intervened. >> patrick indy with his book tranfive sunday night at eight eastern on c-span's q&a. you can listen to q&a at all of our podcast on our free c-span now app. >> at c-spanshop.org. discover books, apparel, home decor and accessories. there's something for every c-span mom, plus every purchase you make those toward supporting nonprofit operations. start shopping advice scanning decoder visiting us online at c-spanshop.org. >> c-span is your unfiltered view of government. we are funded these television companies and more including buckeye broadband. ♪ ♪ ♪ ♪

♪ >> buckeye broadband supports c-span is a publi service along with these other television providers giving you a front-row seat to democracy. >> unitedhealth group ceo andrew witty testified before the senate finance committee about the impact of the recent cyber attack on healthcare, a subsidiary of united health group that disrupted the payment and claims process for providers did he apologize for the chaos resulting from the cyber attack. this is about two hours and 15 minutes. [inaudible conversations]

[inaudible conversations] >> the finance committee will come to order. this morning the finance committee examines the change healthcare hack that nearly brought our country's health care system to a standstill six weeks ago. joining the committee is andrew witty, the ceo of unitedhealth group, which owns change healthcare. i'll put things in perspective. last year, uhg generated $324 billion in revenue, making it the 5th largest company in the country. overall, the company touches 152 million individuals across all lines of business, insurance, physician practice, home health, and pharmacy.

with its profits, uhg has purchased dozens of other health care companies and is the largest purchaser of physician practices. this corporation is a health care leviathan. i believe the bigger the company, the bigger the responsibility to protect its systems from hackers. uhg was a big target long before it was hacked. the fbi says that the health care industry is the number one target of ransomware. it's obvious why. change healthcare processes roughly 15 billion health care transactions annually, and a third of americans' patient records pass through its digital doors. change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company.

that means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from to abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. military personnel are included in this data. leaving this sensitive patient information vulnerable to hackers, whether criminals or a foreign government, is a clear national security threat. i don't think it's a stretch the impact here rivals the 2015 hack of government personnel data from the office of personnel management, which the fbi called a treasure trove of counterintelligence information for foreign intelligence services. uhg has not revealed how many patients' private medical

records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack. the failures of ceos like mr. witty, who months in can't figure out how many people have had their data stolen, validate the fbi's warning. in the wake of the hack, united essentially disconnected change from the rest of the health care system. it took weeks for change to get back online, leaving health care providers in a state of financial bedlam. doctors and hospitals went weeks delivering services but without getting paid. insurance companies couldn't reimburse providers. even today, key functions supporting plans and providers, including sending receipts for services that have been paid and the ability to reimburse patients for their out of pocket

costs, are not back up and running. small providers, particularly mental health providers, have been left holding the bag, stuffing envelopes with paper claims, and unable to get straight answers on how long the outage will last. and patients are bearing the brunt of it. prescriptions went unfilled, patients were stuck at the hospital longer than needed, and americans are still in the dark about how much of their sensitive information was stolen. the credit-monitoring service united offered these patients is cold comfort. the change healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in american history. it is exhibit a for my case that tough cybersecurity standards are necessary to protect critical infrastructure, and patients, in this country. hhs does not require health care

providers, payers or health care clearinghouses like change to meet minimum cybersecurity standards, unlike industries regulated by other federal agencies. meeting a baseline of essential cybersecurity standards is a must, but is meaningless without equally strong enforcement. hhs has not conducted a proactive cybersecurity audit in seven years. as it stands, if a company does not comply with existing cybersecurity regulations, the fines amount to nothing more than a slap on the wrist. federal agencies need to fast track new cybersecurity rules for americans' private medical records and congress needs to watchdog this every day to make sure everything possible is done to protect patient data. finally, the change hack is a dire warning about the

consequences of too big to fail mega-corporations gobbling up larger and larger shares of the health care system. it is long past time to do a comprehensive scrub of uhg's anti-competitive practices, which likely prolonged the fallout from this hack. for example, change healthcare's exclusive contracts prevented more than one third of providers from switching clearinghouses, even though change's systems were down for weeks. accountability for change healthcare's failure starts at the top. before this hearing, i asked u-h-g which members of its board have cybersecurity expertise. uhg pointed to ncaa president charlie baker, who signed some technology-related legislation into law years ago when he was governor of massachusetts. mr. baker is certainly an expert on basketball, but uhg needs an

actual cybersecurity expert on its board. mr. witty owes americans an explanation for how a company of uhg's size and importance failed to have multi-factor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems. i'm hopeful that today's hearing can mark the beginning of the finance committee's work to make meaningful improvements in america's cybersecurity on a bipartisan basis. i encourage all members to focus on the subject at hand. that is because this is so important, so vital and as much to discuss. senator crapo. >> thank you, mr. chairman. appreciate your industry today. and thank you, mr. wake him for being here today.

on february 21, 2024, unitedhealth group learned that its subsidiary, change healthcare, was likely the victim of a cyberattack launched by a suspected nation-state associated cyber security threat actor. in response, change, the nation's largest health care clearinghouse, which processes $1.5 trillion in medical claims annually, disconnected all of its systems to prevent the hackers from obtaining additional data. the fallout from this unprecedented attack has affected the entire health care sector. by crippling change's functionality, the hackers left providers unable to verify patients' insurance coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills, or process prior authorization requests. in the immediate aftermath of the attack, many providers had to rely on reserves to cover the resulting revenue losses. an american hospital association

survey found that more than 90% of hospitals were financially impacted by the cyberattack, with more than 70% reporting that the outage had directly affected their ability to care for patients. more than two weeks after the cyberattack was announced, the department of health and human services released a public statement and guidance related to the incident. on march 9, the centers for medicare and medicaid services made accelerated and advance payments available to impacted medicare providers. the administration's delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access to essential medical services and life-saving drugs. while the february hack on change was by far the most disruptive cyberattack on the health care industry to date, it was certainly not the first. according to a report by the

federal bureau of investigation, the health care sector experienced more ransomware attacks than any other critical infrastructure sector in 2023. in addition to the processing and revenue issues experienced by providers, patients' private identification and health care information was obtained by malicious actors during the breach. unfortunately, personal health care data has become increasingly attractive to cyber criminals, who seek to use that information for blackmail or identity theft. for patients, the emotional and financial effects of leaked private information can have a devastating impact for years. although many of change's functions have now resumed, trust in the security of its platforms needs to be rebuilt. we owe it to american patients and to our frontline health care providers, from health systems to clinicians and community pharmacies, to ensure that this

