suffering a cyber 
breach experience higher patient mortality rates.\2\ In short, 
cybersecurity is now also patient safety.
---------------------------------------------------------------------------
    \1\ Cybersecurity attacks cost healthcare systems more than any 
other sector, new report finds, Modern Healthcare, 
https://www.modernhealthcare.com/cybersecurity/ibm-report-finds-cybersecurity-attacks-impact-healthcare-more-any-other-sector.
    \2\ https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf.

Our members are committed to adopting cybersecurity best practices and 
take their responsibility to protect not only the privacy and security 
of patient data and devices networked to their system--but critically--
their patients' overall safety and well-being very seriously. 
Currently, hospitals are forced to balance the challenges of the high 
cost of cyber insurance, near-constant cyberattack attempts, the 
inherent risks to their patients, the weaponization of artificial 
intelligence (AI), and the current workforce shortage needed to 
mitigate all these risks. They are doing their best to navigate an ever 
increasingly complex cybersecurity landscape, a job that has become 
infinitely more complicated with managing third-party risk as vendor/
supporting parties are unwilling to sign Health Insurance Portability 
and Accountability (HIPAA) business associate agreements (BAAs), and/or 
are resisting acceptance of appropriate levels of liability that 
recognize the great amounts of protected health information (PHI) they 
maintain/process. Hospitals nonetheless undertake and devote 
significant resources to securing their systems because they are truly 
committed to the health, well-being, and safety of patients in the 
communities they serve.

Like nearly all organizations in the United States, hospitals and HDOs 
must care--to some degree--about their ability to generate positive net 
revenue in order to keep their doors open. However, they are unlike 
other organizations in that their first and most important mission is 
to care for their patients. Hospitals and healthcare systems are not 
only critical to the communities in which they serve, they are also 
often the largest employers.

We must continue to move away from a mentality that punishes those that 
have been victimized by malicious actors and criminals. Cybersecurity 
is a shared responsibility across the community of hospitals and health 
care systems--as well as supporting third-party vendors and affiliated 
continuum of care providers; however, without additional assistance, 
the Sector is limited in what we can do.

Impact of Change Healthcare Cyber Incident

On February 21, 2024, Change Healthcare discovered a threat actor 
gained access to one of their environments. A Russia-affiliated 
ransomware group known as ALPHV/BlackCat claimed responsibility. This 
is the most massive cyberattack on our sector to date--much larger than 
the WannaCry event experienced several years ago--and it wreaked 
unprecedented havoc on the entire healthcare ecosystem given the data 
clearinghouse and transaction hub role that Change provides at national 
scale. The interruption to patient care as well as the financial impact 
on our members has been devastating. This incident has been likened to 
the ``Colonial Pipeline'' of healthcare, highlighting the scale of 
Change Healthcare's impact with 15 billion healthcare transactions 
processed annually and touching one in three patient records.\3\
---------------------------------------------------------------------------
    \3\ Letter to Health Care Leaders on Cyberattack on Change 
Healthcare, 
https://www.hhs.gov/about/news/2024/03/10/letter-to-health-care-leaders-on-cyberattack-on-change-healthcare.html.

Following the attack, there was a dearth of information and our members 
found themselves in the dark navigating an extremely complex and far-
reaching attack with few answers, and few options for continuing 
operations. The lack of answers hampered recovery efforts. Many of our 
members were not invited and/or were unaware of the weekly calls hosted 
by UHG sharing updates on mitigation efforts. Indicators of compromise 
(IOCs) were not widely shared immediately, third-party attestations as 
to which systems were ``safe'' to reconnect to were not immediately 
available, questions regarding what data was exfiltrated by the 
criminals has yet to be fully known, and a list of payers with direct 
connections to Change was only made available several weeks after the 
cyber incident occurred. From the very beginning there was significant 
confusion about where to turn for help and our members found themselves 
struggling to navigate the most significant cyber incident to hit our 
sector.

Recognizing the need for greater transparency and assistance, CHIME 
reached out to the U.S. Department of Health & Human Services (HHS), 
the Centers for Medicare & Medicaid Services (CMS), the Administration 
for Strategic Preparedness and Response (ASPR), and colleagues at other 
provider organizations to navigate this incident, establish workarounds 
and stem the spread of this attack. On March 1st we shared several 
examples of the impact on patient care, providers, and other 
stakeholders with the Administration. These included patients being 
unable to get their prescriptions filled, being forced to pay out-of-
pocket prices, patients with complex conditions and costly medications 
like chemotherapy therapy treatments searching for a way to pay for 
their medications, and the inability of patients to use medication 
coupons.

Once the magnitude of the attack became clear, the impacts to cash flow 
were severe and many providers still have not completely recovered. The 
cash flow impact has been especially pronounced for small and under-
resourced providers. Many of our members have had to divert staff 
resources to implement workarounds needed to continue business 
operations and receive reimbursement.

HHS acts as the Sector Risk Management Agency (SRMA) for cybersecurity 
incidents pursuant to Section 9002 of the National Defense 
Authorization Act of 2021. On March 5th, HHS issued a press statement 
acknowledging the incident, 2 weeks following the attack. This is in 
stark contrast to the way HHS handled the WannaCry attack in 2017 when 
calls to share details began nearly immediately by the Administration 
to impacted stakeholders. Without a clear sense of where to turn, 
recovery efforts from the inception of this attack were hampered.

In an effort to assist our members, CHIME submitted a letter to HHS 
Secretary Xavier Becerra on March 26th outlining some of our members' 
continued concerns, including the insufficient level of detail shared 
by UHG and requesting more outreach to providers.

The Change Healthcare attack has laid bare how interconnected our 
healthcare system is and the only way to defeat the enemy is to work 
together. This sentiment is shared by former National Cyber Director 
Chris Inglis who has said, ``we have to establish this critical 
infrastructure partnership construct (i.e., The Health Sector 
Coordinating Council) in such a way that you have to beat all of us to 
beat one of us.''\4\ In a recent Congressional briefing we hosted, our 
members shared similar thoughts.\5\ It has also highlighted the impact 
of vertical integration of our sector which continues to spawn large 
mergers and acquisitions.
---------------------------------------------------------------------------
    \4\ A Conversation with Chris Inglis and Anne Neuberger, 
https://www.csis.org/analysis/conversation-chris-inglis-and-anne-neuberger-0.
    \5\ https://assets.ctfassets.net/opszt4tga0mx/2RT3Cv7uP2MlOvbjmbOP1W/851b8f50c9c332a299ccfef485276b46/Key-Takeaways-on-Cyber-Briefing-FINAL__1_.pdf.
---------------------------------------------------------------------------

Survey Results

In preparation for a hearing in front of the House Energy and Commerce 
Health Subcommittee on April 16th, CHIME polled our membership in a 
small survey to better understand the ongoing impact of the Change 
Healthcare cyberattack. The results are disheartening even for those of 
us who have been active in the cybersecurity landscape for years, and 
with healthcare being under constant threat.

Please note that these responses are from April 10th-12th, and may not 
be indicative of the current situation but were illustrative of the 
challenges providers faced several weeks following this incident:

When asked, ``Have you opened up/connected back to any Change 
Healthcare services yet?,'' 54 percent of members surveyed had 
reconnected to some Change Healthcare services, 21 percent have not 
reconnected any services, 13 percent had reconnected to all services, 
and 12 percent did not have any directly connected services.

When assessing the priority areas for federal support needed to improve 
healthcare providers' cyber posture, our survey results highlight a 
diverse range of critical areas. The question was: ``If the federal 
government were to offer support to healthcare providers to improve 
their cyber posture--which areas would be priorities (or most 
impactful) for you/your organization?'' Respondents could only select 
their top 3 from the 12 options.

    1.  Mandating Payers and Third-Parties Compliance:
              50 percent of respondents emphasized the need to enforce 
        cyber best practices across payers and other third-parties 
        (e.g., Cloud Service Providers), aligning with the 
        aforementioned 405(d) Program.
    2.  Financial Assistance and Incentives:
              46 percent recognized the significance of financial 
        support in the form of incentives or other payments to bolster 
        cybersecurity efforts.
    3.  Emergency Designation and Safe Harbors for Threat Information 
        Sharing:
              38 percent advocated for designating major cyber 
        incidents in healthcare as a national emergency, thereby 
        unlocking additional federal resources.
              Simultaneously, 37 percent sought additional ``safe 
        harbors'' for sharing threat information during cyber incidents 
        and a catastrophic federal cyber insurance program/offering.

Furthermore, 23 percent of members expressed interest in the Office for 
Civil Rights (OCR) offering relief/alternatives related to breach 
notification requirements. These findings underscore the multifaceted 
approach needed to safeguard the healthcare ecosystem against cyber 
threats.

In assessing the impact of the Change cyber incident on patient care, 
the survey results reveal a nuanced yet concerning picture. We asked 
our members, ``On a scale of 1-5, how much of an impact did the Change 
cyber incident have on any patient care?''

          40 percent of respondents reported a somewhat impacted 
        effect.
          25 percent indicated a moderate impact.
          15 percent stated a very significant impact.
          Fortunately, 13 percent claimed no impact.
          A smaller, but notable 5 percent faced an extremely 
        impactful situation to patient care.

These responses underscore the complex consequences of the incident, 
ranging from minor disruptions to critical delays and impact on patient 
care. Because patient care is at the heart of each of our members' core 
mission, even one member reporting that this incident impacted patient 
care is unacceptable.

The responses also are reflective of the core nature of healthcare. 
Care delivery and business continuity strategies are already in place 
to address unplanned downtimes, as manual processes are relied upon to 
ensure delivery of quality patient care during a technology disruption. 
While care will be the primary focus, the operational ability to 
determine eligibility, schedule procedures, deliver medications, submit 
claims, and receive payments is what is hampering and financially 
impacting the industry.

In response to our query regarding the mandatory implementation of the 
20 HHS Cybersecurity Performance Goals (HHS-CPGs) and our members' 
ability to comply without federal financial assistance, our survey 
results revealed that 40 percent are unsure (i.e., selected ``Maybe''), 
33 percent said that they would be able to, and 27 percent said 
candidly and firmly, ``No.'' These diverse viewpoints underscore the 
complexity of achieving compliance with the CPGs without federal 
financial assistance. We respectfully request that Congress navigate 
these policies carefully, with hospitals, health systems, clinics, and 
practices--to enhance their cybersecurity posture and safeguard patient 
care and patient data.

The Change Healthcare cyber incident has had far-reaching and severe 
consequences for hospitals and health care systems. CHIME's member 
survey results demonstrate that a substantial majority of members--85 
percent--experienced detrimental impacts on their claims, while 81 
percent suffered setbacks in reimbursement. Additionally, 75 percent 
grappled with disruptions to their revenue cycle, and 71 percent 
encountered issues with claims submission (either all or partial).

The repercussions extended to pharmacy services, affecting 58 percent 
of respondents, and prior authorization services, impacting 52 percent. 
Even the service option with the least impact, care management, still 
affected 15 percent of our members. Beyond these core services, other 
critical functions such as pharmacy coupon services, denial of claims, 
interoperability, and radiology image sharing were also adversely 
affected.

As part of our survey, we were also able to capture first-hand 
testimonials from providers describing their experiences and 
recommendations:

      ``The preparation of healthcare providers is only as good as the 
connections they have to others. That may be vendors, other providers, 
other healthcare related entities. If there is a weak link in the 
chain, then we are all at risk and need to know how to plan together as 
a whole.''
      ``I would also recommend minimum cyber standards for ALL third-
party providers providing ANY services to healthcare. This includes 
business applications and clinical (EMR, medical devices, etc.) We are 
defining the scope of `healthcare' too narrowly causing holes in our 
defenses--leading to events like Change Healthcare.''
      ``Change Healthcare is a large entity and we're still impacted. 
Small rural hospitals do not stand a chance against threat actors 
because of financial reasons.''
      ``We don't have the resources or funds to meet all the cyber 
demands. Labor costs and supply chain issues along with inflation are 
preventing our recovery to pre-pandemic revenues. But even then, there 
were minimal dollars we could spend as a small to medium sized 
hospital.''

Patient safety in the healthcare sector means not just ensuring access 
to care but ensuring that patient safety is not jeopardized. This lack 
of transparency in the days and weeks following this incident hindered 
our collective recovery efforts, made it more costly, lengthier, and 
diverted precious provider resources away from other critical 
functions. It has also continued to cause downstream impacts such as 
larger payors and/or clearinghouses either not reconnecting or being 
slow to do so thus keeping critical funding away from the HDOs and 
providers that need it the most.

Cybersecurity must be a joint responsibility across stakeholders 
throughout the entire ecosystem of healthcare--not simply a subset. 
Otherwise, it inadvertently shifts more burden onto providers, many of 
which are already severely strained, understaffed, and under-resourced 
all while providing quality patient care. In the ongoing battle against 
cyber threats, we cannot over-emphasize the need for a united and 
concerted front, recognizing that cybersecurity is a shared 
responsibility.

While providers may not be able to completely avoid every cybersecurity 
incident--especially when they are not the ones directly experiencing 
the attack--steps taken to decrease the timeline between the discovery 
of the threat and mitigation of the threat are critically essential to 
increasing patient safety and restoring healthy operations. The 
healthcare adage ``time is brain'' applies here as well, recognizing 
that more timely, quicker care results in better outcomes. The 
technology parallel is ``time is containment'' with the result being 
reduced impact to operations and better operational and financial 
outcomes.

Summary of Policy Recommendations

Below, you will find a comprehensive summary of our policy 
recommendations, designed to address the challenges discussed and to 
guide future legislative action in Congress.

General Funding

With the healthcare sector only as strong as its weakest link, it is 
imperative that the federal government prioritize programs designated 
to aid small and under-resourced HDOs protect themselves against, 
detect, respond to, or recover from cybersecurity threats. These 
programs can be successful by providing funding or technical assistance 
to help eligible HDOs adopt recognized cybersecurity practices--such as 
the 405(d) Program, recognized by Congress in Pub. L. 116-321--to 
replace legacy systems and devices, conduct security risk assessments, 
generate corrective action plans for mitigating identified risks, or 
hire staff.\6\
---------------------------------------------------------------------------
    \6\ 405(d): Cornerstone Publications, 
https://405d.hhs.gov/cornerstone/hicp.
---------------------------------------------------------------------------

Funding to Implement Cyber Performance Goals (CPGs)

CHIME is supportive \7\ of minimum standards for cybersecurity best 
practices. We support bringing a more coordinated, standardized, and 
focused approach to how the HPH Sector approaches cybersecurity. The 
HHS Cyber Performance Goals (CPGs) were an appreciated, proactive step 
which underscored the collective responsibility to better ensure the 
resilience of our sector. These are predicated on the best practices 
co-developed between industry and the federal government pursuant to 
Section 405(d) of the Cybersecurity Act of 2015.\8\ We believe this is 
a reasonable approach that can help providers improve their 
cybersecurity posture and resilience.
---------------------------------------------------------------------------
    \7\ https://chimecentral.org/content/chime-supports-hhs-release-of-cybersecurity-performance-goals-to-safeguard.
    \8\ https://www.nist.gov/system/files/documents/2018/10/18/hhs_fact_sheet_-_csa_405d_cleared.pdf.

We respectfully request that this Subcommittee be cognizant that 
implementing such measures will take time and resources, especially 
impacting small, medium, and under-resourced providers, and those who 
were not eligible for electronic health record (EHR) funds, including 
post-acute and long-term care providers. CHIME will continue to 
strongly advocate for the need for financial support to ensure that no 
one is left behind. An investment in cybersecurity for the healthcare 
sector will be an investment not just in patient safety but also 
national security.

HHS's Budget in Brief for Fiscal Year 2025 has requested $1.3 billion 
in funding to support cyber incentives. While we appreciate their 
request for funding, we have several concerns. First, we disagree with 
funding the incentives by tapping into the Medicare Hospital Insurance 
Trust Fund. Second, we worry that the approach for penalties diminishes 
rather than supports hospitals' ability to invest in cybersecurity. The 
proposal calls for removing 100% of a hospital's market basket and 
imposing up to a 1 percent cut to a hospital's base Medicare 
reimbursement. Given that the operating payment rates for general acute 
care hospitals paid by Medicare typically increase by around 2.6 
percent annually, a 100 percent cut to the market basket would 
effectively negate this increase, leaving hospitals with no additional 
funding to address their growing expenses. This could lead to financial 
strain for hospitals and potentially impact patient care quality and 
access to services. When faced with budget constraints due to stagnant 
payment rates, hospitals may need to reprioritize their spending, 
potentially deprioritizing investments in cybersecurity to allocate 
resources to more immediate operational needs.

Safe Harbors for Threat Information Sharing

Our members have repeatedly reflected how helpful having certain safe 
harbors would be. Specifically, they have requested that there be 
protections pertaining to information sharing. There is tremendous fear 
around information sharing related to when an entity experiences a 
cyber incident. Far too often the walls go up and organizations are 
forced to go into a protectionist mode given the significant liability 
repercussions associated with a data breach. If safe harbors were 
enacted to shelter organizations experiencing a cyber incident and 
encourage sharing details of the attack, our entire sector would 
benefit from the ``time is brain'' approach. It would move the attack 
victim from a position of isolation to one where they can freely share 
threat information for the common good; that will help us all ensure 
the threat is best contained, managed, and mitigated in timely fashion.

While the Cybersecurity Act of 2015 affords some information sharing, 
it does not sufficiently remove all the barriers. Stemming from this 
law, the Department of Homeland Security (DHS) issued guidance that 
permits threat sharing. However, it limits sharing to the Cybersecurity 
and Infrastructure Security Agency (CISA), other federal entities, and 
Information Sharing and Analysis Centers (ISACs) or Information Sharing 
and Analysis Organizations (ISAOs) and does not entirely inoculate 
entities from sharing timely critical information about specific 
threats more widely. For example, we are aware of instances when a 
hospital experienced a cyberattack and the neighboring hospitals were 
not made aware because of the liability ramifications. Far too often 
organizations are counseled early on by their attorneys that they are 
not permitted to share details of their incident as doing so would open 
them to significant legal and regulatory risk.

