
United Health CEO Testifies on Change Healthcare Cyber Attack Before Senate. CSPAN, May 3, 2024, 11:41pm-2:00am EDT

11:42 pm
>> united health group ceo andrew witty testified before the senate finance committee about the impact of the cyber-attack on change health care, a subsidiary of united health group, that has corrupted the payment and claims process for providers. he also apologized for the chaos resulting from the cyber-attack. this is about two hours 15 minutes. [inaudible conversations]
11:43 pm
>> the finance committee will come to order. this morning the finance committee examines the change healthcare hack that nearly brought our country's health care system to a standstill six weeks ago. joining the committee is andrew witty, the ceo of unitedhealth group, which owns change healthcare. i'll put things in perspective. last year, uhg generated $324 billion in revenue, making it the 5th largest company in the country. overall, the company touches 152 million individuals across all lines of business, insurance, physician practice, home health, and pharmacy. with its profits, uhg has purchased dozens of other health care companies and is the
11:44 pm
largest purchaser of physician practices. this corporation is a health care leviathan. i believe the bigger the company, the bigger the responsibility to protect its systems from hackers. uhg was a big target long before it was hacked. the fbi says that the health care industry is the number one target of ransomware. it's obvious why. change healthcare processes roughly 15 billion health care transactions annually, and a third of americans' patient records pass through its digital doors. change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company. that means medical bills that are chock full of sensitive diagnoses, treatments, and
11:45 pm
medical histories that reveal everything from abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. military personnel are included in this data. leaving this sensitive patient information vulnerable to hackers, whether criminals or a foreign government, is a clear national security threat. i don't think it's a stretch to say the impact here rivals the 2015 hack of government personnel data from the office of personnel management, which the fbi called a treasure trove of counterintelligence information for foreign intelligence services. uhg has not revealed how many patients' private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up
11:46 pm
their prescriptions as a result of the hack. the failures of ceos like mr. witty, who months in can't figure out how many people have had their data stolen, validate the fbi's warning. in the wake of the hack, united essentially disconnected change from the rest of the health care system. it took weeks for change to get back online, leaving health care providers in a state of financial bedlam. doctors and hospitals went weeks delivering services but without getting paid. insurance companies couldn't reimburse providers. even today, key functions supporting plans and providers, including sending receipts for services that have been paid and the ability to reimburse patients for their out of pocket costs, are not back up and running. small providers, particularly mental health providers, have
11:47 pm
been left holding the bag, stuffing envelopes with paper claims, and unable to get straight answers on how long the outage will last. and patients are bearing the brunt of it. prescriptions went unfilled, patients were stuck at the hospital longer than needed, and americans are still in the dark about how much of their sensitive information was stolen. the credit-monitoring service united offered these patients is cold comfort. the change healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in american history. it is exhibit a for my case that tough cybersecurity standards are necessary to protect critical infrastructure, and patients, in this country. hhs does not require health care providers, payers or health care clearinghouses like change to meet minimum cybersecurity
11:48 pm
standards, unlike industries regulated by other federal agencies. meeting a baseline of essential cybersecurity standards is a must, but is meaningless without equally strong enforcement. hhs has not conducted a proactive cybersecurity audit in seven years. as it stands, if a company does not comply with existing cybersecurity regulations, the fines amount to nothing more than a slap on the wrist. federal agencies need to fast track new cybersecurity rules for americans' private medical records and congress needs to watchdog this every day to make sure everything possible is done to protect patient data. finally, the change hack is a dire warning about the consequences of too big to fail
11:49 pm
mega-corporations gobbling up larger and larger shares of the health care system. it is long past time to do a comprehensive scrub of uhg's anti-competitive practices, which likely prolonged the fallout from this hack. for example, change healthcare's exclusive contracts prevented more than one third of providers from switching clearinghouses, even though change's systems were down for weeks. accountability for change healthcare's failure starts at the top. before this hearing, i asked u-h-g which members of its board have cybersecurity expertise. uhg pointed to ncaa president charlie baker, who signed some technology-related legislation into law years ago when he was governor of massachusetts. mr. baker is certainly an expert on basketball, but uhg needs an actual cybersecurity expert on its board. mr. witty owes americans an