does not, and cannot, happen again. today's hearing offers a valuable opportunity to learn from united's experience so we can better protect against, and quickly react to, future cyberattacks. gaining a deeper understanding of how the hackers infiltrated change will help identify and address gaps in our existing cybersecurity infrastructure. evaluating steps taken by united in response to the attack, from disconnecting its platforms to notifying law enforcement, will offer lessons on how to build a more resilient and collaborative health care system moving forward. we must also assess the response of the federal government, which plays a critical role in these efforts. hhs has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely

information about active threats, as well as best practices to deter intrusions and resources should an attack occur. thank you, mr. witty, for being here to discuss building a more secure, resilient and responsive health care system. thank you, mr. chairman. >> thank you, senator crapo. and what is chief executive officer of the unitedhealth group. prior to that he was executive vice president of unitedhealth and ceo of optimum. from 2008-2017 he eight-2017 he was ceo and director of glaxo smith kline. mr. witty, we appreciate you being here. i believe you will take five minutes or so to share your testimony and we've had a lot of member interests and you will get questions and do everything i can to keep them on this is an important topic. mr. witty. >> thank you and goodbye, chairman wyden, rate member crapo and members of the committee. thank you for the opportunity to testify here today.

my name is andrew witty. i service chief executive officer of unitedhealth group. our mission is to help people live healthier lives and help make the health system work better for everyone. we pursue this mission to our two distinct businesses, united healthcare which provides a full range of benefits, and optimum which brings together care delivery, pharmacy services, and technology and data to advance patient-centered care. change healthcare is now part of optimum. it enables information claims and payments to flow quickly and accurately between physicians, pharmacists, health plans and government. i appreciate the committee's interest in the recent cyber attack on change healthcare. as a result of his malicious cyber attack patients and providers have extensive disruptions that people are worried about the private health data. to all those impacted let me be very clear. i am deeply, deeply sorry.

our response this attack has been granted three principles. to secure the system come to ensure patient access to care and medication, and to assist providers with their financial needs. we have deployed the full resources of unitedhealth group in this effort. i want to ensure the american public we will not rest, i will not rest, until we fix this. cyber experts continue to investigate the incident and why we will learn more and our understanding may change is what i can share today. cyber criminals enter the portal, axel traded data and on february 21 deployed ransomware. the portal that access was not protected multi factor identification. our response was swift and forceful, to contain infection we immediately set up connectivity and secure the perimeter of the attack to prevent malware from spreading. it worked. there is no evidence the spread

beyond change healthcare. within hours of the ransomware launch we contacted the fbi we continue to share information with them so these criminals could be brought to justice. as we've responded to this attack including dealing with the demand for ransom, my overarching priority has been to do everything possible to protect peoples personal health information. the decision to pay a ransom was mine. this was what are the hardest decisions i've ever had to make, and i wouldn't wish it on anyone. as you know we found files in the axel traded data containing protected health information and personally identifiable information which could cover a substantial proportion of people in america. so far we have not seen evidence that materials such as doctors charge for full medical histories were axel traded. it will take several months before enough information will be a payable to identify and

notify impacted customers and individuals, partly because the files contained in that data were compromised in the attack. rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years along with a dedicated call center staffed by clinicians to provide support services. anyone concern that their data been impacted should visit chained cyber support.com for more information. meanwhile, we continue to make substantial progress in restoring change healthcare services. first, the team built a new technology environment in just a matter of weeks. second, we prioritize our restoration effort on services most vile to ensure access to care. pharmacy services claims and payments providers. and third, while these efforts were underway, we worked quickly to provide financial assistance to providers who need it.

we have advanced more than $6.5 billion in accelerated payments and no interest no fee loans to thousands of providers. most of these funds offer claims for non-uh-60 health plans, and about 34% of the loans have gone to safety net hospitals and federally qualified health centers. we will provide this assisted fertile as it takes to get providers claims and payments flowing at preaccident levels here if there are provided in your state who need help, , plee put us in touch with them. fighting cybercrime is an enormous task, and when the requires of us all, in addit, law enforcement, and policymakers to come together. i look forward to answering your questions today. >> thank you mr. witty. let me begin with this. this attack could have been stopped with cybersecurity 101.

and i'm talking specifically about multifactor authentication, mfa. when your bank at asks you to enter a code sent by text or e-mail, that's mfa. it secures your account even if your password is learned. yet, your testimony reveals this first server that was hacked didn't have multifactor authentication. so question one, i'd like a yes or no answer to, mr. witty. prior to the hack did you or any of your senior management know that uhg was not requiring mfa companywide? yes or no? >> mr. chairman, thank you for the question. our pols is to mfa for externally facing systems. >> so if the answer is yes, then

that makes my point, that on your watch there was a cybersecurity failure, and then that's what caused the harm to patients healthcare sector and your investors. i do believe there excuses for that. so my second question is, will you commit within six months at the latest to require multifactor authentication companywide and meet the tough mfa standards that are required of federal agencies? again, a yes or no answer. >> tricky yes, i'm happy to commit to that. fact i can confirm to you that as of today across the whole of uhg all of our external facing systems have got multifactor authentication enabled. >> we will take that as yes. it shouldn't have taken the worst cyber attack ever in the healthcare sector for an

agreement to do this bare minimum. now, second with respect to national security. people claiming to be involved with this hack have asserted publicly that they stole data on u.s. government employees including active-duty u.s. military servicemembers. my colleagues remember the 2015 hack of opm government personal data which pose a serious counterintelligence concerns. and i'm very concerned as i id in my opening statement about the national security implications of this hack as well. are you in a position this morning to say whether the hackers stole data pertaining to u.s. government employees? >> mr. chairman, thank you for the question. like you i am extremely concerned about any patience information but particularly in this come in the context you just described. so far through the process of working through the data what we've been able to identify is indeed a substantial portion of people across the countries data

could be implicated here. we do believe there will be members of the armed forces and the veterans association. >> when can you give us in writing a number of military personnel affected and your best assessment of who they are? can have that quickly? >> i give you my commitment -- >> a week? >> who will take longer than a week but assessed as we possibly can. >> two weeks? this is nationals could priority. two weeks i expected. >> we will absolutely prioritized that. >> all right. let's talk about why things are taking so long and particularly how hard providers are being hit. because they are paying the price for the failures that of the meat on your watch. how much longer will a provider who sit in a claim for services delivered in february have to wait in order to be paid? >> mr. chairman, thank you for the question. our belief at this point is that claims flow across the entire