Congress passed the Cyber Incident Reporting for Critical 
Infrastructure Act of 2022 (CIRCIA) which dictates rapid information 
sharing by providers and others who experience a substantial cyber 
incident to the Cybersecurity & Infrastructure Security Agency (CISA). 
CISA recently released their proposed rule related to this new law. It 
will be critical that when threat information like indicators of 
compromise (IOCs) are shared with CISA that there is rapid sharing with 
providers and other stakeholders so they can act quickly to defend 
their networks from like-minded attacks.

Our members continue to express concerns that they are being unduly 
penalized instead of being treated as the victim of a crime. 
Collectively, providers fend off complex attempts at cyber intrusion 
every day, but it only takes one sophisticated criminal to gain entry. 
With the increased use of generative AI, criminals are becoming more 
brazen in weaponizing this new technology. For instance, criminals are 
taking voice snippets and leveraging generative AI to launch 
``vishing'' (voice phishing) attacks. There has been a 1,265 percent 
rise in vishing, phishing (email scam) and smishing (scam text) since 
ChatGPT was introduced.\9\
---------------------------------------------------------------------------
    \9\ https://www.helpnetsecurity.com/2024/02/29/mobile-fraud-losses/.

Finally, we continue to believe that Stark and Anti-Kickback Statutes 
should be amended to allow for sizeable cyber donations while 
inoculating donors from risk. Organizations are simply too worried 
about taking on risk should they donate technology or services, and the 
recipient later experiences a cyber incident.

All Hazards Designation

As recommended by the Health Sector Coordinating Council (HSCC), high 
impact cyber and ransomware attacks, which result in the disruption and 
delay of health care delivery at one or more critical access, safety-
net and rural emergency hospitals, should be designated as ``all 
hazards'' incidents to activate the Federal Emergency Management Agency 
(FEMA) and other government response support services.\10\ We believe 
by doing this, more federal resources and support will be available to 
support our sector when a significant cyber incident occurs.
---------------------------------------------------------------------------
    \10\ https://healthsectorcouncil.org/wp-content/uploads/2023/04/HEALTH-INDUSTRY-CYBERSECURITY-RECOMMENDATIONS-FOR-GOVERNMENT-POLICY-AND-PROGRAMS.pdf.

A major cybersecurity incident should trigger the same level of 
response as a natural disaster or pandemic given its potential to 
cripple hospitals and health systems, delay care, and jeopardize 
patient safety. Further, it can cripple impacted hospitals and health 
systems as they must divert the most critical patients elsewhere. This 
can have a devastating impact for those living in rural areas where 
long distances must be traveled to reach a provider. The Government 
Accountability Office (GAO) found that when rural hospitals closed, 
people living within the community of care coverage areas had to travel 
about 20 miles farther for common services--including inpatient 
care.\11\
---------------------------------------------------------------------------
    \11\ https://www.gao.gov/products/gao-21-93#summary.
---------------------------------------------------------------------------

Mandate Third-Parties and Payers to Share Responsibility

Third-party risk remains an enormous weak spot for the healthcare 
sector and cannot be solved by imposing costly mandates on providers. 
Cybersecurity must be a shared responsibility--risk cannot be borne 
alone by providers. Third-parties that store, process and/or transmit 
protected health information on behalf of HIPAA covered entities are 
critical to the healthcare sector; yet during each contract negotiation 
they create caps on their liability that shift multiple millions of 
dollars of liability for a cybersecurity breach back to those 
organizations and/or their providers. The number of technological 
factors and undiscovered vulnerabilities outside of a provider's 
control is significant. The size of a hospital or healthcare system and 
their ability to negotiate these responsibilities with third-parties 
should not matter. If we are to make meaningful improvements in our 
sector, this responsibility must be equally shared.

Whether located in a patient's room or the hospital laboratory, both 
medical devices and other devices--such as a patient's mobile device--
rely on network connectivity for operations and maintenance. 
Additionally, nearly all the technology components in these devices are 
not developed by the HDO. These components include software, services, 
and hardware developed from organizations known as third-parties. One 
study found that the average number of third-parties that organizations 
contracted with in 2021 was 1,950 and also anticipated an increase to 
an average of 2,541 in 2022. Further, it notes that: ``Third-party 
products and services are a necessary and critical part of the HDO IT 
blueprint, but each brings another set of risk factors to the table. 
Some risks are inherent to the third-party such as security of 
operating systems and other embedded software in medical devices [. . 
.] the risk created by the third-party or the HDO use of the third-
party needs to be managed. The burden is on the HDO to perform 
assessments throughout their relationship with the third-party (e.g., 
procurement, implementation, usage, updates, termination, etc.).''\12\
---------------------------------------------------------------------------
    \12\ https://assets-global.website-files.com/63bc855e7cb1897eeb806ea7/6532d7b6718a3de763b9cbd1_Ponemon%20Research%20Report%20-%20The%20Impact%20of%20Ransomware%20on%20Healthcare%20During%20COVID-19%20and%20Beyond.pdf.

Payers and clearinghouses are also HIPAA covered entities. They both 
hold vast quantities of patient data and are integral partners in the 
healthcare system as evidenced by the Change Healthcare attack. It is 
imperative that they meet certain standards as well. We recommend that 
anyone who is touching health data has an obligation to help protect 
it. For years, our members have reported to us that they experience 
challenges with some medical device manufacturers refusing to sign 
HIPAA BAAs. More details on this can be found in our recent comments to 
Senator Bill Cassidy in response to his RFI on health data privacy.\13\
---------------------------------------------------------------------------
    \13\ https://assets.ctfassets.net/opszt4tga0mx/3fp1r0uZWMSmIAhGoJ6LW4/2476e4d17c7578963869807191282a5d/CHIME_Comments_in_Response_to_Sen._Cassidy__R-LA__Request_for_Information_on_Health_Data_Privacy__Oct._2023_.pdf.
---------------------------------------------------------------------------

Roadmap for the Future

Our sector needs a federally driven ``playbook'' for the next 
significant healthcare cyberattack so that we have immediate access to 
needed information, and federal authorities can help organize outreach 
and messaging with a strong, clear communication plan. This should 
include needed clarity for hospitals, healthcare systems, and HDOs on 
who to call and contact at the start of, during, and after a cyber 
incident. Put simply, we must have a clear pathway to the federal 
front-door at HHS. HHS has begun a sector-wide risk assessment to 
provide a clearer picture of the inventory of systems, organizations, 
and interlocking pieces that could be subjected to a cyber incident. We 
recommend HHS share this--once finalized--with Congress.

Cyber Insurance Program

The federal government should institute a catastrophic cyber insurance 
program to help healthcare providers offset the extremely high costs of 
coverage and serve as a backstop for those unable to obtain insurance 
on the open market.

The U.S. Department of Treasury has acknowledged that cyber insurance 
is a significant risk-transfer mechanism, and the insurance industry 
has an important role to play in strengthening cyber hygiene and 
building resiliency. In late 2022, Treasury released a Request for 
Comment regarding a ``Potential Federal Insurance Response to 
Catastrophic Cyber Incidents.'' CHIME responded to this request, as we 
strongly believe a federal insurance response to catastrophic cyber 
incidents in the critical infrastructure sectors is warranted and 
needed.

Cyber insurance provides coverage for common cyber risks to help 
companies mitigate losses related to cyber incidents and can encourage 
policyholders to manage cyber risk. But cyber insurers have been 
limiting their exposure to systemic losses (including by limiting 
coverage), and cyber carriers may not fully cover losses from a 
systemic event with catastrophic losses.

According to our members, based on the annual renewal process they go 
through--their premiums are continuing to increase, and the average 
annual increases in premiums that they are experiencing each year have 
typically doubled, if not more. One member noted that they were paying 
a $1 million dollar premium for each $5 million dollars of coverage. 
Some members have reported being denied any cyber insurance coverage--
simply because they had experienced a cyberattack within the last 5 
years and are therefore required to ``self-insure.'' Furthermore, even 
when our members have ``comprehensive'' cyber insurance, the coverage 
may only cover half of their losses--often amounting to tens of 
millions of dollars that they are then left to recoup. A CHIME survey 
found that nearly 60 percent of our members reported that the Internet 
of Things (IoT) and connected devices were their largest area of 
concern for risk of cyber intrusion over the next 3 years, areas, as 
described earlier, that can often be outside the HDO's control.

Due to increasing cybersecurity risks, businesses are facing a more 
demanding underwriting process--and insurers are more thoroughly 
examining a company's security controls, internal processes, and 
procedures concerning cyber risk. Additionally, ``underwriters are more 
cautious in examining an insured's risk presented by the third-parties 
working or contracting with the insured.''\14\ Hospitals and health 
systems do not have a choice to simply ``not work with'' or ``not 
contract with'' third-party vendors--yet they are being penalized or 
deemed uninsurable despite the fact that there is not a streamlined 
disclosure process to ensure that they are aware of any new potential 
and/or known vulnerabilities associated with third-party products and/
or services. The burden is solely on our members--hospitals and health 
systems--to perform assessments throughout their relationship with the 
third-party (e.g., procurement, implementation, usage, updates, 
termination, and disposition of assets holding patient data).
---------------------------------------------------------------------------
    \14\ https://content.naic.org/sites/default/files/cmte-c-cyber-supplement-report-2022-for-data-year-2021.pdf.

There are also a myriad of requirements that HDOs must meet to obtain 
insurance coverage and the requirements vary by carrier. Some 
requirements do little to improve a provider's cyber posture, yet 
providers are required to meet them. Therefore, our members believe, 
based on experience, that the current marketplace for cyber insurance 
offered to the healthcare sector is tenuous, financially unfeasible, 
and for some--completely unavailable.

Student Loan Forgiveness Program

Workforce issues continue to plague the healthcare sector and they are 
also pronounced with a shortage of security professionals. CHIME 
supports the recommendations made by the HSCC contained in their recent 
report, ``Recommendations for Government Policy and Programs.'' The 
report calls for HHS, in conjunction with other federal partners, to 
administer a workforce development and cyber training program that 
offers free cyber training and student loan forgiveness programs. They 
also call for instituting a federally subsidized ``civilian cyber 
health corp'' that could offer loan forgiveness in exchange for a 
minimum number of years served, modeled after a uniformed health corp.

Conclusion

In closing, thank you again for holding this hearing and for your 
leadership and attention to the critical issue of healthcare 
cybersecurity. CHIME remains committed to being a trusted stakeholder 
and resource to the Senate Finance Committee as it analyzes the Change 
Healthcare cyber-attack and what comes next.

Links:

https://www.unitedhealthgroup.com/ns/changehealthcare/faq.html

https://assets.ctfassets.net/opszt4tga0mx/6cbuJhBQA02SR0JeT3ZbfP/9a79cf5cc4ba572dd0e1b623ab7c9891/Change_Healthcare_Impacts_3.1.24.pdf

https://www.hhs.gov/about/news/2024/03/05/hhs-statement-regarding-the-cyberattack-on-change-healthcare.html

https://chimecentral.org/content/chime-and-aehis-send-letter-to-hhs-on-change-healthcare-cyberattack

https://energycommerce.house.gov/events/health-subcommittee-hearing-examining-health-sector-cybersecurity-in-the-wake-of-the-change-healthcare-attack

https://405d.hhs.gov/Documents/405d-cpg-highlights-2024.pdf

https://www.hhs.gov/sites/default/files/fy-2025-budget-in-brief.pdf

https://chimecentral.org/content/comments-on-treasury-rfi-for-potential-federal-insurance-response-to-catastrophic-cyber-incidents

https://healthsectorcouncil.org/wp-content/uploads/2023/04/HEALTH-INDUSTRY-CYBERSECURITY-RECOMMENDATIONS-FOR-GOVERNMENT-POLICY-AND-PROGRAMS.pdf

                                 ______
                                 
                  Letter Submitted by MaryAnn M. Cowan
Senator Ron Wyden
Chair
Senator Michael Crapo
Ranking Member
U.S. Senate
Committee on Finance

May 6, 2024

RE: ``Hacking America's Health Care: Assessing the Change Healthcare 
Cyber Attack and What's Next'' Hearing (May 1, 2024).

Dear Senators,

The solution to defending against ransomware and cyberattacks in the 
healthcare insurance claims industry should not only include 
multi-factor authentication and redundancy, but a totally new way of storing 
and retrieving data with encryption. During the hearing, Mr. Witty, CEO 
of United Healthcare Group, did not offer any innovative solutions 
which would decrease the risk of a successful cyberattack in the 
future.

A possible solution to this risk is Blockchain technology. Healthcare 
data can be entered onto a blockchain in a distributive database. This 
format offers the advantage of personal information encryption while 
additionally allowing smart contracts to make automatic insurance claim 
payments. (See ``Block Chain Application in Insurance Services: A 
Systematic Review of the Evidence'': https://journals.sagepub.com/doi/10.1177/21582440221079877?icid=int.sj-full-text.similar-articles.6.)

Although there would be many hurdles in implementing blockchain or 
another innovative technology, the healthcare industry has access to 
our most private information and needs a correspondingly strong system 
to save, sort, manage, share, and protect this data.

Thank you for investigating the cause of the cyberattack and for 
creating laws that protect U.S. citizens' health information--while 
also allowing this data to be shared securely with providers and 
payers.

Best regards,

MaryAnn M. Cowan

                                 ______
                                 
                    Federation of American Hospitals

                     750 9th Street, NW, Suite 600

                          Washington, DC 20001

                              202-624-1500

                            FAX 202-737-6462

                          https://www.fah.org/

The Federation of American Hospitals (FAH) submits the following 
statement for the record in advance of the Senate Finance Committee's 
hearing entitled ``Hacking America's Health Care: Assessing the Change 
Healthcare Cyber Attack and What's Next.'' We appreciate the 
Committee's efforts to understand the Change Healthcare cyberattack and 
its ongoing impact, and to hold insurers accountable for ensuring that 
premium dollars are spent on patient care.

The FAH is the national representative of more than 1,000 leading tax-
paying hospitals and health systems throughout the United States. FAH 
members provide patients and communities with access to high-quality, 
affordable care in both urban and rural areas across 46 states, plus 
Washington, DC, and Puerto Rico. Our members include teaching, acute, 
inpatient rehabilitation, behavioral health, and long-term care 
hospitals and provide a wide range of inpatient, ambulatory, post-
acute, emergency, children's, and cancer services. Tax-paying hospitals 
account for approximately 20 percent of community hospitals nationally.

The Change Healthcare cyberattack paralyzed a core engine of our 
healthcare system and disrupted critical electronic connections between 
patients, providers, and insurance companies. Despite this, hospitals 
and healthcare providers continued to provide high-quality care 24/7/
365 to all patients who come through their doors. The FAH believes 
cybersecurity is a shared responsibility and efforts to combat future 
cyberattacks should prioritize safeguarding patient data, protecting 
scarce hospital resources, and ensuring patient access to health care 
services.

Impact of the Change Healthcare Cyberattack

Prior to the cyberattack, Change Healthcare processed 15 billion 
claims, about 50 percent of all medical claims in the United States, 
totaling more than $1.5 trillion a year. In the weeks following the 
unprecedented cyberattack, many providers faced a crippling cash flow 
deficit after weeks of providing needed medical care to patients 
without receiving payment for those services--forcing some to access 
lines of credit or otherwise borrow funds at high interest rates to 
maintain operations and patient care. In March, Kodiak Revenue Cycle 
Analytics released benchmarking data from the first month immediately 
following the cyberattack that showed total claim submissions at 63% of 
pre-attack levels and a total estimated cash flow impact of over $6 
billion dollars.\1\ While the impacts of this financial disruption on 
operations and liquidity varied by provider, the event threatened to 
disrupt patient access to care throughout the country's health care 
system.
---------------------------------------------------------------------------
    \1\ https://www.businesswire.com/news/home/20240313807696/en/Cyberattack-on-healthcare-claims-processor-costing-hospitals-2-billion-a-week-in-cash-flow-Kodiak-Solutions-data-showx.

UnitedHealth Group, along with most other private health insurers 
including Medicare Advantage and Medicaid managed care plans, failed to 
adequately respond to the needs of providers immediately following the 
cyberattack. For example, nearly 2 weeks after the cyberattack, 
UnitedHealth Group announced a ``Temporary Funding Assistance Program'' 
to mitigate the impact on hospitals and other providers. However, the 
program was very limited and did not address the fact that hospitals 
and other providers were unable to bill and receive payments for care 
provided to patients. Providers were forced to continue to create 
workarounds to submit claims and receive payments to remain 
operational.

While insurers failed to adequately respond to the crisis in the 
initial aftermath, the Centers for Medicare and Medicaid Services (CMS) 
took much appreciated steps within its current limited authorities to 
provide accelerated and advance payments to hospitals and providers, 
grant state Medicaid agencies authority to make similar advance 
payments to Medicaid providers, and encourage Medicare Advantage and 
other private plans to offer advance payments and suspend 
administrative requirements such as prior authorization, timely filing 
requirements, and claims appeal deadlines.

Lingering Effects of the Change Healthcare Cyberattack

Providers continue to grapple with the profound repercussions of the 
Change Healthcare cyberattack. Hospitals have worked diligently to find 
workarounds using alternative clearinghouses to submit claims to 
insurers and replace other critical lost functions. Even with these 
efforts, the restoration of the normal flow of claims submission, 
receipt of payment, and resolution of claim rejections and denials will 
take months. The complexities of adjusting to a new clearinghouse have 
led to significantly higher rates of claim rejections and denials. As 
rejections and denials proliferate, the burden falls on providers to 
identify for each claim the specific reason for the rejection/denial, 
communicate with the insurer, and re-bill the claim and/or appeal it in 
a timely manner. These factors all amount to additional burdens on 
providers already struggling to adapt and already operating on strained 
resources.