country is essentially back to normal. certainly from a unitedhealth groups perspective we are paying claims as soon as they arrive. we are aware that other companies may not be speedy providers are telling me it's going to take until at least june to clear the backlog. and you do that or you're? >> we can move absolute fast of the net. the meantime we are providing -- >> when you expect to have that clear? >> we believe, we believe the system from the back to normal now. if there any providers in state he would like to refer us to make sure that our speed is practically of a provider i bump into is waiting to be paid. >> those payments from united certain have been made. we are caught up and we continue to advance significant interest loan -- >> when you commit to waiting deadlines for timely filings and appeals for claims until everything is back in order? >> yes, we worry waved at those. >> we commit to bring meaningful compensation each provider and plan his business operations you

disrupted? >> were happy to engage with providers to discuss at. >> please send that to me in writing of the compensation system would work. let me mention one other area very quickly. i've been following your various comments, and consistently your views seem to minimize the impact of your involvement. he said that united healthcare payment processing accounts for only 6% of payments in the healthcare system. my view is that's basically hiding the ball. 20222 the department of justice said the change retains records of the lease 211 million individuals going back to 2012. so how many people have actually been impacted? where did you find those files? and what medical information was stolen? i get answers to those three questions. how may have been impacted, where did you find the files can what medical information stolen? >> mr. chairman, thanks for the question.

as i said that is very much the top reformist to get to the bottom of your we're working our way through that. as of this point we have not identified anything like medical records or medical histories. what we have seen his claims information. >> you don't have the logs which show what data walked out the door because we have been working to get that and we haven't seen it. senator crapo. >> thank you, mr. chairman. mr. witty, the fbi has repeatedly warned that the healthcare sector particularly attracting to cyber criminals. as your test my nose, united about experiences and attempted cyber intrusion once every 70 seconds. however, nationwide cybersecurity preparedness and response guidelines for healthcare sectors appear to be disjointed. without disclosing proprietary or security related detail, how do intend to revise united

cybersecurity protocols to incorporate the lessons that you find on this experience? >> senator crapo thank you very much for the question. first and foremost let me reiterate how seriously we take this and how diligently we are working to make this right, both technically and also to make sure we understand the patient information implications. to your question of how we are responding to this. first and foremost let me reiterate we have and a force policy across the organization to multi factor authentication on all of our external systems which is in place. >> can interrupt for a second? part of my question is and you are about to get to that part of what to be sure you are responsive to this. is it as simple as fixing the multifactor system? >> multilayered. that is one element that it's only one element of the defense. making sure, so, for example, when have you permitted in addition our normal corporate wide scanning of our technology environment we've now brought

external third parties to do double or treble scanning across assistant as if for the protection layer. we've also made the decision to strengthen our oversight of cybersecurity at the company by bringing to our board on and every meeting basis mandate which is leading some cybersecurity devisees of an america. they've been actually helpful in understanding this attack and you become a board advisor to ensure that we have the very best advice at the top of the company. >> would you agree that this type and maybe even this stronger approach than this type needs to become standard across our healthcare industry, everything from government to the private sector and, frankly, the entire aspect of our healthcare system? >> senator, i would agree with that. what we saw an change healthcare which was a company which just came into our group a little over a year and half ago ways a company which was an older

company, had older legacy technologies. but i think it's very typical of many small to medium-sized organizations in our healthcare environment and, therefore, inevitably there's going to be a lot of work to be done to upgrade the standards. but it do agree with your assertion. >> well thank you. i'd like to move on to restoration and protection of patient information. your testimony indicates both pharmacy services and medical claims are now flowing at near-normal levels, is a packet? >> that's what i believe come a. >> on this is welcome news effects of the cyber attack continue from ongoing revenue backlogs unfolding details about exposed patient health and identity information. which functions remain off-line? and wind you expect when of% of change's system to be restored? >> thank you very much for the question. all of our core systems are now up and fully functional. that means pharmacy processing,

claims payments, the systems which are not available are really ancillary support functions, so not not determinative of the main claims activity for the payment which is where the disruption has been cost. i would also like to emphasize essence of the attack took place we encouraged providers to divert their volume two other competitors to change of which there are several. many of then continue to operate through those channels which is another way in which normal service has risen. >> have you heard reservations from providers about reconnecting to change? and if so, how are you working to address those concerns? >> mr. chairman, yes, i think that's a natural and could concern for people to after a data, after an attack like this. you want to be reassured the system is safe to be reconnected. that's why we disconnected so quickly in the beginning so we didn't infect anybody else hear the reason why it's taken longer than you might expect to recover is real literally built this platform back from scratch.

so that we can reassure people that there are not elements of the old attacked in private with the new technology, at the new technical environment that we've created. we are sharing all of those details with clients and customers as they reconnect and i'm pleased to say they are reconnecting substantially. >> all right. thank you. and finally would you share an update on your understanding of the magnitude and the type of patient information that may have been obtained by the hackers? and when you expect to begin the process of contacting impacted individuals? >> thank you for your question. we are working closely with the regulators on that last point of time, how to and when to start communicating. want to try and avoid piecemeal communication and it's our top priority to get this done just as fast as possible. >> thank you. ..

getting clarity about substantial portion of people in america affected by this because it looks like anybody doing business and i will tell you the reality and providers in placing is wildly different picture you statement processing similar 86% incidence levels this morning you said it was back i will tell you there is a backlog any of

our providers in hospital staff are not able to get in and make these claims here's a good instance small independent hospital. they have diligently submitted all of their claims burdened with the backlog of medicare claim equivalent to 30 days of revenue. waiting things to be transmitted because of the missteps you all have had.

experience. we will reach out to find the names and we will get connected. >> every hospital, every provider. hospitals pulling on a line credit, are you going to pay that interest?

>> we are offering -- like i said, are you going to pay the interest cost? one of surprises the chairman mentioned is lack of redundancies built into the system. your revenue is bigger than some companies gdp. how in heaven's name do not have the necessary redundancy so you did not experience this attack and find yourself so vulnerable? >> they for the question. first, the united health group, were in the process of upgrading. the attack itself backed up.

we have work so we know and it is not aggressive from the attack. >> was there not in thought process in place on the front end? you can protect yourself from vulnerability. >> you are in a hospital. >> i'm fully aware of. >> there again, for whatever reason for sightedness not having a plan to incorporate -- let's move on. widely acknowledged the

temporary assistance program fails to adequately address financial setbacks caused by this. we got one provider disclosed receiving a down payment significantly below their usual daily revenue of $20000. these providers resorted tapping into personal savings, seeking loans from banks. are you going to cover all of those costs they had to incur in order to keep the doors open because you did not have an appropriate backup plan?