As the health care system navigates the aftermath of the attack, the 
focus must be on supporting providers as they work through the 
administrative backlog and recover from financial strains caused by 
this unprecedented attack. Insurers must also be held accountable for 
ensuring timely payments and reducing administrative burdens, such as 
temporary suspension of requirements for prior authorization, timely 
filing, and appeals deadlines to facilitate recovery.

Holding Health Insurers Accountable

While UnitedHealth Group has been working to bring systems back online 
and has offered advance payments to some providers, these payment 
programs generally were insufficient and difficult to access. Most 
other private health insurers, including Medicare Advantage and 
Medicaid managed care plans, declined to provide advance payments to 
providers and continue to apply prior authorization and other coverage 
and payment obstacles.

Throughout this time, insurers have continued to collect and earn 
interest on premiums paid by consumers and taxpayers. The vast majority 
of those premium dollars are required under the law to be spent on 
medical care. Yet, many providers face a crippling cash flow deficit 
after weeks of providing needed medical care to patients without 
receiving payment for those services--forcing some to access lines of 
credit or otherwise borrow funds at high interest rates to maintain 
operations and patient care. Providers have been working around the 
clock in using workarounds to submit claims to insurers. However, the 
ability to submit claims is only the first step. The next phases are 
equally challenging--restoring the normal flow of claims submission, 
receipt of payment, and resolution of claim denials will take months.

Workarounds themselves present many additional barriers. For example, 
workarounds for submitting claims do not include the thousands of plan-
specific billing and coding requirements needed to file what insurers 
would deem a ``clean'' claim, lifting these required code edits, 
providers have experienced significantly high rates of claims 
rejections--25 to 40 percent (or in some cases significantly more)--
compared to a typical rejection/denial rate of about 5 to 10 percent. 
Often, providers manually submit claims with the coding edits, which is 
a very burdensome and time-consuming process, to help mitigate the 
claim rejection rates.

Increasing Cybersecurity

The FAH recognizes the critical importance of cybersecurity in 
healthcare delivery. FAH members are committed to protecting patient 
data and ensuring the integrity of healthcare services. Challenges 
persist in the face of evolving cyber threats and no organization, 
including the federal government, has immunity from cyberattacks. The 
FAH believes that any effort to enhance cybersecurity in the healthcare 
sector should prioritize preserving patients' access to care.

Hospitals are leaders in proactive cybersecurity efforts. In fact, 
according to the 2023 Department of Health and Human Services (HHS) 
Hospital Resiliency Landscape Analysis, hospitals' cybersecurity 
measures include encryption mechanisms, consumption of threat 
intelligence from other organizations, 24/7/365 security operations and 
incident response centers, vendor risk assessments, segmentation of 
medical devices on specialized network segments, comprehensive access 
management, regular system updates to mitigate risks of data breaches 
and cyberattacks, and other activities.\2\
---------------------------------------------------------------------------
    \2\ United States Department of Health and Human Services (n.d.). 
Hospital cyber resiliency initiative landscape analysis. Hospital 
Resiliency Landscape Analysis. https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf.

Increased cybersecurity standards should not impose burdensome mandates 
on hospitals or fail to consider the shared responsibility of 
cybersecurity and address 
system-wide vulnerabilities. Instead, efforts should encourage 
collaboration between hospitals, government agencies, and other 
entities to develop innovative cybersecurity solutions which promote 
shared learning, resource pooling, and proactive threat mitigation 
strategies. The FAH stands ready to collaborate on advancing 
cybersecurity policies that uphold patient care and provider 
resilience.

Recommendations

Congress and the Administration must hold health plans accountable in 
the wake of this devastating event. FAH urges federal policymakers to 
ensure that CMS has the authority to compel federally regulated and 
financed managed care plans--including Medicare Advantage plans, 
Medicaid managed care plans, qualified health plans offered on the ACA 
Marketplaces, as well as group health plans and health insurance 
issuers offering group or individual health insurance coverage--to meet 
their obligations to their members in the event of future cyberattacks 
by:

      Using historical claims payment data to establish adequate, 
accessible, and transparent advance and accelerated payment programs; 
and

      Suspending administrative requirements that are simply 
unworkable in the context of a widespread crisis, including prior 
authorization, timely filing and appeals deadlines, and unique coding/
billing edits.

We thank you for your focus on the Change Healthcare cyberattack and 
look forward to working with the Committee to ensure the security and 
stability of the health care system.

                                 ______
                                 
                Letter Submitted by Silvia Garcia, M.D.
May 7, 2024

        Change Healthcare Hack From a Doctor in Active Practice

Dear Senators,

I am a physician for 24 years in solo practice, who utilized Change 
Healthcare's product, Revenue Performance Advisor (ironically named, 
no?) as my claims clearinghouse for submitting claims to insurance 
companies.

Without any warning, the website stopped working on February 21, 2024 
and I stopped being able to be paid. The website was taken offline and 
I had no way to submit medical claims, and my solo practice was in 
serious jeopardy.

Weeks went by with no information, then a trickle of info from the UHG 
website that their other proprietary clearinghouse through Optum would 
be an option for me, with associated registration and fees to hire this 
ancillary service as an alternative. Thankfully it is a free market, 
and I found a competitor with robust safety algorithms and an easily 
adoptable clearinghouse so that I could send claims to be paid and keep 
the lights on at my solo dermatology practice.

I went without a paycheck for 2 months until my business could pay the 
rent, utilities, insurance, supplies, etc. as the priority. In 2023, 
Change Healthcare made a huge deal of forcing a ``One Healthcare ID'' 
to login and that this would provide security. It took a band of rogue 
hackers to easily destroy their meager safety mechanism.

To date, Optum/UHG/Change Healthcare has about 10 toll free numbers 
where I have called all of them to discontinue and cancel my 
clearinghouse relationship due to force majeure, with their broken and 
untrustworthy products that were criminally compromised by 
international cyberhackers and ransomed with Bitcoin. I still do not 
know whether my private business data was compromised, or that of my 
patients' data, sent in with claims, for how long, for whom, and when. 
Nothing.

There is no way to communicate with anybody at UHG as they all point 
fingers to either iEDI or Optum and won't answer any questions for 
nearly 3 months. UHG has made a mockery of the physicians' and 
patients' trust in slipshod and corner cutting products, while we were 
reassured that they were top notch.

I was unhappy with frequent outages with Change Healthcare over the 
past 2 years. One month none of my Medicare claims went through for 
some inexplicable reason (June 2022). All of their tech support was 
based in India. I believe such sensitive info needs to be managed by 
entirely domestically based support staff, where our laws and standards 
apply.

Silvia Garcia, M.D.

                                 ______
                                 
                Letter Submitted by Jocelyn Good, Ph.D.
April 27, 2024

I would like to formally comment on the Change Healthcare debacle when 
the company was hacked and reimbursement to providers was suspended due 
to an inability to process billing.

I am the co-owner of a small private practice in Columbus, Ohio. We 
have 8 therapists, 5 of whom are single and have no additional source 
of income. Two of these women are single mothers. We are all paid based 
on the billing collected for the clients we see.

It was incredibly scary to not know how long billing would be 
suspended. Two weeks is 50% of lost income for the month. As the 
owners, we were considering a small loan to help out our employees and 
to pay ourselves which is an expense we should not have to take on.

While the monies that were held up for us are small in comparison to 
large hospitals, it could have had an even more devastating impact on 
our group of 8 because losing such a significant amount of income makes 
taking care of personal bills difficult.

Thank you for looking into this debacle so that hopefully it never 
happens again.
Sincerely,

Jocelyn Good, Ph.D.
Psychologist

                                 ______
                                 
                          Greenway Health, LLC

                   4301 W. Boy Scout Blvd., Suite 800

                            Tampa, FL 33607

                          877-932-6301 (Main)

                           GreenwayHeath.com

May 15, 2024

The Honorable Ron Wyden
Chairman
U.S. Senate
Committee on Finance
Washington, DC 20510

The Honorable Mike Crapo
Ranking Member
U.S. Senate
Committee on Finance
Washington, DC 20510

Re: Senate Finance Committee hearing ``Hacking America's Health Care: 
Assessing the Change Healthcare Cyber Attack and What's Next'' held May 
1, 2024.

On behalf of Greenway Health, LLC (``Greenway'') we wish to provide a 
statement for the record following the House Energy and Commerce 
Committee hearing on May 1, 2024, regarding the Change Healthcare 
(``Change'') cyberattack and its significant impact on the healthcare 
ecosystem.

Greenway's mission is to improve health care delivery efficiency and 
effectiveness through our electronic health record (``EHR'') solutions. 
We serve nearly 4,000 provider clients throughout the United States 
including predominantly physician-owned practices, Federally Qualified 
Health Centers (``FQHCs''), and Community Health Centers (``CHCs''), 
Rural Health Clinics (``RHCs'') and tribal communities. As a health IT 
developer with a network of provider clients that largely operate in 
small practice settings and frequently serve vulnerable populations, 
Greenway appreciates this opportunity to mark the significance of the 
impact Change's cybersecurity incident has had on these providers.

Our comments today are centered around the following four points:

      The substantial clinical impact for our provider clients* and 
their patients because of this cyberattack;
      The financial ramifications that have been crippling for our 
provider clients;
      The data breach obligations that Greenway is under and how that 
has been stymied; and
      How the non-standardization of laboratory messaging has made 
changing lab interface providers (like Change) nearly impossible.

*Below this letter is an impact statement from Perinatal Associates of 
New Mexico so that the Committee can see the first-hand effects that 
Change has had on small providers.

Clinical Impacts

Greenway is contracted by our clients to provide many services 
including those that enable electronic lab orders & results and claim 
management. Greenway in turn uses Change Healthcare to provide that 
solution. As of today, our clients have had limited access to, or have 
not been able to access entirely, these services since February 21, 
2024 until approximately May 10, 2024. This has caused significant 
clinical care repercussions where clinical services like lab orders and 
electronic prescribing services to patients are not being provided or 
are delayed.

The ability to order lab tests for patients and make clinical decisions 
based on the results is a fundamental part of clinical care--the 
disruption of this workflow has meant that ordering and receiving labs 
via Greenway's EHR can (and, almost certainly has) led to delayed 
diagnosis or treatment protocols. To continue to provide care, 
providers had to resort to manual procedures like paper charts. This is 
concerning since many providers today are unfamiliar with strictly 
paper-based practice for certain workflows. For our obstetrics & 
gynecology clients, the patient care impact was heightened in areas 
like women's health where results often need a faster feedback loop.

Financial Impacts

While lab orders are a way that Greenway is directly impacted, it is 
well documented that the widespread monetary impacts for providers were 
significant and in some cases are still ongoing. Change Healthcare has 
started to restore service in certain areas like billing statements so 
that providers can begin to send bills out to people directly, but 
their Medicare and Medicaid claims are largely still in disarray. 
Anecdotally, a client recently submitted approximately $8,000,000 in 
Medicaid claims and they all bounced back. This is particularly 
disturbing for many of our provider clients since these programs are 
often their largest payer.

For practices that are operating on very small margins to begin with, 
the lack of cash flow for nearly 2 months is nothing short of 
devastating. Some are resorting to using personal savings accounts or 
putting practice expenses on credit cards--the loans that are being 
issued by UnitedHealth Group pale in comparison to the overall lost 
finances. The question of whether the Change impacts will result in not 
being able to submit claims on a timely basis remains unknown and will 
vary by state and payor, including CMS and state Medicaid agencies.

Data Breach Reporting Obligations

During the May 1, 2024, witness testimony, Andrew Witty, Chief 
Executive Officer for UnitedHealth Group, stated that, 
``as we have previously confirmed, based on initial targeted data 
sampling to date, we found files containing protected health 
information (PHI) and personally identifiable information (PII), which 
could cover a substantial proportion of people in America.'' However, 
the Office of Civil Rights has yet to receive a breach report from 
UnitedHealth Group.

Without this disclosure, Greenway and countless other organizations are 
in a vulnerable position of not knowing the magnitude of PHI or PII 
that have been exposed, and therefore having no idea of potential 
exposure of our clients and not knowing how to fulfill their HIPAA 
reporting obligations.

Laboratory Messaging Standardization

The federal government strictly regulates electronic health record 
developers but not the entirety of the Health IT ecosystem. There is no 
oversight to ensure things like uniformity in laboratory messaging 
standards unlike interoperability standards like FHIR (Fast Healthcare 
Interoperability Resources) that exist in other areas of healthcare 
today and are required by EHR developers. In contrast, today, each 
laboratory sends and receives information but does not do so in a 
uniform way. Change Healthcare acts as an intermediary translation 
service between labs, and in the absence of Change due to the 
cyberattack, labs could not easily switch to another service provider 
due to lack of uniform standards and exclusivity contracts with Change.

This has become burdensome for the industry and we can see the impact 
the broad reach of UnitedHealth Group via Change Healthcare has had 
over the past 2 months. Greenway supports standards like FHIR for 
laboratory communications. The lack of standards across labs and 
interfaces is significantly delaying the restoration of labs as each 
lab has to test and validate their unique configurations before being 
re-enabled.

Summary

Greenway appreciates the Committee's oversight in convening the May 1st 
hearing. Due to our needed reliance on Change, we have suffered 
reputational harm through no fault of our own, and our clients have 
been left in a grave situation with which they are still grappling. 
According to the American Medical Association's most recent survey 
released on April 29th, respondents report continuing issues with 
multiple operations, despite UnitedHealth Group's announcements of 
restored service: 60% continue to face challenges in verifying patient 
eligibility; 75% still face barriers with claim submission; 79% still 
cannot receive electronic remittance advice; and 85% continue to 
experience disruptions in claim payments.

We look forward to the Committee's continued attention to this critical 
issue and thank the Committee for its oversight. An impact statement 
from a Greenway provider client follows this letter.

Sincerely,

Karen W. Mulroe
General Counsel

Stephanie Jamison
Senior Director, Regulatory & Government Affairs

Client Impact Statement

Dear Members of Congress,

I am a maternal-fetal medicine subspecialist and president of Perinatal 
Associates of New Mexico. Our practice is the largest perinatal 
practice in the state. We provide high-risk pregnancy care for over 45% 
of all births in the state of New Mexico.

I would like to share our experience and concerns regarding our 
statewide New Mexico perinatal practice's inability to fully utilize 
our electronic medical record (EMR) due to the United Healthcare Group/
Optum Health/Change Healthcare cybersecurity breach which occurred on 
February 21, 2024 and has finally been resolved as of May 9, 2024 . . . 
78 days later.

I also want to share a recent news story which was published in the 
Santa Fe New Mexican detailing the difficulties faced by our medical 
practice. You can find the newspaper story at the link. I have reached 
out to our EMR's CEO, CMO, and Product manager, United Healthcare 
leadership, and each of our NM congressional representation to escalate 
my concerns.

    * Our practice was unable to order any laboratories electronically 
      from our EMR due to failure of the Change Healthcare interface.
    * Our practice was unable to receive any laboratory results 
      electronically into EMR due to a failure of the Change Healthcare 
      interface.
    * Our practice was unable to send obstetric ultrasound reports 
      from our ultrasound reporting system to our EMR due to a failure of 
      the Change Healthcare interface.
    * Our practice was unable to electronically process claims with 
      New Mexico Medicaid from our EMR due to a failure of the Change 
      Healthcare interface.
    * Our practice continued to pay our EMR vendor a monthly 
      subscription for services which are completely non-functional due to 
      failures on the part of Change Healthcare.

Facing these challenges and seriously concerned regarding the timeline 
of restoration on the part of United Healthcare/Optum Health/Change 
Healthcare, I reached out to the New Mexico Medical Society and the 
American Medical Association. On April 15, 2024, I met briefly with 
Roger Connor (CEO Optum Insight) and Mike Peresie (CEO Change 
Healthcare) to convey my concerns and advocate for a rapid fix to the 
issues we faced daily in New Mexico.

Here is a summary from our meeting.

    * Change Healthcare was beginning restoration of Clinical Exchange 
      on 4/15 with an anticipation of going live within 2 weeks.
    * Change Healthcare has over 350 lab connections to complete 
      including reconnection of Greenway Health (our EMR) and Tricore 
      Reference Laboratories (our main New Mexico lab).
    * Labcorp is included among the first 20 labs in the country to be 
      reconnected by Change Healthcare.
    * No information could be shared regarding where Tricore Reference 
      Laboratories was on the list of lab reconnections.
    * Our ultrasound reporting software interface to Greenway Intergy 
      EMR would begin working once the lab reconnection is completed by 
      Change Healthcare.

We also discussed the extreme health inequities faced in the state of 
New Mexico.

    * Maternal mortality rates vary significantly from state to state.
    * Mississippi had the highest maternal mortality rate in 2021, 
      with 82.5 deaths per 100,000 births, followed by New Mexico with 
      79.5 deaths per 100,000 births.
    * In contrast, California had the lowest maternal mortality rate 
      (9.7), and Massachusetts had the second lowest (17.4).
    * There are 2,205 LabCorp locations in the United States as of 
      March 27, 2024. The state with the greatest number of LabCorp 
      locations in the U.S. is California, with 324 locations (15% of all 
      LabCorp locations in the U.S.).
    * The northeast U.S. has a concentrated, high percentage of 
      LabCorp locations.

After exhaustive efforts, Mike Peresie (CEO Change Healthcare), 
Christina Fortner Slade (Greenway Health--Chief Client Experience 
Officer), Dr. Angela Sanchez (Tricore--Chief Medical Officer) and I met 
on April 25, 2024 to coalesce a plan for reconnection of our lab and 
ultrasound interfaces.

For 78 days, work to reconnect Perinatal Associates of New Mexico, 
Greenway Health, and Tricore Reference Laboratories was ongoing with no 
specific estimate on complete restoration. Our ability to care for 
pregnant patients and improve their outcomes throughout the state of 
New Mexico remained limited due to the lack of connectivity provided by 
United Healthcare Group/Optum Health/Change Healthcare interfaces. 
After nearly 3 months, our lab and ultrasound connectivity was restored 
by United Healthcare Group/Optum Health/Change Healthcare and massive 
efforts on the part of Greenway Health, Tricore Reference Laboratories 
and Perinatal Associates of New Mexico.

Providing healthcare in the United States is a privilege, honor, and 
challenge. As a physician with over 20 years of experience, clinicians 
face innumerable obstacles in their provision of medical care to 
patients.

A lack of oversight and cybersecurity by the largest health insurer in 
America which created a national outage affecting pharmacy 
prescription, laboratory orders and results, and insurance payor claims 
processing for medical practices and hospitals across our country 
requires serious assessment, corrective action, and protections placed 
by Congress to ensure the security of American healthcare in the 
future. Please address these issues during your committee hearings and 
forthcoming legislative efforts. Patients throughout the United States 
deserve your dedicated attention to this important matter. Their lives 
and their health depend on your actions today.

If you or any Congressional leaders have questions or concerns, please 
feel free to reach me by cell at 505-506-8744 or by email at 
[email protected].

Sincerely,

Michael S. Ruma, M.D., MPH
President
Perinatal Associates of New Mexico

Links

https://d1dth6e84htgma.cloudfront.net/Witty_Testimony_OI_Hearing_05_01_24_5ff52a2d11.pdf

https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html

https://www.hl7.org/fhir/

https://www.ama-assn.org/system/files/change-healthcare-follow-up-survey-results.pdf

https://www.santafenewmexican.com/news/local_news/purgatory-of-paper-health-careproviders

https://usafacts.org/articles/which-states-have-the-highest-maternal-mortality-rates/

https://www.scrapehero.com/location-reports/LabCorp-USA/

                                 ______
                                 
                     Healthcare Leadership Council

                     750 9th Street, NW, Suite 500

                          Washington, DC 20001

                             (202) 452-8700

                          https://www.hlc.org

May 1, 2024

The Honorable Ron Wyden             The Honorable Mike Crapo
Chairman                            Ranking Member
U.S. Senate                         U.S. Senate
Committee on Finance                Committee on Finance
Dirksen Senate Office Building      Dirksen Senate Office Building
Washington, DC 20510                Washington, DC 20510

RE: May 1st ``Hacking America's Health Care: Assessing the Change 
Healthcare Cyber Attack and What's Next'' Hearing

Dear Chairman Wyden and Ranking Member Crapo:

The Healthcare Leadership Council (HLC) thanks you and other members of 
the Senate Finance Committee for holding the hearing, ``Hacking 
America's Health Care: Assessing the Change Healthcare Cyber Attack and 
What's Next.''\1\ Recent events have brought much needed attention to 
the risks for the healthcare sector in protecting and defending itself 
from an unprecedented number of ransomware and other cybersecurity 
attacks. In attacking one segment of the healthcare sector, criminals 
cause industry wide disruption and jeopardize patient safety. These bad 
actors require a unified and strong cross sector response; and our 
members are committed to collectively safeguarding patients and 
protecting their data.
---------------------------------------------------------------------------
    \1\ https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next.

HLC is a coalition of chief executives from all disciplines within 
American healthcare. It is the exclusive forum for the nation's 
healthcare leaders to jointly develop policies, plans, and programs to 
achieve their vision of a 21st century healthcare system that makes 
affordable high-quality care accessible to all Americans. Members of 
HLC--hospitals, academic health centers, health plans, pharmaceutical 
companies, medical device manufacturers, laboratories, biotech firms, 
health product distributors, post-acute care providers, homecare 
providers, group purchasing organizations, and information technology 
companies--advocate for measures to increase the quality and efficiency 
of healthcare through a patient-centered approach.

To support healthcare entities that treated Medicare beneficiaries, the 
Administration took swift action to help mitigate the impact of the 
Change Healthcare cyberattack by accelerating payments to Medicare Part 
A providers and announcing Medicare Part B advanced payments. However, 
the impact on providers, payers and patients remains significant. As 
the frequency of healthcare data breaches continues to increase at a 
staggering rate, already doubling over the last 5 years to more than 
720 breaks annually, a standard predictable response would ensure that 
patients receive the necessary care, and caregivers are compensated, 
even when systems are compromised.\2\
---------------------------------------------------------------------------
    \2\ See https://www.hipaajournal.com/security-breaches-in-healthcare/.

As pharmacies and physicians continue to deal with payment delays it is 
becoming increasingly clear that the number of entities impacted by 
cybersecurity breaches will likely increase exponentially from here if 
further action is not taken. For this reason, Congress and federal 
agencies must focus their efforts on actions on these next steps by 
offering clear guidance and needed support, rather than punishing 
legally operating businesses victimized by criminal bad actors. While 
organizations that violate HIPAA or mismanage data should be held 
accountable, vilifying healthcare companies compromised by a security 
hack will only further stress critical infrastructure. We have 
identified the following areas that are ripe for government action:

      Ransomware Response--Healthcare organizations need guidance when 
facing ransomware attacks, including recommendations for appropriate 
responses. While the FBI advises not paying, there are often life-
threatening consequences that result from such a stance which 
necessitate additional consideration.

      Data Breaches and Protections--Congress should consider 
expanding the protections established under the January 2020 HITECH 
Act, to offer organizations that implement a comprehensive 
cybersecurity program full safe harbor protection in the event of cyber 
incidents beyond their control. This will encourage disclosure and 
mutual support, a far more constructive and effective mechanism for 
combatting cyberattacks in the healthcare sector than the current 
public reporting process.

      Leadership and Coordination--There are many organizations and 
officials whose duties and missions involve health sector cybersecurity 
at some level including the Healthcare Sector Cybersecurity Coordinated 
Center, the Health Sector Coordination Council, and the Office of the 
National Cyber Director. While there is clearly a great deal of 
constructive activity and focus on cybersecurity among all these 
groups, their overlapping roles and the lack of a single dedicated 
office focused on health sector cybersecurity issues will slow progress 
in an area, and during a time, when exactly the opposite is needed.

Given the complex challenges of not only preparing for but responding 
to cybersecurity incidents, companies need assistance that will bolster 
cyber readiness. We recognize the challenges in developing legislation 
on this important topic and stand ready to assist in any way we can. 
Please contact Katie Mahoney at kmahoney@hlc.org or (202) 449-3442 if 
you have any questions or would like additional information.

Sincerely,

Maria Ghazal
President & CEO

                                 ______
                                 
                  Statement Submitted by Krissy Levine

          United Healthcare and Change Healthcare Data Breach

This is in regards to the hearing of May 1, 2024, which I'm weeks late 
for.

This is a statement that Optum planned on, which I heard by word of 
mouth from an IT in Canada, that they were talking about closing down 
one of Change Healthcare's clearinghouses in December.

When the attack happened, we had MFA on all products except for one 
source we use. Optum wanted Change Healthcare edits that we use in 
Assurance. This was against the DOJ and their statement when they 
bought Change Healthcare.

Change Healthcare has never been at risk for cyberattack.

This action that Andrew and others caused needs to be under 
investigation. Andrew not once either has mentioned it in the town hall 
meeting.

                                 ______
                                 
                Letter Submitted by Mark A. Mayle, CISSP
May 1, 2024

Inquiry Regarding Security Certifications and Overlooked Controls in 
Change/Optum

Dear Members of the Senate Finance Committee,

I hope this message finds you well. I am writing to address an 
important issue concerning the cybersecurity practices of Change 
Healthcare and Optum, particularly their recent HITRUST and SOC 2 Type 
2 certifications. While these certifications are highly respected 
within the industry and signify a robust approach to information 
security, there have been notable lapses that raise concerns about the 
effectiveness of these audits.

Despite their certifications, it has come to light that there were 
significant oversights in basic security controls, specifically the 
absence of Multi-Factor Authentication (MFA) for Citrix systems and 
shortcomings in data recovery processes. These elements are often 
considered fundamental to cybersecurity frameworks and their omission 
poses questions about the thoroughness of the certification processes.

It is crucial to understand how such foundational security measures 
could be overlooked by the rigorous assessments involved in HITRUST and 
SOC 2 Type 2 audits. This situation underscores a potential gap in the 
audit processes that could allow for ``low-hanging fruit'' 
vulnerabilities, which, while basic, are critical for the overall 
security posture of an organization.

We urge the committee to consider these points in your ongoing efforts 
to oversee and enhance corporate accountability in cybersecurity 
practices, particularly for entities handling sensitive health 
information. It is essential to ensure that certification processes are 
not only thorough but also reflective of all foundational cybersecurity 
practices.

Thank you for your attention to this matter. I look forward to your 
thoughts on how we can together ensure more comprehensive security 
standards and practices.

Very Respectfully,

Mark A. Mayle, CISSP
Director of Information Security

                                 ______
                                 
                  Medical Group Management Association

                    1717 Pennsylvania Ave., NW, #600

                          Washington, DC 20006

                             T 202.293.3450

                             F 202.293.2787

                         https://www.mgma.com/

May 1, 2024

The Honorable Ron Wyden             The Honorable Mike Crapo
Chairman                            Ranking Member
U.S. Senate                         U.S. Senate
Committee on Finance                Committee on Finance
221 Dirksen Senate Office Building  239 Dirksen Senate Office Building
Washington, DC 20510                Washington, DC 20510

Re: MGMA Statement for the Record--Senate Committee on Finance Hearing, 
``Hacking America's Health Care: Assessing the Change Healthcare Cyber 
Attack and What's Next''

Dear Chairman Wyden and Ranking Member Crapo:

The Medical Group Management Association (MGMA) thanks you for holding 
this important hearing examining the Change Healthcare cyberattack and 
what comes next. MGMA members were significantly impacted by the 
cyberattack and continue to deal with the fallout. We appreciate the 
Committee reviewing how this caused so much disruption to our nation's 
health system and examining policies to help mitigate future 
cyberattacks.

With a membership of more than 60,000 medical practice administrators, 
executives, and leaders, MGMA represents more than 15,000 group medical 
practices ranging from small private medical practices to large 
national health systems, representing more than 350,000 physicians. 
MGMA's diverse membership uniquely situates us to offer the following 
policy recommendations.

On February 21st, Change Healthcare experienced a cyberattack that 
critically impacted the U.S. healthcare system, causing unprecedented 
outages. Change Healthcare touches one in three patient records and 
processes 15 billion healthcare transactions annually.\1\ With one 
corporate entity providing so many services to such a wide swath of the 
nation's healthcare ecosystem, the disruptions caused by the malicious 
cyberattack resulted in substantial harm.
---------------------------------------------------------------------------
    \1\ Department of Health and Human Services, Letter to Health Care 
Leaders on Cyberattack on Change Healthcare, March 10, 2024, 
https://www.hhs.gov/about/news/2024/03/10/letter-to-health-care-leaders-on-cyberattack-on-change-healthcare.html.
---------------------------------------------------------------------------

Impact of the Change Healthcare Cyberattack on Medical Groups

Given the breadth of services Change Healthcare offers, MGMA members 
felt myriad negative consequences following the cyberattack, including: 
severe billing and cash flow disruptions, inability to submit claims, 
limited or no electronic remittance advice (ERA) from health plans, 
electronic prescriptions could not be transmitted, lack of connectivity 
to data infrastructure, health information technology disruptions, and 
much more. Physician practices diligently instituted workarounds for 
various processes to remain operational, which required significant 
labor costs and time to institute, diverting critical resources from 
patient care.

The lack of cash flow that resulted from the Change Healthcare attack 
led to medical groups having to make difficult financial decisions as 
it was early in the year and practices already had limited working 
capital on hand due to tax considerations. Smaller practices were 
particularly affected given their tight margins and had to utilize 
lines of credit with high interest rates just to keep their doors open. 
Practices have had to make drastic payroll decisions in the wake of the 
attack; one MGMA member's statement to CNN sums up the gravity of the 
situation: ``We are hemorrhaging money, this will probably be the last 
week we can keep everybody on full time without having to do 
something.''\2\
---------------------------------------------------------------------------
    \2\ Sean Lyngaas, CNN, `` `We're hemorrhaging money': US health 
clinics try to stay open after unprecedented attack,'' March 9, 2024, 
https://www.cnn.com/2024/03/09/tech/medical-supply-chain-cybersecurity/index.html.

While some of Change Healthcare's systems have come back online, 
effects of the attack still remain--there's an extensive backlog of 
claims being processed, some groups are still not receiving ERAs 
impacting their ability to reconcile claims, and practices are still 
utilizing resource-intensive workarounds. Further, we still do not know 
the full extent of the cyberattack as both Change Healthcare and law 
enforcement authorities are investigating the data breach. In totality, 
the Change Healthcare cyberattack continues to ripple throughout this 
nation's health system.

Federal Response and Policy Considerations to Support Physician Practices

As the scope of the cyberattack became apparent, MGMA wrote to the 
Department of Health and Human Services (HHS) on February 28th 
expressing the severity of its impact to medical groups and advocating 
for the agency to use all tools at its disposal to mitigate the 
damage.\3\ Thankfully, HHS instituted numerous flexibilities in 
response and offered accelerated and advanced payments to hospitals and 
providers to help mitigate the consequences from the cyberattack. We 
appreciate the Department heeding our call and swiftly acting to assist 
practices.
---------------------------------------------------------------------------
    \3\ MGMA, Letter to CMS on Change Healthcare Cybersecurity Attack, 
February 28, 2024, 
https://www.cnn.com/2024/03/09/tech/medical-supply-chain-cybersecurity/index.html.

The cyberattack on Change Healthcare made it evident that there are 
significant vulnerabilities in our healthcare system, which must be 
addressed--especially as the threat of such attacks only continues to 
rise. Moving forward, health plans, clearinghouses, and other third-
party vendors must have safeguards and contingency plans in place to 
better protect physician practices from such significant cash flow and 
administrative impacts resulting from a cyber incident.

The Committee should examine whether further authorities and 
flexibilities should be granted to federal agencies responding to 
future attacks to support physician practices. Specifically, the 
Committee should ensure that the statute governing advanced payments to 
Part B providers allows for a quick response time from HHS to a future 
attack, and that repayment terms are not onerous, adding another 
stressor during a time of acute uncertainty. Additionally, the 
Committee should review whether other policies should be introduced 
such as waiving timely filing requirements for health plans, reducing 
prior authorization burden, and relaxing other requirements as it may 
be impossible to fulfill them with such widespread outages. This would 
be a significant step to allow practices to function with a semblance 
of efficiency during a cyberattack of this size.

Physician practices must continue to work to ensure they have adopted 
ironclad cybersecurity policies and procedures to best protect the data 
of their patients and their ability to provide high-quality care. When 
contemplating the fallout, we urge against establishing penalties, or 
conditioning relief funds, for medical groups in response to 
cyberattacks perpetuated against other healthcare actors. There are a 
multitude of security and data privacy regulations governing medical 
groups; introducing barriers to future relief would work against 
supporting medical groups' ability to operate in the face of 
considerable interruption.

It is important to note that physician practices have access to widely 
different levels of cybersecurity resources depending on their size. 
The President's budget acknowledged the need to bolster cybersecurity 
resources within the healthcare sector, allocating $800 million to 
assist ``high-need, low-resourced'' hospitals to help implement 
cybersecurity practices.\4\ The budget also proposed $500 million for 
an incentive program for advanced cybersecurity practices for 
hospitals. Ensuring that all physician practices are afforded resources 
similar to those proposed for hospitals is critical. We support 
practices incorporating voluntary cybersecurity goals, like those 
recently published by HHS, to bolster their defenses against future 
attacks.
---------------------------------------------------------------------------
    \4\ Department of Health and Human Services, Fiscal Year 2025 
Budget in Brief, pg. 80, March 11, 2024, 
https://www.hhs.gov/sites/default/files/fy-2025-budget-in-brief.pdf.

These are sophisticated criminal cyberattacks often sponsored by nation 
states that are not only impacting healthcare but many other industries 
in addition to federal, state, and local governments. Exacerbating a 
terrible situation by adding further penalties to medical groups beyond 
what is already in place would be overly punitive for practices not 
responsible for the attack and operating in full compliance. Resources 
should be devoted to law enforcement agencies to bolster their actions 
to combat these cyberattacks and prevent them before they begin. Our 
nation's law enforcement agencies have the expertise and training to 
stop these criminals--we should ensure they have every resource 
necessary at their disposal.

Breach of Protected Health Information

Change Healthcare is currently undergoing an investigation into the 
data breached during the cyberattack, but ``based on initial targeted 
data sampling to date, the company has found files containing 
protecting health information (``PHI'') or personally identifiable 
information (``PII''), which could cover a substantial proportion of 
people in America.''\5\ MGMA appreciates recent public statements from 
UnitedHealth Group committing to ``provide appropriate notifications'' 
and stating that it ``has offered to make notifications and undertake 
related administrative requirements on behalf of any provider or 
customer.''\6\ At the same time, no prudent medical group can rely on 
vague promises in a press release containing no specifics with respect 
to either timing or implementation.
---------------------------------------------------------------------------
    \5\ UnitedHealth Group Press Release, April 22, 2024, 
https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html.
    \6\ Id.

Medical groups currently face mounting concerns about their own 
regulatory exposure should United not fulfill these promises to the 
satisfaction of the Department of Health and Human Services Office for 
Civil Rights (OCR). Further, as more patients become aware of the 
possible disclosures of their sensitive PHI and PII, they will turn to 
their providers for information and assurances, neither of which can 
currently be provided.