>> your companies slow progress restoring services advancing prd operational disruptions with consequences for providers, and patients across the nation. for weeks, hospitals and providers had to deal with low offers to the company and in some cases less than 1% of the typical filling while patients suffer. the company is the nations largest private health insurer and largest position employer in the every quarter. it is unacceptable but it took so long to help providers during a crisis of your creating. now i'm concerned what's going to happen on the back so commit to not exploiting the markets you created to further acquire city areas? >> absolutely will not take

advantage. we have not. i would like to reassure you we understand in the efforts to go quickly we didn't get all of the terms right. we fixed very early and have been able to advance $600 billion. >> united healthcare divided about volume and financial support to providers but you are dealing with an enormous claim easily over $14 billion. some estimates at many multiples. your exhilarated event payments for a tiny fraction of the total amount of services. it is my understanding united healthcare and city areas no the money the average provider bills. providers in my state and across country are struggling keep their doors open as they waited

for payments. what reasonable explanation could you have for taking so long to get these payments out the door? >> thank you again for the question. you not know from other payers why our initial approach is not as effective as we would like. put in place a mechanism giving them loans within hours of applications and it remains available. >> it seems almost incredible do not know a company established even though flow of the daily weekly monthly amount is, hard to believe. >> we understand the flow we are payer and those would be the situation as i'm sure you are

aware making loans for the cash flow. >> it seems you waste a lot of time trying to pull a fast fast one on providers. coming loan repayments and claims backlog is clear? >> we have streamlined and yes, we've already told providers is no need to repay interest-free loans until 45 days after they have concluded. >> do the loan terms prohibit how providers from working with united or ockham's competitors? >> no. >> following the breach you were offered to do notifications for hospitals and providers still grappling with ongoing disruptions to daily operations. this commitment is an important step in the right direction as writer should not be found by the burden of providing notifications but no medical

group can rely on vague promises and containing no specific for implementation providers mounting concerns about their own regulatory exposure united not fulfill these offices. patient aware of disclosures of their senses provide even has proven biden. when concrete details on notifications and writing on united healthcare? >> you want to get it done as fast as possible the was regulars. >> i think it will be in the next several weeks. >> mentation about the

reliability very clear. >> are likely to respond to the committee. >> health and human services regarding article and perception within the healthcare sector. the need for strong relationship public and private partners to ensure the safety of critical structure systems. i inquired about legacy technology systems. cyber attacks on healthcare system not only have severe impact on our economy but it's up. my first question is, united health relationship and government agencies as it

relates to cybersecurity of the healthcare industry, how have hhs and cybersecurity and information security agency work with your company in the aftermath of the failure? daily engagement within hhs truly engaged in terms of how we work to support providers to prioritize system and the fbi has been our prime partner in response to the attack you not health group that need if so, what is venting to update?

>> a company that came into our organization with older technologies in many different technology generations. as we always do with companies like that probably strive to upgrade united which i believe higher than the companies with brought into the organization. >> i think you touched on it but let me ask havoc taken and software? you repeat that, please? >> he said he couldn't understand. >> has united health group taken every available option to remove

safety risk and software? >> i'm not sure i completely understand the safety risk. i can assure you -- answering and writing. >> i can do that. my understanding is the change healthcare is one of the medical records in the united states. i like to better understand how bunker source patient data. how does change healthcare management, is it stored by third parties loading and storing his patient data sent overseas? >> both on premises and a limited extent in the cloud.

we into the cloud which created much more secure computer environment. >> in 2023 is united healthcare experienced another cyber taxes room 21. >> out how to come back to you. we are under attack consistently and i would like to respond out be happy to come back to you will not. >> do you feel company prepared for another cyber attack? >> thank you question. we are doing everything we can to be as prepared as possible

but recognize the pressure of the attacks that come in. i believe we are taking every sensible precaution and brought multiple organizations. while i block ways in which we can pressure on the systems we are trying to manage. >> thank you senator grassley. >> the conversation. first let me acknowledge as i spoke to doctor spectrum the worst is passed on many have said resolved so credit you for the artwork with don. it presents a different set of questions. one, he mentioned united is waiting authorization but change handles claims for others and as

we know, sometimes it is denied retrospect retroactively so it is approved and they are called back. we don't know for the it will drop in the future or it will have a problem with the process. to what degree has united work with other insurers to address the uncertainty front authorization and penalized because of damage done to the system from another insurer. >> thank you question it issues with me and followed him from united your perspective, when somebody applies for prior

authorization and it's printed, we never go back in time if they have acquired not. we are supportive prior authorization on the system in terms of getting access. >> the other insurers in this process change within the intermediary. how about be handled next. >> do they reach out to smooth it over in this. orange the ability of change provides a function? >> thank you. i am clear with the question. let me reassure you think there

what people have acted in faith for example, from suitable without getting authorization, they thought it would be okay. we are ordering all of that. >> let me ask you this is a broader question. in our conversation and i gather on an earnings call you point out that asking about the breach, cyber attack was paradoxically validation of the size and scope of the business partners. i've been told washington post article that i% of u.s. gdp closer united everyday. yes but if you read, the fact that you are so big and dominant presents special vulnerability and you have deep pockets by which to address this but the

fact that you're so big means is a wide ranging ripple effect out sized so thing for us would have to ask. is the dominant role of the united to donna because it's into everything it messes with everybody? clear the activity was the same of the day before, it didn't change. >> but i don't want to our imagination to just change. 5% of our nation's gdp closer united everyday been is there something else that could be incurred upon united don't have further reaching effects? >> the whole united are we defendant protect the organization and the two how we can upgrade.

>> the size of united is almost on too big to fail insurer because of it fails it will bring down more than it ordinarily would. >> i do believe it is because for example we have no spills in america we do not own any drug manufacturers. he. >> we employed less than 10000. hospitals across america 400,000 she's. we contract an affiliate with physicians who voluntarily choose to work alongside of colleagues so we are very proud of the positions who were breast but oftentimes the dishes with employed physicians with our less than 1% of adults. >> this is an extraordinarily important issue you are raising.

classic too big to fail policy. i the bigger the healthcare company, responsibility to protect i think california beak senators on both sides of the aisle to look forward to working with you. >> our next president in order of appearance would be senator warren. >> in 2023 united health brings it $22 billion making it the most profitable healthcare company in the country. by revenue, united health is the 11th largest company in the entire world. united health group owns the country's largest insurer of the country's largest claims processor about the country's third-largest benefit manager, pharmacy chain, the largest

employer of physicians nationwide or control and with at least 90000 positions testified. one utterly ten doctors in the country, is that correct? >> as part is positions under 10000. >> i think not controlled the work with. >> because united health brought up every link in the healthcare chain, you are in a position to check up prices and squeeze competitors and revenues and the opportunities for price gouging

are everywhere, united health is the biggest purchase in medicare advantage. the government programs that pay private insurers to administer clinica benefits. this web of assisted city areas well-positioned to reagan taxpayer money praxis follow-up cutting to make it look thicker. the vascular disease for the medical art and no clinical basis for the diagnosis and no treatment plan. according to a 2019 investigation by the hhs specter general, united health is far and away the most aggressive abuser of according practices. you know how much according to the inspector general united health treated taxpayers out of 2017?

>> thank you, i'm not familiar. it's only up connie practices. that was five years ago. united health under investigation from the d.o.j. for among other things, billing practices. >> we have a long-standing practice i understand you might not want to comment on it. although your company has not disclosed this investigation. yesterday i sent a letter raising concerns about $100 billion stock sales united of executive made in the days and weeks before the investigation revealed by the press.

>> united health this huge and loose some of the profits with among other things, illegal early tactics and that takes me to the data breach. after the largest ever talk on the healthcare industry in american history hundreds of thousands of healthcare providers at risk of collapse from united help using price expanded monopoly even further. how do? they filed with regulators to allow them acquire the doctors

practice on an expedited basis. while this position united health even bigger? like to put on the record. >> i had a very simple question. will make united health is 11th largest company in the entire world even bigger? >> the organization i hope becomes better. >> regarding talked about business practices. the question is bigger. for the make united health bigger? as we grow, who become larger. >> using its own data breach just about doctor practices by the same data breach. it's no wonder united told shareholders this would have no

material impact on the company's finances. united stop at nothing to grow bigger, bigger and bigger as we speak. it is ruined by private equity and corporate greed. for the psaki of doctors and nurses. mike next in order, go ahead. >> a different perspective. the largest financial energy in the world is the united states federal government.

to incur $45 trillion worth that the largest in the world had all the time. last year we had 236 billing dollars of improper payments run for the largest entity in the world. how 60 obvious you are a victim of the crime, correct? victims of crime, was hoping utilize your experience to figure out what went wrong so the people watching can try and corrected.

they are very sophisticated exploit weaknesses they are well-known. most packs are because of security breaches from can you describe the history and change of healthcare from a hawaii audit and how it supports the function. >> through a series of interactions and organic growth connector across the healthcare system. one of four to five like the same thing process payments to providers the payers and back a

complex thing to do medicare rules hospitals a complex thing to software in network business of about five-point so when against the vulnerability the embrace of the system which is a devastating impact it buildup over years and there was one -- describe exactly where the vulnerability was we were in the process of upgrading and they were not protected in the server which criminals were able to get in and the policies.

>> is probably been breached for that as we go back and do forensics novelty nine bait days before. >> averages about a couple hundred days there inside the system before they are made known. these are sophisticated actors. what was your response? >> before i was about to change

network in the country. that works from a happen. >> we shut down the whole thing. you could have had about better and history own program and respond to this. we quickly changed that we have had extraordinary updates from folks across the country and judging by respondent like it for the loan which they are

chatting just hours supported. we show those loans today even though we do know people who have. >> being subjective. micro center from nevada in a second you have instantly downplayed euro and kind of cybersecurity. last week and so need to know whether happened. did you know that? >> company only recently come

into the group. it was in the process of being upgraded but why wasn't it the first thing you would do? like my understanding the organization and the amount of organization required frustratingly not the. >> to deal with our server, it's not abstract, senator from nevada think of. meet follow-up on a line of questioning you paid a ransomware to the attackers? 22 million back in the information packers obtained, was that identifiable identification? likely traded. >> and the most personal

information individuals were provide you? you have an obligation to protect that? certainly do and we take it very seriously. of course we are incredibly frustrated. >> and bylaw you are required to protect the information state law and federal law, correct? that is correct, and we take the obligation seriously you are also required to be fine those affected that there personal data has been compromised, correct? and you haven't done that yet? >> we are still -- how long will it take? >> we think it will take several to understand what is the. >> if you happen several weeks how long ago? denied base? >> yes and thank you for the question. we were only able to solve this exactly is talk without data sent back and able to deal with

the complex process. >> is a complex because you so much data does hard to identify? >> it's more the data structure making sure we get it right and making sure we get the correct information so there are many nations who do not know their healthcare information is optimized? we have not yet been able to notify people connect let me to something else happening i'm hearing my kate. a federally horrified el centro with locations across the state like nevada and they rely on and healthcare for real-time eligibility verification. i am hearing despite being back online, critical patient information often seen or mismatched with 50% of payer information in accurate.

health centers clarity on where the systems will be corrected but struggled to get reliable answers from united healthcare group so hoping you can provide clarity, when will real-time eligibility and benefits verification functions healthcare network be up-to-date and accurate? >> i will come back to you today with that, i do not have that with me right now but i hope you do because not just my across the country many asking this and for that reason you are aware providers must adhere to timely filing deadlines set by insurance companies claim reimbursement. if they missed the deadlines, insurers make and i payments lead denied patient care burden the recent act requiring healthcare poses challenges for providers. what you meant to extending

health plans deadlines for any claims affected by the change hasn't subsequent out of? >> absolutely michael you agree to extend claims filed before the every 21st ever attack considering the appeals processes for the claims have been disrupted by united health outages? we are happy to do whatever necessary. >> that would be a yes? thank you let me also address but i am concerned about the effect of united healthcare providers i'm hearing from basic drops in revenue and i missing out missing from the light. 12,000 dollars every week on staff dealing with billing at eligibility issues caused by this healthcare outage.

small providers in my state missing just to payments could force foreclosures so my question to you, what steps will united health to compensate the administrative cost cyber attacks? >> thank you very much for the question we continue to make available reloads and more than willing to engage in providers on this as you described industry loans will address administrative? >> there are no conditions other than they would be repaid 45 days after the provider confirmed they are back to normal. >> okay thank you. >> senator tillis is next. >> thank you in here.