MGMA wrote to OCR last week asking for clarity from their office that:

        1.  Responsibility for breach notifications rests solely with 
        Change and UnitedHealth Group;
        2.  Providers that are completely innocent in this unique 
        situation will be spared any regulatory scrutiny; and
        3.  OCR will ensure that Change and United fulfill the promises 
        they have made in a prompt and transparent manner.\7\
---------------------------------------------------------------------------
    \7\ MGMA, letter to OCR on Change Healthcare and breach 
notifications, April 25, 2024, 
https://www.mgma.com/getkaiasset/e4c23eb7-45aa-4629-bdbe-fc60797ae3e3/04.25.2024_OCR%20MGMA%20Change%20Healthcare%20Breach%20Letter.pdf.

We recommend the Committee works to ensure that UnitedHealth Group 
fulfils their promises, and that OCR provides a clear statement that 
the responsibility for the HIPAA-required breach notifications falls 
solely with UnitedHealth Group and Change Healthcare.

Conclusion

MGMA looks forward to working with the Committee to reinforce the 
resiliency of the cybersecurity defenses for this nation's health 
system. It is critical to ensure physician practices can continue 
providing high-quality patient care in the face of substantial 
disruptions. If you have any questions, please contact James Haynes, 
Associate Director of Government Affairs, at [email protected] or 
202-293-3450.

Sincerely,

Anders Gilberg
Senior Vice President, Government Affairs

                                 ______
                                 
                         Metropolitan Neurology

                         Boynton Beach, Florida

May 12, 2024

Dear Senators,

It has been nearly 3 months and we are still not completely functional 
in sending eclaims. This has been one of the most exasperating 
experiences in my over 30 years of solo private practice as well as an 
enormous existential threat to private practice in an already adverse 
healthcare environment.

This has also marked my second healthcare cyberattack involvement in 
the past 3 years which has affected me though the first was not a 
financial threat to my practice. The first major healthcare cyberattack 
affected a large hospital system where I also provide services. It 
required reverting to a paper based system for 3 months which was 
difficult but manageable.

Watching the testimony of Mr Witty, the response to this healthcare 
cyberattack crisis by the federal government, health insurance 
corporations, and our EMR company has led to the following conclusions:

There is a tremendous amount of incompetency, greed, and bureaucracy in 
both the corporate and government components of the U.S. healthcare 
system which is impeding a successful outcome and the entire ordeal has 
been one tremendous example of horrible crisis management with the 
exception of Aetna and Humana (see below).

    1.  The EMR design and implementation has been flawed from the very 
beginning. Providers are held hostage to both large and small EMR 
companies that have contracts with exclusive vendors to provide one 
clearinghouse connection, one telemedicine vendor, one fax vendor, one 
escribe provider, and so forth for which the provider has to pay the 
EMR company. It is a complete monopoly and very costly. I am paying a 
small fortune for the EMR annually for all these ``features'' and the 
EMR companies clearly do not have the ability to support the technical 
issues especially in times of crisis. There appears to be no 
standardization to allow portability of an EMR to self selected 
subvendors which could potentially lead to lower prices with greater 
market competition. Furthermore, none of these EMR systems are able to 
meaningfully connect with one another: especially in retrieving 
hospital data, major lab center data and imaging center reports which 
would avoid redundant testing. This would obviously assist greatly in 
patient care and reduce healthcare cost. How much money would be saved 
in avoiding redundant testing? I don't believe that Apple, Google, or 
Microsoft would have had a fundamental technical breakdown going on 3 
months without a solution (I have no relatives working at any of these 
companies) nor would have not found an efficient working solution 
quickly to the core reason to implement EMR.

    2.  Most pertinent to the inability of easily switching eclaims to 
another clearinghouse appears to be the lack of a mandated standardized 
interface from EMR to clearinghouses for Part B claim transmission. 
This is the main failure and reason why most providers are still not 
able to transmit claims flawlessly and quickly and why we are 
imprisoned to any one EMR system with its one clearinghouse connection. 
The workaround at present is that each affected EMR company has to 
``build a template'' to interface with a different clearinghouse for 
each client. The EMR companies such as mine do not have the staffing or 
expertise to conduct and implement this efficiently. They build a 
template and 100% of the time it is not working properly and then has 
to be corrected for each individual claim that has been rejected. 
Multiply this by the number of clients it has and you can see why this 
has been a complete nightmare. For this reason alone we have not been 
able to successfully transmit claims. Again, I do not believe that 
Apple, Google, or Microsoft, would have taken nearly 3 months to 
resolve this issue.

    3.  Many insurance companies did not step up to the challenge of 
managing the crisis to alleviate the claim transmissions by offering an 
easy alternate submission route including UNITED (which was the cause 
of this problem) and CMS (the largest government healthcare 
contractor).

United has not posted anywhere or informed us that it will waive the 90 
day claim submission deadline as Mr Witty testified at your hearing. 
Furthermore, I have not received any mailing for potential financial or 
healthcare breach of data from United from a business or patient 
perspective or an offer for credit monitoring as was also highlighted 
at the meeting last week.

CMS is the only insurer that requires an EDI Enrollment Form for each 
clearinghouse used by a provider which only adds time to the process of 
eclaim submission by weeks. Unfortunately, one of our applications to 
CMS EDI Enrollment had 2 errors and instead of returning the 
application to us citing both errors on the first rejection, CMS 
decided to return the application twice after 2 submissions citing each 
error individually--again adding unnecessary time to get a working 
connection. Seemingly inefficient, each EDI Enrollment Application 
submission requires 1 week for approval.

I would like to commend the management of AETNA and HUMANA (I have no 
relatives working at these companies) which took the lead on resolving 
this eclaim submission nightmare and were flexible with providing a 
quick working solution. They informed us we could fax in paper HCFA 
1500 claims and they would EFT the payments as usual. It has worked 
flawlessly and we did not have to rely on the poor and incompetent 
technical support from our EMR company nor perform a double claims 
entry on another portal which posed additional technical challenges nor 
rely on the mail which has its own issues.

Again, I find it hard to believe that Apple, Google, or Microsoft would 
have left their customers waiting for an easy working technical fix for 
nearly 3 months on such a critical matter.

Unfortunately, I cannot conclude this letter informing you that we are 
up and running with flawless eclaim submission to all companies. We are 
still struggling to make electronic connection from the EMR to various 
insurance companies.

However, I can conclude that the implementation of EMR has not made any 
meaningful or cost effective improvement for private practice and has 
only added enormous costs, bureaucracy, and now, even greater 
frustration.

Thank you for your attention and interest in improving the current 
system for patient healthcare data management and eclaim transmission.

Gabriella Gerstle, M.D.

                                 ______
                                 
               National Association of Chain Drug Stores

                      1776 Wilson Blvd., Suite 200

                          Arlington, VA 22209

                              703-549-3001

                         https://www.nacds.org/

            Statement of Steven C. Anderson, FASAE, CAE, IOM
                 President and Chief Executive Officer

Introduction

The National Association of Chain Drug Stores (NACDS) appreciates the 
opportunity to submit a statement for the record for the United States 
Senate Committee on Finance's hearing on ``Hacking America's Health 
Care: Assessing the Change Healthcare Cyber Attack and What's Next.'' 
NACDS applauds your continued partnership and leadership to improve the 
effectiveness and the resiliency of the nation's healthcare system. 
Based on the experience of our chain pharmacy members since the 
cyberattack on Change Healthcare more than 8 weeks ago, we thank the 
Committee for the opportunity to share feedback on the impact of this 
detrimental disruption and recommendations to help address similar 
incidents that occur in the future.

Additionally, NACDS applauds your continued dedication to PBM reform as 
the recent cyberattack has only exacerbated the already dysfunctional 
reimbursement structure that continues threatening the future of 
community pharmacies' ability to serve the nation. NACDS looks forward 
to continued opportunities to work collaboratively to strengthen the 
nation's defenses against cyberattacks, in addition to effectuating 
comprehensive PBM reform, and addressing other key issues to promote 
health and healthcare access across communities nationwide.

 Pharmacy Lessons Learned From Change Healthcare Cyberattack: Informing 
                    Future Responses to Preserve Continuity of Care

Throughout the duration of the disruption stemming from the cyberattack 
on Change Healthcare, pharmacies have remained fully committed to 
promoting uninterrupted access to care for the patients and communities 
they serve nationwide. Feedback from our pharmacy membership indicates 
that across the country, pharmacies have been significantly impacted by 
the disruption caused by the cyberattack on Change Healthcare. Since 
disruptions were first encountered, pharmacies have continued to work 
tirelessly to mitigate delays and interruptions for their patients, 
implementing high-burden and unsustainable workarounds with very 
limited guidance and without indication of the scope of the 
interruption, nor an estimated duration of the disruption, especially 
during the first several weeks following the incident.

Despite important progress made over the last 8 weeks since the 
incident, pharmacies across the country continue to report disruptions 
as they work to process the backlog of claims that mounted during the 
outage of various billing systems and processes stemming. Specifically, 
pharmacies were unable to bill Medicare Part B for certain products and 
medications for nearly five weeks, with additional disruptions in 
billing across six state Medicaid programs for nearly six weeks,\1\ and 
interruptions in some workers' compensation plans as well. Still today, 
pharmacies are experiencing challenges processing manufacturer coupon 
cards and patient assistance programs that some patients rely upon to 
afford their medications. Workarounds for these programs have resulted 
in high administrative burdens and medication access delays in certain 
instances. While we appreciate actions taken by CMS, HHS, and 
UnitedHealth Group, to mitigate the impact of this disruption on 
pharmacies, other healthcare providers, and the American people, there 
are several key areas of opportunity outlined in this statement to 
better resolve current challenges and prepare for similar, future 
incidents.
---------------------------------------------------------------------------
    \1\ https://www.unitedhealthgroup.com/changehealthcarecyberresponse#latestupdates.
---------------------------------------------------------------------------

I.  Explore Emergency Solutions and Policy Levers to Mitigate Claims 
                    Processing Interruptions in Healthcare

During the recent interruptions in billing processes stemming from the 
Change Healthcare attack, cash flow challenges for pharmacies, 
hospitals, and medical offices have been reported on an ongoing basis. 
Most pharmacies and other entities could not seamlessly implement 
alternate claims processing, which requires substantial time and 
effort. Therefore, pharmacies and other healthcare providers had no 
choice but to manually hold transactions for billing at a later, 
unknown date, once the disruption was resolved. Importantly, holding 
claims places pharmacies and other providers in an untenable position, 
taking on financial risk for prescriptions dispensed and services 
provided without a reliable mechanism and timeframe to be compensated 
for those products and services.

While provider funds and temporary payment programs are greatly 
appreciated, reports of meager funds, egregious high-interest loan 
programs, and closed deadlines have mitigated benefits of such 
assistance. Also, because restoration timelines were unknown and 
unreliable earlier in the incident, it was challenging for providers 
eligible for such programs to determine if the administrative burden 
was worth the potential for temporary funding assistance. Rather than 
supporting temporary funding programs, it is critical for HHS and CMS, 
together with policymakers, to explore effective solutions and policy 
levers to better respond to emergency disruptions that more seamlessly 
resolve interruptions from such incidents. Specifically, implementation 
of emergency solutions, tools, and policies that provide an immediate, 
alternate mechanism for pharmacy and medical claims processing is an 
essential lesson learned from the recent cyberattack. It is critical 
that the response to the next interruption is not built around a 
temporary patchwork of provider loans, but rather a sturdy and reliable 
mechanism for healthcare providers to rely on so when emergency 
disruptions occur, alternate tools exist and can be active to support 
uninterrupted healthcare for the nation without additional strain on 
the healthcare providers who are on the front lines of serving the 
American people. Leveraging lessons learned during the recent Change 
Healthcare incident, NACDS recommends the following:

NACDS Recommendation 1. Together with policymakers, HHS and CMS should 
work with pharmacies and other healthcare providers and states to 
explore, and ultimately implement, solutions to minimize risk and harm 
to pharmacies and other healthcare entities when pharmacy and medical 
claims processing is interrupted. For example, a tool such as the 
Emergency Prescription Assistance Program (EPAP), that may allow 
pharmacies to temporarily bill for prescriptions for a subset of 
impacted patients and health plans, is an important concept to explore. 
Additionally, in circumstances where processing of Medicare Part B 
claims is disrupted, temporary billing to Medicare Part D, if feasible, 
should be considered by CMS. Solutions that allow pharmacies and other 
healthcare providers to immediately bill and be reimbursed as they 
usually would, should be prioritized, rather than temporary funding 
loans, advance payments, or other programs healthcare providers must 
apply for and expend additional resources to receive. The most 
effective solutions will be those that support immediate, alternate 
billing mechanisms without additional burden on healthcare providers to 
maintain uninterrupted operations and healthcare delivery.

NACDS Recommendation 2. Together with policymakers, HHS and CMS should 
work with Change Healthcare and other prescription processing companies 
to mitigate any friction or unnecessary burden for pharmacies to 
partner with multiple, or different, prescription processing companies 
as a means of mitigating potential future disruptions caused by similar 
incidents. Partnering with other claims processors to implement an 
alternate process for prescription claims processing requires 
tremendous time, effort, and costs. The process to implement alternate 
claims processing is arduous, and is not conducive to addressing 
emergent outages or disruptions and must be implemented in advance of 
an emergency. For example, pharmacies who may elect to switch 
clearinghouses must manually update their new clearinghouse information 
individually for each pharmacy store in the Provider, Enrollment, 
Chain, and Ownership System (PECOS), which is tremendously burdensome. 
NACDS urges CMS to implement more efficient processes for pharmacies to 
update any clearinghouse changes across all pharmacy locations en masse. 
More broadly, removing hurdles to pharmacies and other healthcare 
providers partnering with multiple processors could help alleviate 
future impacts of similar incidents.

NACDS Recommendation 3. Together with policymakers, HHS and CMS should 
seek to proactively mitigate instances when health plan programs are 
exclusive to only one prescription processor. As demonstrated by the 
current incident, scenarios when the sole prescription processor is 
compromised for a certain program are especially disruptive, as no 
other mechanism exists for billing and reimbursement. Key consideration 
should be made to support alternate claims processing especially for 
the following programs: Medicaid Fee-For-Service, manufacturer cash 
discount cards and Patient Assistance Programs, Medicare Part B 
prescription claims, including diabetes supplies, major medical plans, 
and workers' compensation insurance.

II. Mitigation of Harmful PBM Practices & Undue Requirements

Lack of claims processing, along with PBMs' preexisting draconian 
behavior (e.g., below-cost reimbursement, egregious audit practices), 
during this cyberattack intensified the already lopsided reimbursement 
structure that continues threatening patients' access to their 
neighborhood pharmacy and the viability of community pharmacies across 
the country. America's pharmacies are in a crisis and urgently need 
Congress to advance comprehensive PBM reform now to help address these 
reimbursement challenges and ensure pharmacies can keep their doors 
open for the foreseeable future. To that end, NACDS strongly urges 
Congress to enact comprehensive pharmacy benefit manager (PBM) reforms 
included in NACDS' Principles of PBM Reform, outlined below. Congress 
has already recognized the importance of enacting PBM reform as many of 
these policies have already advanced this Congress with bipartisan and 
bicameral support. Last December, the House acted with a broad 
bipartisan vote to pass the Lower Costs, More Transparency Act, a bill 
that provides components of PBM reform, while the Senate Finance 
Committee advanced the Modernizing and Ensuring PBM Accountability Act 
and the Better Mental Health Care, Lower-Cost Drugs, and Extenders Act, 
two bills also including necessary PBM reforms. We applaud these 
efforts and urge Congress to take the next step by enacting these 
important protections for pharmacies without delay.

NACDS' Principles of PBM Reform

      Help to Preserve Patient Access to Pharmacies by Addressing 
PBMs' Retroactive Pharmacy Fees
            Retroactive DIR Fees/Claw Backs--Pharmacy 
        access can be undermined when health plans and their middlemen, 
        PBMs, arbitrarily ``claw back'' fees retroactively from 
        pharmacies weeks or months after a claim has been adjudicated/
        processed. This manipulation of pharmacy reimbursements may 
        diminish access to care (e.g., pharmacies being forced to close 
        their doors or pare back hours and healthcare services) when 
        PBMs are unpredictable, not transparent, and payment falls 
        below a pharmacy's costs to acquire and dispense prescription 
        drugs. Policymakers should consider enacting laws that prohibit 
        payers or PBMs from retroactively reducing and/or denying a 
        processed pharmacy drug claim payment and obligating them to 
        offer predictable and transparent pharmacy reimbursement to 
        better protect pharmacies as viable and reliable access points 
        of care for patient services.

      Provide Fair and Adequate Payment for Pharmacy Patient Care 
Services
            Reasonable Reimbursement & Rate Floor--Pharmacy 
        access remains at risk when PBMs reimburse pharmacies below the 
        cost to acquire and dispense prescription drugs. Pharmacy 
        reimbursement that falls below the costs to acquire and 
        dispense prescription drugs threatens future sustainability for 
        pharmacies to continue providing valuable medication and 
        pharmacy care services to communities. Policymakers should 
        enact laws to adopt a reimbursement rate floor that requires 
        PBMs to use comprehensive reimbursement models that are no less 
        than the true cost to purchase and dispense prescription drugs 
        to help maintain robust public access to pharmacies.
            Standardized Performance Measures--A crucial 
        part of comprehensive DIR fee reform is advancing pharmacy 
        quality that improves outcomes for beneficiaries and drives 
        value in care which are essential to controlling costs in the 
        healthcare system. Arbitrary performance measures developed by 
        PBMs assess the performance of the pharmacy without pharmacies' 
        input and create a moving target for pharmacies to show value 
        and improve health outcomes. Measures vary across the various 
        plans and dictate DIR fees (or claw backs at the State level) 
        imposed on pharmacies, as well as help create substantial 
        system dysfunction and unnecessary spending in the Part D 
        program. Policymakers should enact laws to standardize PBMs' 
        performance measures for pharmacies to help set achievable 
        goals for pharmacies before signing a contract to promote 
        harmonization in the healthcare system and improvements in 
        health outcomes.

      Protect Patient Choice of Pharmacies
            Specialty--Some PBMs require patients with rare 
        and/or complex diseases to obtain medications deemed 
        ``specialty drugs'' from designated ``specialty pharmacies'' or 
        mail-order pharmacies which impedes patient access to their 
        convenient local neighborhood pharmacies where specialty drugs 
        are filled as well. Prescription drugs should not be classified 
        as ``specialty drugs'' based solely on the cost of the drug or 
        other criteria used to limit patient access and choice--
        instead, should focus on clinical aspects such as requiring 
        intensive clinical monitoring. Policymakers should enact laws 
        to establish appropriate standards for defining and 
        categorizing specialty drugs to ensure comprehensive and 
        pragmatic patient care and access and prohibit PBMs from 
        steering patients to only specialty pharmacies, including those 
        owned by the PBMs, for their prescription needs.
            Mail Order--Medication access and care can be 
        weakened when PBMs manipulate the system by requiring patients 
        to use mail-order pharmacies only. Some plans impose penalties 
        such as higher copays or other financial disincentives for 
        choosing a retail pharmacy instead of a mail-order pharmacy 
        which is often owned by the PBM. Policymakers should support 
        patient choice and access by enacting laws to prohibit PBMs 
        from requiring or steering patients to use mail-order 
        pharmacies.
            Any Willing Pharmacy--Due to PBMs' network and 
        contract barriers, pharmacies willing and ready to serve 
        patients may be ineligible to provide important pharmacy 
        services and patients may experience unnecessary delays and 
        interruptions in patient care. Patients should have the choice 
        and flexibility to utilize the pharmacy that best meets their 
        healthcare needs. Policymakers should enact laws that require 
        PBMs and plans to include any pharmacies in their networks if 
        the pharmacy is willing to accept the terms and conditions 
        established by the PBM to help maximize patient outcomes, and 
        cost savings and ensure patient access to any willing pharmacy 
        of their choice.

      Enforce Laws to Stop PBM Manipulation and Protect Pharmacies and 
Patients
            Audits--PBMs routinely conduct audits to 
        monitor a pharmacy's performance and reverse or claw back 
        pharmacy payments when there are alleged issues with a 
        particular pharmacy claim. PBM audits interrupt the pharmacy 
        workflow, can extend wait times, and detract attention from the 
        quality of care patients receive. Policymakers should enact 
        laws that support fair pharmacy audit practices to ensure 
        timely patient care delivery at community pharmacies and bring 
        efficiency, transparency, and standardization to the PBM audit 
        process.
            Oversight Authority--There are growing concerns 
        that pro-pharmacy and pro-patient legislative successes might 
        be undercut if PBMs fail to comply with such laws and/or states 
        fail to fully enforce these laws. Such failure could 
        significantly impact pharmacy reimbursement and overall patient 
        access. Policymakers should establish and enforce laws already 
        on the books to regulate harmful PBM reimbursement practices 
        that may harm patients and the healthcare system as we know it, 
        especially at the pharmacy counter, and empower state 
        regulators to do the same to enforce PBM transparency and fair 
        and adequate pharmacy reimbursements.

Additionally, in late February, Optum Rx, the PBM affiliate of 
UnitedHealth Group, has indicated they will make payment for pharmacy 
claims in good faith given lacking system functionality resulting from 
the cyberattack incident. However, pharmacies have seen claim 
rejections from other health plans and PBMs who have not acknowledged 
these extreme and uncontrollable circumstances, worsening challenges 
for patients and pharmacies during this already difficult time. Based 
on feedback from our membership, pharmacies continued to see billing 
rejections after the incident (e.g., refill too soon, prior 
authorization required), demonstrating that some PBMs impacted were not 
acting in good faith to support patient access and claims processing 
during the incident, disregarding the lack of system functionality 
during the outage. In late March, Optum Rx committed not to audit 
pharmacy claims that were impacted in any way during the disruptions, 
as audits in this climate could lead to retroactive claw backs to 
pharmacy reimbursement. However, information related to audits from 
other health plans and PBMs impacted has been sparse. Therefore, NACDS 
urges:

NACDS Recommendation 4. Together with policymakers, HHS and CMS should 
work closely with all health plans and Pharmacy Benefit Managers (PBMs) 
impacted by the Change Healthcare disruption to strongly encourage PBMs 
to publish their intent to: act in good faith on claims affected by the 
current incident as an important means of preserving patient access to 
care; and not to audit on pharmacy and medical claims impacted by this 
cyberattack. Additionally, HHS and CMS should seek to ensure that 
impacted PBMs do not attempt to seek monetary compensation for their 
financial impact of this incident in the form of fees, reimbursement 
concessions, or any other form of financial adjustment imposed on 
pharmacies. In planning for future incidents, Congress and the 
Administration should work with CMS, other health plans, and PBMs to 
proactively establish policies that commit to a reasonable approach to 
claims review by (1) paying claims in good faith and (2) exempting 
claims from auditing during the impacted time period of such incidents. 
Additionally, CMS, health plans and PBMs should develop proactive 
guidance for pharmacies and other healthcare providers on billing a 
backlog of claims during periods of disruptions and such guidance 
should emphasize a reasonable approach to claims review, and ensure 
waiving of any existing penalties, extraneous requirements, or 
deadlines to reasonably support pharmacies' and other healthcare 
providers' delayed billing of claims when extreme and uncontrollable 
circumstances arise, like those observed during the Change Healthcare 
incident.

III.  Data Transparency & Privacy

Since this incident was first reported, the severe lack of transparency 
on the full scope of the disruption has been extremely problematic, 
including lack of clarity on the estimated restoration timeline. Also, 
just 5 days after the incident was reported, a February 26th statement 
from UnitedHealth Group indicated that all pharmacies had implemented 
either modified electronic claims processing or offline workarounds to 
address this incident.\2\ However, lacking data transparency prevented 
other entities from being able to cross-reference or confirm that data 
was accurate. Unsubstantiated representations of the situation may have 
stifled attention and action on the disruptions for pharmacies early in 
this incident.
---------------------------------------------------------------------------
    \2\ https://www.beckershospitalreview.com/cybersecurity/unitedhealth-says-most-pharmacies-have-effective-workarounds-amid-change-cyberattack.html.

In fact, the statement from UnitedHealth Group was in direct conflict 
with the impacts and disruptions being reported by the nation's 
pharmacies.\3\ Later reports from UnitedHealth Group indicated that 99% 
of pharmacy claims were flowing, however this data could not be 
substantiated by pharmacies. Also, consider that 6.7 billion 
prescriptions were filled by pharmacies in 2022.\4\ If 1% of those 
prescriptions were disrupted during a 2-month period, that equates to 
more than 11 million impacted prescriptions. Consider the millions of 
Americans who either may have faced challenges in accessing their 
medication or more than 11 million prescriptions that pharmacies 
dispensed at the financial risk of not being paid for their critical 
services, placing the nation's pharmacies in an even more untenable 
position as they simultaneously work to combat underwater reimbursement 
from market dominant PBMs and advocate for PBM reform. However, due to 
lacking data transparency on the issue, the full scope of the incident, 
including prescriptions impacted, remains unclear.
---------------------------------------------------------------------------
    \3\ https://www.nacds.org/news/nacds-letter-to-hhs-cms-urges-immediate-action-to-preserve-americans-access-to-care-amid-disruption-caused-by-change-healthcare-cyberattack/.
    \4\ https://www.iqvia.com/insights/the-iqvia-institute/reports-and-publications/reports/the-use-of-medicines-in-the-us-2023#::text=Total%20prescriptions%20%E2%80%94%20adjusted%20for%20prescription,from%206.1%20billion%20in%202018.

Further, throughout the incident, NACDS has continued to urge for more 
information from UnitedHealth Group about how they will address any 
HIPAA breaches that result from this incident. Recent information from 
UnitedHealth Group indicates, ``Based on initial targeted data sampling 
to date, the company has found files containing protected health 
information (PHI) or personally identifiable information (PII), which 
could cover a substantial proportion of people in America.''\5\ NACDS 
appreciates UnitedHealth Group's commitment to provide appropriate 
notifications and to help ease reporting obligations on other 
stakeholders whose data may have been compromised as part of this 
cyberattack, as UnitedHealth Group has offered to make notifications 
and undertake related administrative requirements on behalf of any 
provider or customer.\5\ UnitedHealth Group, however, has stated that 
the notifications it is willing to make are not official breach 
notifications.\5\
---------------------------------------------------------------------------
    \5\ https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html.

NACDS Recommendation 5. NACDS strongly urges HHS and its Office for 
Civil Rights (OCR) to exercise enforcement discretion such that 
UnitedHealth Group is required to provide notification of any breaches 
that may have occurred, or will occur, as required under the HIPAA 
rules, rather than requiring every covered entity to provide HIPAA-
required breach notifications. Because of the size and extent of the 
cyberattack, a single, coordinated reporting process is needed. 
Otherwise, millions of Americans could receive multiple reports of the 
same breach, which would cause more confusion, misunderstanding, and 
stress.

Conclusion

NACDS looks forward to partnering with policymakers, HHS, CMS, states, 
and other key stakeholders to support uninterrupted access to care for 
the American people during this immediate incident and to better 
prepare for future challenges. Underpinning the ability for pharmacies 
to continue serving Americans is the importance of implementing 
comprehensive PBM reform now. It is unacceptable that PBMs continue to 
profit at the expense of patients, pharmacists, and pharmacies, 
especially in a time of uncertainty and massive disruption in 
healthcare. We need to strengthen our defenses against future 
cyberattacks and pass PBM reform now to ensure affordable, high-
quality, and uninterrupted access to healthcare for Americans.

We greatly appreciate the opportunity to inform timely action on this 
critically important issue. For questions or further discussion, please 
contact NACDS' Sara Roszak, Senior Vice President, Health and Wellness 
Strategy and Policy at sroszak@nacds.org or 703-837-4251.

                                 ______
                                 
                   North Florida Integrative Medicine

                       6228 NW 43rd St., Suite B

                         Gainesville, FL 32653

                         Phone: (352) 332-6680

                          Fax: (352) 332-6604

                        https://www.mynfim.com/

May 9, 2024

RE: Hacking America's Health Care: Assessing the Change Healthcare 
Cyber Attack and What's Next

Dear Senate Finance Committee:

Please include this ``for the record'' for the May 1, 2024 hearing on 
the Change Healthcare attack.

I am one of the small private doctors in primary care with high 
overhead and low liquidity severely affected by the CHANGE outage.

It is still affecting my finances but finally I am seeing payments.

My struggle is documented in these articles published by BLOOMBERG and 
CNBC on April 29th, just prior to your hearing on May 1st.

https://www.bloomberg.com/news/articles/2024-04-29/unitedhealth-hack-lawmakers-probe-change-healthcare-data-breach?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb3VyY2UiOiJTdWJzY3JpYmVyR2lmdGVkQXJ0aWNsZSIsImlhdCI6MTcxNDM5MzE5MywiZXhwIjoxNzE0OTk3OTkzLCJhcnRpY2xlSWQiOiJTQ1BBS1BEV0xVNjgwMCIsImJjb25uZWN0SWQiOiJCMUJDOTdEOTQ3MTg0OUExQkQ4MjIyN0MwMzJCRDQ4MiJ9.wJeTr-WkxEZYqmyQ4AJinCOM7S8l6iiy9Yf8IzjpSmk

https://www.cnbc.com/2024/04/30/change-healthcare-cyberattack-doctors-tap-personal-savings-for-costs.html

Please:

    1.  Support dismantling the UnitedHealth Group ``leviathan.'' They 
have too much power as evidenced by this disruption putting so many of 
us almost out of business and leaking protected health information of 
potentially ``1/3'' of Americans according to Mr. Andrew Witty, CEO 
of UHG.
    2.  Censor them for buying out Corvallis health system in Oregon in 
March after they put them in distress.
    3.  I heard during the testimony by Mr. Andrew Witty that they have 
approximately 1 in 10 doctors in the country working for them in 
some way.

I believe there are serious antitrust issues with UHG being so large. 
It has been hard to negotiate good reimbursement rates from 
UnitedHealthcare insurance for a while now.

Finally, they need to be held accountable for the financial damages 
doctors like me have incurred including inordinate hours of personal 
and staff time trying to figure out how to have alternative ways to be 
paid, loss of income from retirement investments liquidated, any 
interest for loans taken to keep our practices open and continued 
struggle with finances.

Most sincerely,

Angeli Maun Akey, M.D., FACP
Owner and Medical Director

                                 ______
                                 
                            People's Action

                         1130 N Milwaukee Ave.

                           Chicago, IL 60642

                             (312) 243-3035

                       https://peoplesaction.org/

People's Action appreciates the opportunity to submit testimony for the 
record of the hearing titled, ``Hacking America's Health Care: 
Assessing the Change Healthcare Cyber Attack and What's Next.'' 
People's Action's Care Over Cost campaign is organizing people impacted 
by the systemic problem of claim denials that result in delays of care, 
debt, bankruptcy and worsening health or premature death. We are 
campaigning to win people the care they need, address the problem at 
its root cause and win policy change to improve health care. Together, 
we represent 1 million people in America--many of whom have been harmed 
by the epidemic of care denials within the private health industry and 
specifically by UnitedHealthcare.

We understand that the data hack has deeply harmed health centers 
serving poor and uninsured people and the people whose private 
information is now available on the internet to scammers and 
fraudsters. But the harm that UnitedHealth Group inflicts on people 
goes far beyond negligent cybersecurity. They are intentionally 
blocking healthcare providers from providing care and bragging to their 
shareholders about how much money they're making while they do it. Two 
weeks ago they announced that they took $7.9 billion in profit in just 
3 months. We urge you to hold CEO Andrew Witty accountable for the 
systemic denials of care and payments through prior authorization 
requests and claims denials.

People's Action's network's members tell us that despite expansions to 
health insurance coverage, people are still experiencing major barriers 
to receiving care. In many cases, the largest barrier to receiving care 
is the private health insurance corporations themselves refusing to 
authorize or pay for care. UnitedHealthcare stands out in particular as 
a company that is dominating the privatized Medicare market, making 
most of its profits off of public dollars and engaging in systemic 
delays and denials of care. Everyone should have the health care they 
need, when and where they need it, and Senators must demand that they 
stop profiting by denying people their health care.

Seventy-six percent of people in America get their health insurance 
from a private company \1\ based on the promise, explicit or implicit, 
that they and their covered family members will be able to afford and 
receive the care they need and their doctors recommend. Instead, 
private health insurance companies deny health care for their members 
well over 248 million times annually.\2\ This averages out to more than 
once per covered member.
---------------------------------------------------------------------------
    \1\ ``Health Insurance Coverage in the United States: 2020,'' 
Census.gov, September 14, 2021, https://www.census.gov/library/
publications/2021/demo/p60-274.html (66.5% exclusively through a 
private plan and then an additional 9.5% including privatized Medicaid 
and Medicare = 76% total insured through private plans).
    \2\ Karen Pollitz et al., ``Claims Denials and Appeals in ACA 
Marketplace Plans in 2021, ACA Marketplace 48.3 million in 2020 in-
network claim denials,'' KFF, February 9, 2023, https://www.kff.org/
private-insurance/issue-brief/claims-denials-and-appeals-in-aca-
marketplace-plans/. Department of Labor est. 200 million for employer 
delivered health insurance in 2017, 2023 number including other private 
health insurance coverage (Medicare Advantage & Privatized Medicaid) 
plus increase in ACA/employer markets likely to be much greater.

Delays and denials of care result in suffering for tens of millions of 
people annually in the form of medical debt, bankruptcy, ongoing 
sickness or injury, increased stress and lost wages, worsened health 
outcomes and even premature death. According to the Kaiser Family 
Foundation, 1 in 11 adults reported they delayed or went without care 
because of the cost and nearly 1 in 10 adults (23 million people) owe 
over $250 in medical debt.\3\
---------------------------------------------------------------------------
    \3\ ``How does cost affect access to healthcare?'', Health System 
Tracker, January 12, 2024, https://www.healthsystemtracker.org/chart-
collection/cost-affect-access-care/.

---------------------------------------------------------------------------
Below are some examples of claims denials by UnitedHealthcare:

Jenn Coffey of Manchester, NH was denied life-saving and life-
transforming infusions by her UnitedHealthcare Medicare Advantage plan. 
In the wake of multiple battles with breast cancer Jenn suffers from 
Complex Regional Pain Syndrome. She spent years in bed with the 
condition known as one of the most painful to humankind. Because 
UnitedHealth wouldn't pay for the infusions Jenn needed to mitigate the 
pain she had to sell her car and other belongings. Jenn has been in a 
never-ending battle with UnitedHealthcare where she has to contest 
every prior-authorization denial. UnitedHealthcare has at times offered 
payment of $1.22 and $1.01. At other times, UnitedHealthcare has 
offered payment for Jenn's infusion medicine but denied payment for 
saline and other necessary aids.

Thirty-year old Carly Morton of Beaver, PA was denied life-saving and 
life-transforming surgery by her UnitedHealthcare Medicare Advantage 
plan. Carly suffers from neurogenic Median Arcuate Ligament syndrome. 
As a result she was not able to eat for years, was constantly in and 
out of hospitals and had a majority chance of dying within 5 years. 
Carly's doctors ordered a life-saving surgery and UnitedHealthcare 
denied prior-authorization. Carly spent months in tears on the phone 
with UnitedHealthcare customer service agents who sent her in circles. 
After a public campaign in which thousands of people advocated on her 
behalf, a retired insurance attorney helped her with appeals and United 
States Senator Bob Casey reached out to UnitedHealthcare, they 
ultimately relented and prior-authorized Carly's surgery. Carly 
received the needed surgery and it indeed transformed her life allowing 
her to eat without pain for the first time ever. Carly will live. 
However UnitedHealth still won't pay Carly's surgeon for this life-
transforming surgery.