i know people have asked about your redundancy plan authentication, could you give me a sense or not internal or external audits identify as a compliance our audit risk? effectively if any qualified systems controls to defy multi- authentication use as a major risk factor, do not there's a record affect middleware? >> not that i'm aware of. >> if we can find nation or your auditor, if it was identified as an actionable matter. tell me a little bit about redundancy. i used to work in redundancy

systems, it sounds like it was not smooth. how does that not make it into an audit as well? >> thank you for the question. i agree it is frustrating switchover. >> your an information technology provider a large-scale democrats right so within change healthcare company that only recently came in the organization in the process of being graded. the attack itself implicated prime at back up environment so partly do to the technology. the elements we bring back immediately and the

technologies. >> i used to bring this we had to go and finance but hacking for dummies, the best addition that doesn't include the nature developed some basic stuff so shame on the systems for redundancy, they are not doing their job and as a result the data breach right side judiciary committees by been on finance the damage to the consumer's data is you got to keep them whole. enterprise is based on movement of data, exchange data and that's how you create data so you have a breach, except to be

your problem, not my problem so everything you do to keep those old for any damage is just a function of doing business, do you agree? >> full responsibility and we are waiting for that. for anybody can reach us through 1800 interesting challenges about online etc. but we will make questions for the record. i do not want -- i got a notice think about data breach and interesting will help you with your problem and i will help you with your problem you will not make this difficult for

consumers. i will take it for face value you will do this right but it's not a problem of a person who now they have to deal with the consequences of the use of their data, it's got to be your problem i hope back if you remember three or four years ago after passing the data breach everybody was talking about how congress needed to act congress has done nothing in part because of the will jurisdictional issue but ways and to judiciary. we are making a huge mistake not having federal rules of the road data breach and how empathizes have to mitigate the now we haven't devastated thing at different and has distractions

for making sure data is captured. >> in terms of bringing together various committees the important. a litigation is vital for prevention it basically helps the company gets back on its. >> senator langford. >> thanks for being here and there's a lot of conversations. i want to tell your story right

together was very bright oklahoman in a rural area and for making these she's the local physician that has close the valve because of the burden think the design self matthew got to the hospital 30 minutes away to meet with doctor that position is one of the provider thursday schedule all she light of the appointment the medicare advantage. she the coast let's see if there the doctor needs to run tests she can't get done that day insurance company so she has to drive home and they could do it that they can't because they are

waiting on prior authorization to procure pop. two years later the hospital stopped taking medicare advantage general saying the reimbursement 20% less than medicare medicare athletic because of prior authorizations out of service for her put her in a triple spot she goes to a local pharmacist to talk to for years and finds out there's a remarkable pressure from a they not sure it will be able to say open. insurance company tells her we want you to mail your resentful so she part diseases and wants to talk to. i wish this was a story that wasn't true but it is. it is the complications engaging in all of those areas medicare

advantage. this is just a reality we are facing here especially in rural areas and in my state 2 million people living urban and 2 million and also it is a reality for those folks propose exact challenges i played out. just saying so you will hear it because it really is a reality of what's happening on the ground. everyday there want to get healthcare and get access to that. or to put up something we talked about, when hospitals pharmaceuticals will be made whole the issues and reimbursements. one is the time.everybody will need made whole? >> let me first comment one 100% aligned with what you described there and how we can help

modernize the system. a government state company obligation. we do need to reduce both positions and make it easier to navigate the system provides the help mitchell this is and how it helps we are very open to ideas and suggestions. >> the new line. >> there are families that sign up with plans because i know that physicians and sign up in

october november but then they find out it switched over in january but they signed up in october. they need to know they sign up for physician opposition will. >> i agree with you in these key areas we need to work together. >> we continue to make sure interest on the capacity remains available work with providers on other issues. >> what you think of it they? hope months or six weeks. >> that will be helpful for providers. any pacific ideas on the other side the fbi could have dealing with both sides of this ransomware attack, things the fbi could happen doing better

that could have been helpful so any books in your company want to pull together a list work on that side as well. >> time has expired. as reluctant as i am breakup was psychic, we have people coming and going. i want to get senator casey but we can break this up. >> thank you, mr. chairman. roger here. owns and operates tells you about the problems going on in our healthcare system. i hear from orders forced to make impossible decisions and considering closing their doors entirely and shut down abms the same story driving up costs or

abusing direct and endeavor these are pharmacies. for you aware recent national disease association survey independent pharmacy owners and managers over one third reported considering closing this year due to financial constraints, are you aware? >> i am aware of. >> to the significant role in these closures? >> thank you for the question. we are -- we do not have these. >> do you acknowledge abms like a significant role? >> i don't necessarily believe that to be the case. i think they provide significant service at a variety support sorry to cut you off i only have

five and it's. it's clear that contribute to local pharmacy closures. i met with due process last week forced to close stores. they are in rural areas, five pharmacies and five communities where they have to drive at least five to 10 miles they had record sales they can't even break even. it here the company a lot of money you know that. i'm assuming he writes about that last year brothers of 116 billing dollars so it's pretty clear you could lower or eliminate peace and still make plenty of money. we'll commit in front of the committee to lower and eliminate the pharmacist from ohio and across the country? >> we've already eliminated -- you help us in the industry claimant your colleagues to do

the same? >> we will encourage that it's clear they are not going to reform on their own right we need to pass legislation to remain in corporate middlemen and pass moving on in the financial burden from doctors and hospitals and health systems and the most dire consequences from the attack you know how important they are and i serve those most audible and operate on markets. was a health center in ohio dropped from an average of 600,000 week 20,200,000 week on unacceptable can't continue to operate like this without

certainty it will be compensated for these losses. what is united plants to compensate for these financial burdens? >> think about the question. in the context described in that situation we have an interest in program, 200 billing what would be happy to reach out to your office. it's still available and what bridge the gap loans required to pay back. >> when they are fully back to normal and weird. >> they will make the determination? >> correct and then 45 business days payments of two calendar

months. >> and low interest rates means -- no interest. >> no interest. >> thank you. >> thanks very much. statements united healthcare claims the vast majority of services has been restored to pre-levels i providers in pennsylvania struggling to their patients and family reimbursement doctor christine meyer who owns a practice in pennsylvania initially taking out a home equity loan or practice afloat and reached out to participate in your loan probably only offered 4000 a month% of her monthly expenses.

months later she is receiving or from the received more generous loan from optima but is worried about repayment. she said the term dark here and read she will have to pay back the loans before or practice is up and running. when you commit to supporting providers delaying the deadline of the loan repayment to the back or claims. regardless? >> let me apologize for the delay in the right level of loan capacity in the efforts to move quickly recognize we didn't get it right always at the beginning of this process. this.

we have detention asking for sean street they let and back to normal. even then would not look for repayment of 45 business days no interest no fee associated want to ask while the risk especially complex of children the obvious click on healthcare or financial information is reached. how child stalling cyber criminals to open up years apart longer to repair damage. for seniors in older adults, victimization has been skyrocketing. data breach even more scammers use in the future.

united healthcare southern company becomes the cyber attack predicates and more than two months according to the company website it will take several months unquote to identify and notify impacted diverse -- customers, individuals and i think it's clear united has defenses differently time united going to expand and flocking but from he's not worried about personal profit health information upfront along much has happened break of relief

that we can to minimize the possibility of it being happy today notification, in america who come to our services to provide prevention and protection of within first use of the substance. a straightforward enough time i will submit the record. >> before you leave, i

appreciate family more discussions often impeach. it is absolutely inefficient. >> thank you for this hearing today provides direct her hospitals saw all that wrote severe overnight stereos that visits to hospitals under terms for unnecessary the first work hospitals during what was spent isis but she returned to operations.