Alysia Dominique of Pueblo, Colorado has suffered from diabetes. Alysia 
is insured by UnitedHealthcare through her employer. Recently Alysia's 
doctors recommended a dosage increase of Ozempic to better control her 
diabetes and prevent nerve damage, kidney failure, blindness and even 
death. UnitedHealthcare denied the dosage increase of Ozempic even 
though they were already covering the medicine resulting in Alysia 
being unable to fulfill a prescription for the medicine at all 
resulting in ongoing suffering and risk to her. Alysia believes United 
should rebrand itself as UnitedHealth (doesn't) care.

Delays and denials of care are an even greater problem in privatized 
public programs within Medicaid and Medicare (managed care and Medicare 
Advantage, respectively). Private health insurance corporations denied 
claims that otherwise met Medicare coverage rules 18% of the time \4\ 
in Medicare Advantage plans. For privatized Medicaid, UnitedHealthcare 
denied care an average of 13.6% of the time across states, and one 
state's denial rate was an astonishing 27%.\5\ UnitedHealth is taking 
public money meant to provide health care for seniors, people with 
disabilities, and poor people, and is instead using it to pad executive 
salaries and profits by denying medically necessary care.
---------------------------------------------------------------------------
    \4\ Reed Abelson, ``Medicare Advantage Plans Often Deny Needed 
Care, Federal Report Finds,'' The New York Times, April 28, 2022, 
https://www.nytimes.com/2022/04/28/health/medicare-advantage-plans-
report.html.
    \5\ Department of Health and Human Services Office of the Inspector 
General, July 2023, https://oig.hhs.gov/oei/reports/OEI-09-19-
00350.pdf.

---------------------------------------------------------------------------
Here are just a few examples of UnitedHealth's profiteering:

      In 2022, UnitedHealthCare CEO, Brian Thompson was paid 
$9,859,429.\6\
---------------------------------------------------------------------------
    \6\ Salary.com website, last accessed April 30, 2024, 
https://www1.salary.com/
UNITEDHEALTH-GROUP-INC-Executive-Salaries.htmlv.
---------------------------------------------------------------------------
      Between the 5 years of 2018-2022, UnitedHealth Group's CEO Sir 
Andrew Witty extracted over $90 million in executive and board pay for 
himself.
      UnitedHealth Group took $22.4 billion in profit in 2023 
alone.\7\
---------------------------------------------------------------------------
    \7\ ``UnitedHealth Group Full Year 2023 Earnings: In Line With 
Expectations,'' Yahoo Finance, March 3, 2024, https://finance.yahoo.com/
news/unitedhealth-group-full-2023-earnings-130707601.html.?guccounter=1.
---------------------------------------------------------------------------
      UnitedHealth Group sent $14.8 billion to shareholders through 
buybacks and dividends in 2023 alone.\8\
---------------------------------------------------------------------------
    \8\ Marketwatch.com, https://www.marketwatch.com/press-release/
advisory-unitedhealth-group-reports-2023-results-0ee8ec8a.
---------------------------------------------------------------------------
      Just this month, UnitedHealth Group reported taking over $7.9 
billion in profits so far in 2024.
      UnitedHealth Group spent $3,102,539 on political contributions 
and $6,430,000 on lobbying in 2022 alone.\9\
---------------------------------------------------------------------------
    \9\ UnitedHealth Group Profile, Open Secrets, April 30, 2024, 
https://www.opensecrets.org/orgs/unitedhealth-group/
summary?id=D000000348.

The U.S. has a lower average life expectancy by 6 years than our peer 
countries, yet we pay $5,000 more per capita for health care. 
Meanwhile, private health insurance corporations rake in tens of 
billions in profits, while purchasing tens of billions of dollars in 
shares to raise prices and over-compensate executives. These profits 
are taken through hiked premiums from policyholders, denied claims, and 
inflated charges to public health insurance programs.

UnitedHealth Group's profiteering by denying care is a disgrace, 
leaving people across the United States without the care they 
desperately need. We recommend that the Senate require UnitedHealth 
Group to take the following actions:

      Require UnitedHealth Group to execute a publicly shared audit 
and reimburse federal and state governments for the public money 
diverted by claim and prior-authorization denials within Medicaid 
(Managed Care), and Medicare (Medicare Advantage);
      Stop UnitedHealth Group's overbilling of Medicare by Medicare 
Advantage plans;\10\
---------------------------------------------------------------------------
    \10\ ``Our Payments, Their Profits,'' Physicians for a National 
Health Program, 2023, https://pnhp.org/system/assets/uploads/2023/09/
MAOverpaymentReport_Final.pdf.
---------------------------------------------------------------------------
      Prohibit prior authorization requests for treatments recommended 
by medical professionals; or at the very least:
            Immediately cease the practice of using 
        Artificial Intelligence and algorithms to initiate claims 
        denials in bulk;\11\
---------------------------------------------------------------------------
    \11\ Casey Ross & Bob Herman, ``Denied by AI: How Medicare 
Advantage plans use algorithms to cut off care for seniors in need,'' 
Stat News, March 13, 2023, https://www.statnews.com/2023/03/13/
medicare-advantage-plans-denial-artificial-intelligence/
#:~:text=Health%20insurance%20companies%20have%20rejected,more%20than%2031%20million%20people.
---------------------------------------------------------------------------
            Require transparent publication of details of 
        denied claims/prior-authorizations by market, plan, state, 
        geography, gender, disability, and race/ethnicity;
            Relinquish ownership of and transfer over the 
        claim appeals process to relevant public authorities;
      Expedite payment of claims;
      Disclose monetary value of total denied claims/prior-
authorizations broken down by internal and external appeals processes 
and total percentage of profits taken by denying care;
      Hold quarterly open microphone meetings with policyholders to 
discuss problems with their insurance products in each state they sell 
insurance in just as they hold public meetings with their shareholders 
to discuss the profits;
      Cease using public funds and policyholder premiums for stock 
buybacks;
      Cease overriding the will of people who need health care by 
lobbying and donating their members' money to politicians' campaigns, 
PACs and any other entities that can advocate for or against the defeat 
of elected officials.
      Document and publicly release the time and money spent by 
healthcare professionals and policyholders requesting prior-
authorizations for treatments that are eventually approved.

We and our members take seriously the harm UnitedHealthcare and other 
UnitedHealth Group subsidiaries cause our people. On March 13, 2024, we 
hosted a livestream where people shared stories of UnitedHealthcare 
denials. We urge you to use your legislative and oversight authority to 
stop the systemic problems of delays and denials of care by 
UnitedHealthcare.

Links

http://www.careovercost.org/

https://www.crowdcast.io/c/
careovercost?link_id=2&can_id=fb619e9689086ee8dbe5
451021351a66&source=email-marylanders-act-now-on-this-urgent-
opportunity-to-support-health-insurance-
reform&email_referrer=email_2234960&email_subject=join-us-online-for-
unitedhealth-doesnt-care-on-313-at-8pm-eastern

                                 ______
                                 
                   Perinatal Associates of New Mexico

                        201 Cedar SE, Suite 405

                         Albuquerque, NM 87106

                          505-764-9535 office

                            505-843-9646 fax

                         https://www.panm.com/

May 1, 2024

U.S. Senate
Committee on Finance

Members of Congress,

My name is Michael S. Ruma, M.D., MPH. I am a maternal-fetal medicine 
subspecialist and president of Perinatal Associates of New Mexico. Our 
practice is the largest perinatal practice in the state. We provide 
high-risk pregnancy care for over 45% of all births in New Mexico.

I would like to share our experience and concerns regarding our 
statewide New Mexico perinatal practice's inability to fully utilize 
our electronic medical record (EMR) after the United Healthcare Group/
Optum Health/Change Healthcare cybersecurity breach which occurred on 
February 21, 2024 and has not been resolved as of today.

I also want to share a recent news story which was published in the 
Santa Fe New Mexican detailing the difficulties faced by our medical 
practice. You can find the newspaper story at the link below.

https://www.santafenewmexican.com/news/local_news/purgatory-of-paper-
health-care-providers-raise-concerns-about-consolidation-in-wake-of-
cyberattack/article_64f
becf4-ec95-11ee-a548-cbcff55f08d0.html

I have reached out to our EMR's CEO, CMO, and product manager, United 
Healthcare leadership, and each of our NM congressional representation 
to escalate my concerns.

      Our practice is unable to order any laboratories electronically 
from our EMR due to failure of the Change Healthcare interface.
      Our practice is unable to receive any laboratory results 
electronically into EMR due to a failure of the Change Healthcare 
interface.
      Our practice is unable to send obstetric ultrasound reports from 
our ultrasound reporting system to our EMR due to a failure of the 
Change Healthcare interface.
      Our practice is unable to electronically process claims with New 
Mexico Medicaid from our EMR due to a failure of the Change Healthcare 
interface.
      Our practice continues to pay our EMR vendor a monthly 
subscription for services which are completely non-functional due to 
failures on the part of Change Healthcare.

Facing these challenges and seriously concerned regarding the timeline 
for restoration on the part of United Healthcare/Optum Health/Change 
Healthcare, I reached out to the New Mexico Medical Society and the 
American Medical Association. On April 15, 2024, I met briefly with 
Roger Connor (CEO Optum Insight) and Mike Peresie (CEO Change 
Healthcare) to convey my concerns and advocate for a rapid fix to the 
issues we are facing daily in New Mexico.

Here is a summary from our meeting.

      Change Healthcare was beginning restoration of Clinical Exchange 
on April 15th with an anticipation of going live within 2 weeks.
      Change Healthcare has over 350 lab connections to complete 
including reconnection of Greenway Health (our EMR) and Tricore 
Reference Laboratories (our main New Mexico lab).
      Labcorp is included among the first 20 labs in the country to be 
reconnected by Change Healthcare.
      No information could be shared regarding where Tricore Reference 
Laboratories was on the list of lab reconnections.
      Our ultrasound reporting software interface to Greenway Intergy 
EMR would begin working once the lab reconnection is completed by 
Change Healthcare.

We also discussed the extreme health inequities faced in the state of 
New Mexico.

      Maternal mortality rates vary significantly from state to state.
      Mississippi had the highest maternal mortality rate in 2021, 
with 82.5 deaths per 100,000 births, followed by New Mexico with 79.5 
deaths per 100,000 births.
      In contrast, California had the lowest maternal mortality rate 
(9.7), and Massachusetts had the second lowest (17.4).
      https://usafacts.org/articles/which-states-have-the-highest-
maternal-mortality-rates/

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
    
      There are 2,205 LabCorp locations in the United States as of 
March 27, 2024.
      The state with the greatest number of LabCorp locations in the 
U.S. is California, with 324 locations (15% of all LabCorp locations in 
the U.S.).
      The northeast US has a concentrated, high percentage of LabCorp 
locations.
      https://www.scrapehero.com/location-reports/LabCorp-USA/

After exhaustive efforts, Mike Peresie (CEO Change Healthcare), 
Christina Fortner Slade (Greenway Health--Chief Client Experience 
Officer), Dr. Angela Sanchez (Tricore--Chief Medical Officer) and I met 
on April 25, 2024 to coalesce a plan for reconnection of our lab and 
ultrasound interfaces.

As of today, work to reconnect Perinatal Associates of New Mexico, 
Greenway Health, and Tricore Reference Laboratories is ongoing with no 
specific estimate on complete restoration. Our ability to care for 
pregnant patients and improve their outcomes throughout the state of 
New Mexico remains limited due to the lack of connectivity provided by 
United Healthcare Group/Optum Health/Change Healthcare interfaces.

Providing healthcare in the United States is a privilege, honor, and 
challenge. As a physician with over 20 years of experience, clinicians 
face innumerable obstacles in their provision of medical care to 
patients.

A lack of oversight and cybersecurity by the largest health insurer in 
America which created a national outage affecting pharmacy 
prescription, laboratory orders and results, and insurance payor claims 
processing for medical practices and hospitals across our country needs 
serious assessment, corrective action, and protections placed by 
Congress to ensure the security of American healthcare in the future. 
Please address these issues during your committee hearings and 
forthcoming legislative efforts. Patients throughout the United States 
deserve your dedicated attention to this important matter. Their lives 
and their health outcomes depend on your actions today.

If you or any Congressional leaders have the time to reach out, please 
feel free to reach me by cell at 505-506-8744 or by email at 
[email protected].

Sincerely,

Michael S. Ruma, M.D., MPH
President

                                 ______
                                 
                  Statement Submitted by Pamela Reeve

Hacking America's Health Care: Assessing the Change Healthcare Cyber 
Attack and What's Next

May 1, 2024

My name is Pamela Reeve. I was one of the many patients across the 
nation impacted by Change Healthcare's data breach earlier this year.

After visiting the dentist in February for some routine work, I 
received notification of a large outstanding payment for the treatment 
I had received. Confused, I contacted the office and learned that my 
patient data had been part of a much larger breach. As a result, the 
entire dental office was forced to shut down operations to protect 
clients' private health data.

This happened days after I received care. Not only did I feel for the 
office staff who underwent immense stress and financial loss in an 
attempt to protect patient data, but also concern for myself and others 
who may have had their private information shared due to Change 
Healthcare's lax data practices.

Bigger is not always better or safer: We must apply the same 
expectations of privacy and data protection to large companies like 
Change Healthcare as we would any other firm.

                                 ______
                                 
                 Letter Submitted by Ann Smith, LCSW-C
Dear Members,

I am writing as an individual and self-employed mental health provider 
in Maryland to express my concerns about how the Change Healthcare 
cyber-attack in February 2024 has impacted small practices, providers, 
and patients/clients. The corporation Change Healthcare is a ``middle-
man'' data clearinghouse used by health insurers and providers of 
health care for processing eligibility for specific services, 
processing health insurance claims and payments. As you are likely 
aware, Change Healthcare is now owned by United Health Care. United 
Health has taken an ever-larger role in many aspects of our health care 
delivery and payment systems and has come under increasing scrutiny for 
engaging in anti-trust and monopolistic business practices. I am hoping 
that this Senate Finance Committee hearing will result in future 
oversight and regulations for how health information, and the 
overlapping payment systems, are handled and used by large for-profit 
corporations. Please do your part to ensure that protections and 
regulations are in place, and that there is an entity to oversee and 
enforce these protections.

The cyber-attack and subsequent disabling of the Change Healthcare 
platform/system has impacted many small mental health practices. Many larger 
health care provider systems were able to quickly pivot to alternative 
software platforms to process health insurance claims, check for 
eligibility and receive payments. However, small practices did not have 
the financial or administrative resources to quickly amend their 
operations once they learned about the cyber-attack. I heard many 
stories from colleagues who were concerned about how they would receive 
payments so they could continue to provide care and pay staff, 
uncertainty about how long the cyber-attack would impact Change 
Healthcare operations, not to mention how to notify and explain the 
cyber-attack to clients and patients. Increasingly in our field, there 
is general unease and mistrust about whether protected health 
information will be safeguarded by large corporations and technology 
data companies.

This cyber-attack, I believe in general, will further create mistrust 
in the health insurance industry among small practices and providers. 
Already many highly qualified and highly trained and specialized 
licensed clinical social workers, licensed professional counselors, 
licensed psychologists, licensed marriage and family therapists, nurse 
practitioners and psychiatrists make financial decisions not to 
participate as in network providers with health insurance plans, and 
the risk of experiencing cyber-attacks on the very systems we use to 
deliver and be paid for our services will be another reason providers 
will hesitate to accept insurance directly, whether commercial plans, 
Medicare or Medicaid. In turn, more patients, clients, and consumers 
will not be able to access providers who are in-network with plans, 
creating more barriers to accessing treatment by ability to pay out of 
pocket for the entire cost of services.

Thank you for considering my opinions and concerns.

Ann Smith, LCSW-C
Catonsville, MD

                                 ______
                                 
                 Letter Submitted by Eliezer Sternbach
U.S. Senate
Committee on Finance
219 Dirksen Senate Office Building
Washington, DC 20510-6200

To: The Honorable Senator Wyden

CC: Esteemed Finance Committee Members: Mrs. Blackburn, Mr. Mendez, Mr. 
Grassley, Ms. Warren, Mr. Johnson, Mr. Lankford, Mr. Brown, Mr. Casey, 
Ms. Hassan, Mr. Warner, Mr. Barraso, Mr. Bennet, Mr. Young, Mr. Carper

Dear Honorable Chairman, Senator Wyden,

    We elected you because we trust you to discern the truth. So trust 
us to tell you when you're being duped.

    My name is Eli Sternbach, I am the Revenue Cycle Manager at 
Maryland Neuro Rehab & Wellness Center, a family owned and run 
business. And one of the few outpatient Neuro Rehab therapy clinics in 
Maryland. We deal with many insurance companies, and generate less than 
$1 Million in revenue per year.

    My job when I started at the end of 2021 was to ``find out why 
we're barely making any money.'' Our insurance claims were being 
handled by a Medical Billing company that charged us 11% of our claims 
revenue. All I knew at the time was that the therapists would sign 
their documentation in the EMR system and somehow that made it to the 
insurance company and we got paid. Oftentimes we would receive 
remittance advice (claim payment receipts) in the mail with a zero 
dollar check attached saying the claim had been denied for various and 
cryptic reasons. When I followed up with our billing company, they said 
we needed prior-authorization or a physician referral or some other 
clerical reason that they did not follow up on initially. Those claims 
were lost and we were unable to formulate an appeal for the payment 
denials due to our billing company's incompetence.

    At that time, I went on a personal crusade to learn everything I 
could about the claims payment process and how to prevent such 
impactful claim denials from occurring in the future. Needless to say, 
I was petrified. The complex landscape of healthcare coding and billing 
rules, the trepidation that a single misstep could be called fraud had 
me on the edge of my seat during the whole learning process. I was on 
the phone all day with insurance companies for almost a year asking 
them and confirming with them that what we are doing is in accordance 
with their policies and guidelines. As well as conducting my own 
research on current laws and compliance standards.