i hope we can get more lobby senator has asked, from basic information portion of people in america from of millions of families obtained by cyber criminals in the attack on your company for breach required to notify individuals within six decays of health reasonably you have to affected. however acute health or the secretary health information is compromised. to meet your obligations need to

send informationis little

because at first that michael reportedly begins the first is not ten weeks away too long for millions of americans cannot know their this lady available to criminals oligarchs web so i urge you medially notify family so they can take i urge you to use united read

but as you think about smaller organizations often times they navigate those things so i think a refreshed you, i think they make sense. we would be happy to engage on that. >> one thing people wouldn't be surprised for individual united

parent on the entity but my understanding of change is the rails that folks didn't understand to communicate information better. we think about this and it has to be all the way up and down the food chain. you can't just check a box trace back to the supply chain in a way that we don't have enough transparency overall. i know from wire change, years into the acquisition and still have not put standards united

and do change. why does it take so long? trying to understand why it was not part of. >> an area where we don't have resilience, i've got providers not only going through not being able to have payments made bathing change they are talking about getting a new provider. any meantime, patients and providers are not getting payments made.

i think the whole business model of any entity providing the connections was about means that the provider you have a backup system and the whole model has to change so whoever you set up you have a backup in reserve because without that you got some tear. >> certainly agree with that and we encourage people about backup systems. those backups we need to work

with those providers to have that second pipeline from of the rail and the technology failure. >> the time as well overdue waiting for a crisis like this and we knew it would happen. >> i think it's well taken. there's an opportunity to make up the numbers. your proposal is essentially a medicare -related effort. all of the hipaa security rule which gives a chance to look at these issues relating to enforcement and accountability. as it relates to resiliency

allows us to walk through how this works. you can't walk into a coffee shop in america talk about multifactor authentication. >> that's all about prevention and senator tillis came in and give a chance to make a link between prevention getting everybody up and running again quickly which is what it's all about. we link the the issues and work in a bipartisan way and i look forward to working with my colleagues. >> next senator brasa. >> thanks for being with us today the cyber attack all across wyoming out of sure you've heard from people across the country. memorial hospital the impact so

the processing can be shared recover. they were delayed and 17000 unpaid business rural hospitals across wyoming in the u.s. essential health services so 50% of rural hospitals right now the rent. fist may send them into a financial spiral. so how are you prioritizing the process claims?

>> working with everything we have not just players but also make sure loan programs are available at rural hospitals. they have not yet, i would encourage them to do so. claims processing is back to normal so we just mostly. we still have black, payment on those claims so if a claim is submitted united healthcare fate instantly but not all are paid instantly.

some receipt, that would the delay. we are committed to the industry loan capacity to get through the cash flow college. >> need to keep their doors open. there's a lot of discussion about to factor verification today small community culture. a town of hundred people. 2023 they spent nearly a million on cybersecurity. it's evident hospitals spend and take cybersecurity very seriously. it's not as clear, we got just about every person here asked

questions. i heard responses, to me it seems like an excuse. mostly factor authentication operating in the red and change hunger established in 2007. source 1961 in a system already updated. the financial resources. great in that policy since we acquired, some of legacies have gone back years and they were covered by not an exploited.

the services external support to ensure we run the risk situations to make sure they are active. >> the larger practices and any plan to ensure. >> to get through the cash flow situation and provide a

case-by-case basis. >> it's so important as it relates to the two hours and i think touch on one of the key areas and referred to several excuse. the head of cybersecurity we knew so we got to get to the bottom of it and we haven't had any senators. very much appreciate this. >> thank you for being here today. similar issues i want talk about

and i'm very grateful. this has been cash flows in colorado that are continuing in the cash flow critical access in colorado and $1.5 million and half of the monthly revenue for

others -- at risk. they've been forced to pass on the cash. understandably they can't afford that expense and they haven't gotten their medicine. they been left empty handed as a result. they can't pay it online. i know you have heard this on cascading, unmasking the vulnerabilities in the healthcare systems and subject

asked, what you think you might be responsible for account look about most challenges. in the technical solution. me reassure your financing capacity remains in place and they still have $1.4 billion. and there is no customer for that hospital.

>> we take you up on that. a going forward basis to deal with -- how are we going to afford this in the future? continuing to pursue the understanding of the attacks were not going up or down, we were more and more sophisticated. the levels of technology to protect against those tax elevated about be a challenge for many keep up with the

pressure and howie those and making sure the numbers of attacks into the country and begin to drop and escalate in the probability of breaches in the healthcare given the pressure of the system is up on the next time you're young and then senator carver. >> thank you, chairman. for making yourself available. healthcare entities and prices are increasingly connected to the internet and on facility networks provide teachers that manage fenestrated functions, increased efficiency or improve the ability of healthcare providers and patients.

we have not evidence which was can be used weekly and securely to reduce risk and vulnerabilities providers. there are still some unanswered questions and blessings to be learned we acknowledge that. one of the workarounds for providers we discussed was to move to a different clearinghouse including healthcare competitors how long transition to be fully up and running? >> i think back to be within a few days and more educated. >> that gives me a rough estimate. is it helping with these transitions? >> we've recommended diverted

too many alternative competitors as possible and we will continue to encourage back system. at least they were in the system. >> i know this has already been covered a bit. to confirm, there is reporting of passivity process rockwell any exclusivity clauses be enforced and partial providers be aware of that they transition to a new provider? >> exclusivity we waive and do not to force the because we want to make sure they have backup abilities in place. >> family healthcare community health center in the southern part of my state, it is unable

to switch to time sensitive process in the department which has two people in the new system could put cyber liability insurance at risk the paper submission lames by mail and current expense of significant postage costs personal healthcare center to provide the most they can for patients. the attack from the national news, do you have a notification process in place? >> that's a very good question and that is one area to figure out how to communicate not just companies but the same thing in

covid providers across the system and customer files compromised difficult. i was at the situation described would love to reach out to the office and financial support. >> you did mention the mechanisms to provide financial bridge. i am encouraged by that. how are you disseminating information to providers? ... you did mention the mechanisms

you created provide that financial branch. i am encouraged by that. particularly, the small safety net health centers. >> again, thank you for the question. we have used everything which goes to our million physicians across the country. we have used social media, something like 700,000 e-mails to a variety of different provider addresses. we try to use every channel. working with the key medical associations to get the word out to providers and others. we have been running regular national telephone calls for technology across all of the organizations. for example, the encouragement to spread the word. i do think that communication to providers whether repeatedly

comes up is an area of opportunity. >> thank you for answering my questions. i guess the only other thing that i would ask is, you know, you will have all manner of lessons learned including that there may be limitations under existing law to be able to respond to these sorts of attacks and serve your clients optimally to extend those lessons are learned isu communicate that information to my office and to this committee so we may consider changing the law. thank you. mr. chairman. i am really struck by how little we know about the data that could involve our service personnel. look forward to working with them. >> mr. chairman, to our ranking

member. thank you for putting this together today. thank you for the time to talk. thank you for your testimony today. among the things that i shared with you, some of the principles that guide me in this role another that i've been privileged to serve. one of my guiding principles is everything i do, i know i can do better. everything i do, i know i can do better. i think that that is true for us driving in our profession. another one of my guiding principles is treat other people the way i want to be treated. i tried to put myself in other people's shoes whether you happen to be a constituent, a patient, a practitioner or provider. put myself in their share -- shoes and help guide me. this is a shared responsibility. the idea of shared responsibility.