    Several months into this hunt for knowledge, I became confident 
enough to start submitting claims on my own, without the need for a 
billing company. We used the billing feature offered by our EMR vendor, 
the same system our providers used to write clinical documentation (the 
source of the medical claim). Instead of charging us 11% claims revenue 
for billing capabilities, they charged us an additional $125 per 
provider per month for access to the feature. At that time my job as a 
medical biller involved clicking a button called ``Submit'' which 
somehow transmitted our claims to the insurance companies. A few weeks 
later we would receive the remittance advice/payment or denial in the 
mail.

    The claim denials are all coded using standardized X12 code-sets, 
which means that when we receive the actual piece of paper that says 
you're not getting paid for that treatment visit, it's a bunch of 
numbers and letters with a very vague, standardized and not helpful 
description of the code buried somewhere in the document. It usually 
takes a phone call to the payer and several hours waiting on hold to 
get a straight answer as to what the issue is and what our corrective 
action options are, if any. That is assuming of course that there is a 
person to talk to on the other end, which is not the case with all 
payers like Blue Cross Blue Shield of Texas.

    But that's the system, and we either have to get with the program 
or stop accepting health insurance as a form of payment. So we got with 
the program. I learned everything I could about the policies of the 
insurance companies we deal with and what they expect of us. What their 
prior authorization requirements are and what documentation they need 
from us. And that worked for a while, until we started dealing with 
Optum health plans like Cigna and American Specialty Health (ASH), who 
have strict prior-authorization requirements for outpatient therapy, 
unlike Blue Cross Blue Shield and Medicare.

    Plans like Cigna-ASH required us to fill out immensely complex 
prior authorization forms. So complex that I had to schedule dedicated 
blocks of time for providers to complete these forms and some of the 
time they couldn't understand the meaning of the questions. These Optum 
specific requirements ask for information not related to the provider's 
specialty like asking an Occupational Therapist to specify the ``affected 
body part'' when their documented plan of care focuses on tasks like 
cognitive rehabilitation and activities of daily living which isn't 
really a body part as much as it is a critical quality of life. 
Furthermore, most of the information requested is present in 
standardized SOAP format documentation of Evaluations and Progress 
notes which follow basic medical guidelines. Meaning that providers are 
required to document the information Optum is asking for anyway, but 
they also have to write it in the authorization request? I have no 
other words to describe the process other than busy work.

    But filling out their complex forms wasn't enough, there was always 
a clerical reason for the denial and after several months and dozens of 
attempts I gave up and in the end someone with a rare and expensive 
medical condition had to be turned away from our facility because we 
couldn't get ASH to process the authorization request. A single phone 
call from the upset patient to his insurance company and within 24 
hours we received a callback saying our claims would be paid within the 
week. A measly $65 per day (not per provider, per day). For a patient 
who required 3 providers of different specialties to work directly with 
for 3 hours a day (total), 3 times per week. The payment covered the 
cost of submitting the authorization request, barely. Forget about the 
cost of rendering the treatment itself which is our lunch money.

    After the authorization yo-yo-ing from Optum, we met internally, 
all of our providers to figure out a way that we could render quality 
therapy for a patient who needs neuro-rehab with a $65 per day limit. 
This retrospection and clinical practice review spanned the course of 
several months and multiple restructurings of how treatments are split 
across providers, assistants and technicians to try and mitigate our 
cost of paying employees to render healthcare for Optum patients. The 
answer was consistent across our disciplines of Physical and 
Occupational therapy. It costs $65 just to transfer the patient to and 
from their power-chair and treatment room, ready for the therapist to 
render services.

    We have concluded that there are only two scenarios in which Optum 
payments of $65 would make economic sense. For a 30-minute session with 
an hourly speech therapist @ $45/Hour. Or for an Orthopedic patient who 
does not have a complex diagnosis, is mobile and does not need more 
than 45 minutes of Physical or Occupational therapy @ $55/Hour. In all 
other scenarios, the Optum fee schedule does not support the payment 
required to fund medically necessary services or any treatments of a 
complex nature. Our request for exceptions or a fee schedule increase 
was offered to be extended to $75 per day, instead of our requested 
$125 per provider per day even for one-time exceptions of rare and 
expensive medical conditions.

    But let's look at the facts, nearly 17% of our GDP is spent on 
healthcare. We, the healthcare providers, are not getting paid. 
Healthcare plan membership costs me about 1/3 of my rent, $415 per 
month for good State Marketplace insurance, so I know the savings 
aren't being passed on to the consumer. Where is all our healthcare 
money going?

    It's a legitimate question, and I hope that sharing with you my 
story of navigating the healthcare system as a healthcare facility will 
shed light on where we're burning money.

    I mentioned the cost of utilizing a medical billing company and 
medical billing tools. But the cost is so much more compounded than a 
single billing service or tool with high rates.

    At first we thought the fault lay with us, because everyone else 
uses the same healthcare system, why are we the only ones suffering 
financially? It must be something we're doing wrong. So we took another 
look at ourselves to see how we could improve. And our practitioners 
said that well-written and clinically sound documentation for patients 
of a high-complexity medical diagnosis is difficult and time consuming. 
So we set our sights on a system that would help providers write good 
documentation more efficiently, in a naive effort to mitigate our cash 
flow issues.

    In November of 2022, I was tasked with transferring out of our 
current EMR system into a new system that cost about $425 per provider 
per month. A whopping $300 increase per user from our previous system. 
But we were convinced this would help our providers maintain quality 
and increase efficiency in their note taking with features like speech-
to-text. It would be worth the cost, so we thought.

    The process involved not just transferring patient records, but 
also transferring the billing connection to various payers from our 
previous EMR into the new system. The new EMR vendor gave us access to 
a special enrollment portal outside the EMR system where we selected 
which payers we use and the transactions we deal with (837 professional 
claims and 835 Remittance Advice). We had to set up an account with 
their Clearinghouse TriZetto which cost us more than double what we pay 
for an EMR user per month, but the EMR handled the integration with 
TriZetto so we could submit claims directly in the EMR and they would 
make it to the clearinghouse which would then forward it to the payer. 
However, we were warned that we must check TriZetto regularly to make 
sure our claims were being submitted correctly and to monitor if there 
were any issues with sending or receiving claims or remittance advice 
through TriZetto.

    After several months of transferring our patient records, a few 
weeks of intermittent connection issues as we transferred our payer 
connection between systems one by one, we finally made it into the 
shiny new EMR system. Only this was just enough time for our providers 
to unanimously conclude that the new system is worse than the old one, 
as it is far more restrictive in how it lets providers write 
documentation. The majority of templates available were for Physicians, 
Nurse Practitioners and Physical Therapists who don't regularly 
document complex outpatient therapy treatments and interventions as 
they pertain to neuro-rehab.

    So we found another EMR system and did the process over again. 
Except this vendor didn't offer a direct integration with TriZetto or 
Availity, clearinghouses that we already submitted a lot of paperwork 
with to get our payer connections set up during the last two EMR 
systems. However, they did offer an export option that we can take a 
file from the EMR and upload it into the clearinghouse and that would 
allow us to submit claims, so we were the integration so to speak. We 
would have to move files back and forth between the clearinghouse and 
EMR to submit claims and receive remittance advice.

    Because Availity offered the file upload option and TriZetto did 
not, we decided to use Availity. I was informed by our first EMR 
billing tool vendor that our connection for submitting claims and 
receiving remittance was actually handled by a different company other 
than the EMR, it was the clearinghouse Availity. We had the company 
login for Availity stored in our records, so we logged in and saw all 
our payer connections from the first EMR still active, so switching 
back to that system should be easy, right?

    Needless to say, the claims processing blackout we experienced 
during that EMR transition period is identical to what we experienced 
during the Change Healthcare outage. We couldn't connect with any 
payers or receive any payment notices. The moment we switched systems, 
we were flying blind.

    I promptly contacted Availity to find out the reason for our claims 
blackout. Apparently, our connections to these various payers were not 
actually connections we had any control over. They were all assigned to 
the Tax ID of the billing tool we licensed from our first EMR vendor. 
We were told that we needed to re-enroll for these electronic 
transactions under our Tax ID which took about 3 months to complete for 
80% of our payers and over a year for the remaining 20%. The reason it 
took so long was (1) Any clerical rejections of the forms took several 
weeks to notify us about before we knew we needed to correct it. And 
(2) Many payers have multiple payer IDs used for electronic 
transactions. One payer ID for submitting claims, one payer ID for 
receiving remittance etc. Different for most transaction types. Finding 
the right payer ID for our specific insurance companies we deal with 
that have our remittance advice was difficult to find.

    But we got our billing connections back online and we were able to 
submit claims and get paid. And the system we were in did help us 
generate quality documentation faster, but still we experienced 
financial hardships beyond what we feel should be normal for 
healthcare.

    Having been professionally traumatized from seeing our billing 
connections so easily disconnected and with great difficulty 
reconnected so many times, I realized that the issue must not be with 
us, it's with the system we have no choice but to use. The system that 
dictates how we have to write documentation and how we're allowed to 
get paid. So I set out to build an EMR system of my own to address 
these concerns.

    I slaved away day and night, I poured my blood, sweat and tears into 
a creation I put my faith into. A creation I hoped would answer our 
cries for help in these financial crises. A piece of software 
engineering that cares about patient outcomes, that wants providers to 
succeed and get paid, a system that holds HIPAA sacred and says no 
entity is above being audited. And to an extent I prevailed, and I 
birthed a software architecture that makes our providers smile. A 
software that ensures our patients receive timely refunds for 
miscalculated copay percentage to dollar amounts. A software that makes 
sure doctors are up-to-date on their patients' plan of care and 
actually sign off on that plan of care.

    And now that I had designed a HIPAA compliant Electronic Medical 
Records System, I decided to tackle the goliath of Electronic Data 
Interchange (EDI), the framework of healthcare transactions, claims and 
payments in the U.S. I didn't want to rely on third-party vendors who 
maintain connections with payers that they don't want me to understand. 
I want to understand. I want to know why it takes us so long to get 
paid. Why do we only hear about denials when it's too late to do 
anything about it? Why is our healthcare system so complicated to 
navigate? I wanted to see the truth for myself. So I studied EDI 
guidelines, regulations, TR3 Mandates and implementation instructions. 
I examined claim files from EMR systems, companion guides from payers, 
public sources, Medicare 4010 to 5010 ANSI crosswalk data and I pieced 
together how PHI is meant to be transmitted according to HIPAA 
guidelines: 837 professional claims, 999 acknowledgments, 277 claim 
statuses, 835 remittance advice and other transactions. The heartbeat 
of electronic healthcare. The things that tell providers what's 
happening with the bill they submitted for the services they render and 
it's in a language that can only be understood by machines (or nerds 
like me).

    So what did I learn from trying to integrate HIPAA transactions 
into my system? I learned that it's a very precise framework. I learned 
that there's a lot of rules and regulations and guidelines. And I 
learned that no one follows the same standards and no one is 
communicating using the same language! A simple example is Medicaid. 
For many of their claims they don't send us the line item details like 
CPT codes and Modifiers in their remittance. Critical information that 
is needed for any other insurance company to even look at the claim. We 
have received rejections from payers because files were sent to us 
missing information, and HIPAA says we are not allowed to modify the 
835 file to correct it, it must remain in its original format even 
with errors that will cause payers to not even look at our claims and 
outright reject them. So I'm stuck. Another example is splitting a 
single claim into several remittance advices, like several line items 
being split into several receipts. Another insurance would look at one 
split remittance, say it's missing information, reject it and do the 
same for the rest of them.

    It gets worse. We have seen outright skimming off the top by 
Medicare Secondary payers like Cigna and Colonial Penn Life Insurance. 
They will literally drop line items off claims, or lower their paid 
amount from the Medicare coinsurance amount (without providing a Claim 
Adjustment Reason Code (CAS) code for it). And we have no way to appeal 
these decisions because there is no contact information for Medicare 
Secondary payers, or if there is they always defer blame and 
responsibility to Medicare.

    Furthermore, the CAS codes used for telling us why we're not 
getting paid what we think we should for services we rendered, are all 
from an X12 data-set that is not used in a uniform manner across payers 
and healthcare entities. Different payers use different codes for 
different denial reasons, and the reasons are different across payers. 
A simple example of this massive and dysfunctional connectivity can be 
seen with Amerigroup (a Medicaid Plan). In short we requested 
authorization to treat a patient. We received authorization for 8 
visits. We treated the patient for 8 visits. Three weeks later we 
received a denial notice that the rendering provider is not active with 
the state Medicaid system, which we did not know at the time. But they 
knew. They knew when they approved our request, they knew they were 
going to deny it 3 weeks later when we couldn't do anything about it. 
They had access to the information and only shared it with us when it 
suited their goals.

    The fact that other EMR systems have not picked up on these issues 
or do not have adequate systems to deal with them tells me that no one 
from the programming and application development side of things really 
cares what's happening to providers or patients, just whatever keeps 
the cow mooing.

    Shame on us for allowing the healthcare system to grow into such a 
complex and expensive, basic human service. I wish I could say that the 
impact of the Change Healthcare outage felt far-and-wide, was the 
result of poor cyber security or a lack of two-factor authentication, 
but that's not the systemic reason for these hardships.

    It's a problem much older than computers, it's basic human greed!

    As a software developer, Healthcare Clearinghouse, EMR system 
designer, and Medical Biller, I have seen firsthand the negative 
impact Clearinghouses have on healthcare as an industry. I am afraid, 
not of being hacked, not of losing our data and not being able to 
recover it, I am afraid of losing my trust in our healthcare system 
which we work so hard to maintain.

    I have tried to connect healthcare providers as directly to payers 
as possible and limit the amount of middle men, billing services and 
clearinghouses needed for providers to submit claims and receive 
payment for services rendered. What I discovered was jaw dropping to 
say the least.

    Even clearinghouses use clearinghouses. An issue which became 
alarmingly clear once the vendors we trusted to handle our transactions 
revealed that they were just passing it along to Change Healthcare to 
make a buck. Clearinghouses once served as virtual train-stations. A 
one-stop location from which providers can connect to all their payers 
for all their transactions and it was industrious. But now you go and 
it's toll booth after toll booth of transaction fee this and transaction 
fee that. Only to find out that this clearinghouse vendor is just 
forwarding my claims to another vendor.

    It was only after I started connecting directly AS a vendor to 
payers (at no cost) did I see just how fast the turnaround time for 
claim payments could be. Some payers went from 21 days to 13.5 days 
faster than our former clearinghouse, and some processed claims in 5 
days instead of 21 days.

    We're also saving tens of thousands of dollars using our own 
systems instead of packaged services readily available to take our 
money.

    It was the clearinghouses that were slowing us down and costing us 
every single day. It is clearinghouses' reliance on other 
clearinghouses that has stifled our ability to connect with and get 
paid from almost every insurance company we regularly deal with. 
Clearinghouses are doing just that, clearing-house and draining our 
economy.

    It is the exclusivity imposed by organizations like Change 
Healthcare that limits small-time healthcare facilities from connecting 
directly to major insurance companies like Blue Cross Blue Shield, 
Aetna, Anthem and the like for claim payments, eligibility and 
benefits, prior authorizations and electronic remittance advice 
(payment receipts) and claim statuses. This forces providers to 
continue to rely on major vendors like clearinghouses for payer 
connections. Fixing cyber security does not address the systemic issues 
of using a centralized healthcare transaction system (clearinghouses).

    There is only so much we can do to prevent Cyberattacks by 
determined and malicious actors. We need to invest in our ability to 
recover from attacks, more so than to mitigate them. This can only 
happen by ensuring that if one or many systems are targeted, a 
redundancy or connectivity option exists at the payer-level so that 
individual providers reserve the ability to submit claims and get paid 
for services rendered. Don't tell me that paper claims or payer portals 
are a valid option, because if we relied on those processing times or 
the admin work required for manual entry, compared to direct electronic 
methods, we may as well go out of business. This connectivity option 
should be as direct and as speedy as clearinghouse middle-men are 
allowed to enjoy.

    Unfortunately, HIPAA has empowered major corporations to maintain 
their dominance of the healthcare information industry by limiting 
transactions to ANSI X12 Electronic Data Interchange (EDI) encoding 
format. An arcane language and structure used for encoding healthcare 
data. This language has acted as a barrier limiting the development of 
new technologies and consolidating the existing technologies of 
established companies. Clearinghouses have taken advantage of this 
ancient requirement and provide their customers with more modern data-
format options like JSON, which only enforces this toll-booth mentality 
of ``you have to use a clearinghouse because direct connections are too 
complicated.''

    We have enabled a healthcare-data culture of complexity to the 
point of mysticism. Claim denial codes are used differently across 
different payers resulting in the perceived need of a medical biller to 
``Interpret'' the claim and ``make sure you get paid and not denied.'' 
You need to pay someone to go after low-hanging fruit, take their 11% 
bite and say real denials are your fault. We have fostered a culture of 
banditry in which clearinghouses are allowed to set up toll-booths 
between us and our insurance companies, demanding a payment for passing 
along our envelopes in addition to their processing times.

    It is my hope that you hold not just the clearinghouses, but the 
insurance companies accountable and actionable regarding exclusively 
using an outside vendor for claims and payment processing. Vendors 
which have endowed themselves with border-patrol authority in the 
digital healthcare world. Please, also enforce a uniform, and 
meaningful implementation of claim denial reasons across all payers. It 
would not take long for payers to build a claims processing system of 
their own, as is evidenced by UnitedHealth Group's rapid replacement of 
their own system.

    I hope my story helps you more precisely discern the truth, honored 
senators.

    Thank you for advocating on our behalf.

    Your average American,

    Eli Sternbach

                                   [all]