you and your colleagues have this spirit there is a role for that. one of the things that i mentioned yesterday quoting abraham lincoln. what is the role of government. he said the role of government is to do for the people what they cannot do for themselves. local government. probably that role for all of us to play. about a million people of delaware. 50 miles from east to west. something that i love to do and it is easy. people that have been, you know, disadvantaged, but potentially put in harm's way. we have heard from practitioners and providers. on the phone and in person.

so for us, this is very real. in terms of the role of government, the role of government here. it may be one or two. >> thank you very much. thank you for the comment. maybe two areas that i would suggest. helping the healthcare system through what the minimum standards, the right level of system protection and redundancy for the impacts of future attacks. to see what further can be done to reduce the attack velocity that is coming up the u.s. healthcare system from cyber criminals. i know the possible act may be suggesting those two areas. >> thanks. this attack was as i understand

maybe the worst of its kind against our healthcare system with people that depend on that system. the ramifications remain widespread. it is clear that they change healthcare's to prepare for this attack. i don't know if it's possible to actually be prepared. but you shared with me yesterday that the attacks were outgoing. they are not stupid. they are not getting any dumber, unfortunately. it is clear to change healthcare when prepared for this attack the lack of basic cyber security measures left them vulnerable to disruptions and care. and sensitive data and personal information being stolen. like my colleagues i heard from from families and individuals throughout our stay. directly impacted from this attack. unable to receive her

description for seven days because a specific pharmacy delays and that is not acceptable for any of us. why do you think it took so long for your systems to get back up and running. why are many pharmacies still out there today? >> thank you for the question. hearing the situation of the patient waiting for their incident. we have tried to make clear any prescriptions filled. what the personal status was. i also emphasized the challenges of communicating across such a wide group of providers. the speed of recovery was really determined by the way the attack encrypted large parts of the environment and to ensure that the system when it was brought back online garnered the confidence in the environment that it was safe to reconnect to

remember the change healthcare is a big connecting system. we really built the environment from scratch. we did not resuscitate large parts of the old environment which could have brought with it the risks and suspicion of infection and would have led to i think reconnecting at all. we spent a lot of time rebuilding from scratch. the third party organizations, test and penetrating to make sure it was super robust before they came back. consequence the way it impacted the first system and then the commitment to bring back the clean system was the explanation >> i think my colleague. just a few additional questions i am not clear on. the apropos of the patient's, the real victims, in my view, through negligence, the people who have their information

stolen sent the individuals $5. how are you going to go about compensating when they have stolen data. do they think that that is right >> we are working hard to understand he was potentially impacted. in the meantime, we have not stood by to wait for that. we have already put in place services, call centers to help people understand the situation if they need advice and also to make sure and for anybody, whether that is in this or not. everybody in america can access theft protection for the next few years. >> identity theft and protect against it is something that i am very supportive of. i am also very hawkish on

protecting people's private medical data. when i saw equifax giving people $5 and this happened very recently, i wanted to know from you all whether you thought that that was reasonable. how are you going to go about it can you envision sending this out to? >> this time i do not. i feel as if the important thing here is to reinsure people they are doing everything they can to ensure the data does not in fact leak. that we would make sure that the situation is protected through the services that we have already made available. >> let's also get on the record, one of the questions that senator menendez touched on. for a lot of us representing small communities in our states that much of oregon, senator

brosseau talking about that, you know, our physicians are very much at risk. they owe you for these loans. i am concerned that these will give you value financial information and based on the company's history will be used to gobble up lots of other small providers across the country. asking you about what was going on in oregon. this is not a hypothetical question for your company. buying these people up to hand over fist. i would like to see at a minimum a firewall established so as you cannot use the data from the doctors from the loan process to go out and buy more doctors. that is the last thing that we need in america.

>> first of all, i do support that. i think that is a good idea and a good recommendation. reassuring you. guided by the providers confirmation that their cash flow is back to normal. it is under their guidance. the suggestion is a good suggestion. i am very comforted. to be absolutely clear. >> we have been at it for more than two hours now. there is a lot that we don't know. a lot the american people don't know. i am not convinced that we will

find that out anytime soon. we may never find it out. this data as i said several hours ago can reveal abortions, sexually-transmitted infections and more. i just want to see evidence is willing because this company is so big i heard my colleagues talk about too big to fail. i think that they were more eloquent than i was a couple hours ago. companies that are so big have an obligation to protect their customers and to lead on this issue. much of what i read about this, you are kind of saying the american people, you should feel lucky that we are big. i think that a lot of americans today do not buy that. on your watch, let the country

down. millions of people on both the prevention side. getting us back in going. back in going. that is redundancy. the years, over the years in public service. directing the senior citizen group. one of the most important issues i've taken on. i think the intersection of health policy, economics and national security is now front and center. this is one of the most important fight that i have taken on. what worries me is all these people who are professionals in the field say, shoot, this is an example for the bad guys of what they can accomplish. they will be much more active in

much more forthcoming in terms of specific issues that we are talking about today. the finance committee has adjourned.

[inaudible] shame on you. >> do you solemnly swear that in the testimony i'm about to give will be the truth the whole truth and nothing but the truth so help you god? >> watch the congress investigate as we explore major investigations in our country's history by the u.s. house and senate. each week telling these stories. historic footage and will examine the impact and legacy.

the committee hearings examining within the u.s. intelligence community. watch congress investigate saturdays at 7:00 p.m. eastern on c-span2. >> explore the wonderful array of mother's day gifts are waiting for you. discover books the core and accessories. there is something for every c-span plus every purchase you make goes toward supporting nonprofit operations. start shopping now by scanning the code on the right are visiting us online at c-span shop.org. >> this is your unfiltered view. funded by these television companies and more. ♪♪