11:50 pm
explanation for how a company of uhg's size and importance failed to have multi-factor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems. i'm hopeful that today's hearing can mark the beginning of the finance committee's work to make meaningful improvements in america's cybersecurity on a bipartisan basis. i encourage all members to focus on the subject at hand. that is because this is so important, so vital and as much to discuss. senator crapo. >> thank you, mr. chairman. appreciate your industry today. and thank you, mr. witty, for being here today. on february 21, 2024, unitedhealth group learned that its subsidiary, change healthcare, was likely the victim of a cyberattack launched by a suspected nation-state
11:51 pm
associated cyber security threat actor. in response, change, the nation's largest health care clearinghouse, which processes $1.5 trillion in medical claims annually, disconnected all of its systems to prevent the hackers from obtaining additional data. the fallout from this unprecedented attack has affected the entire health care sector. by crippling change's functionality, the hackers left providers unable to verify patients' insurance coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills, or process prior authorization requests. in the immediate aftermath of the attack, many providers had to rely on reserves to cover the resulting revenue losses. an american hospital association survey found that more than 90% of hospitals were financially impacted by the cyberattack,
11:52 pm
with more than 70% reporting that the outage had directly affected their ability to care for patients. more than two weeks after the cyberattack was announced, the department of health and human services released a public statement and guidance related to the incident. on march 9, the centers for medicare and medicaid services made accelerated and advance payments available to impacted medicare providers. the administration's delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access to essential medical services and life-saving drugs. while the february hack on change was by far the most disruptive cyberattack on the health care industry to date, it was certainly not the first. according to a report by the federal bureau of investigation, the health care sector experienced more ransomware attacks than any other critical
11:53 pm
infrastructure sector in 2023. in addition to the processing and revenue issues experienced by providers, patients' private identification and healthcare information was obtained by malicious actors through the breach. unfortunately, personal healthcare data has become increasingly attractive to cyber criminals who seek to use it for blackmail or identity theft. for patients and emotional effects for private information can have a devastating impact for years, although many have changed functions have now resumed, trust in the security of its platforms needs to be rebuilt. we owe it to american patients and to our frontline healthcare providers from health systems to clinicians and community pharmacies to ensure that this does not and cannot happen again.
11:54 pm
today's hearing offers a valuable opportunity to learn from united's experience so we can better protect against and quickly react to future cyber-attacks. gaining a deeper understanding of how the hackers infiltrated change will help identify and address gaps in our existing cyber structure, cybersecurity infrastructure. evaluating steps taken by united in response to the attack from disconnecting its platforms to notifying law enforcement will offer lessons on how to build a more resilient and collaborative healthcare system moving forward. we must also assess the response of the federal government which plays a critical role in those efforts. hhs has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active threats as well as best practices to
11:55 pm
deter intrusions and resources should an attack occur. thank you, mr. witty for being here and discuss building a more resilient and responsive healthcare system and thank you, mr. chairman. >> thank you senator crapo. prior to that he was the -- we appreciate you being here, i believe you're going to take five minutes or so to share your testimony and a lot of member interests and you're going to get questions. mr. witty. >> thank you, and good morning, chairman, thank you for the opportunity to testify here today. my name is andrew witty. our mission is to help people live healthy lives and help make
11:56 pm
the health system work better for anyone. we pursue this mission through our two missions, united healthcare, optum which brings care delivery and pharmacy services and advanced patient center care. change health care is now part of optum, it enables information claims and payments to flow quickly and accurately between physicians, pharmacists, health plans and governments. i appreciate the committee's interest in the recent cyber-attack on change health care. as a result of this malicious cyber-attack patients and providers have experienced disruptions and people worried about private health data. to all those impacted, let me be very clear, i'm deeply, deeply sorry. our response to this attack has been grounded in 3 principles to secure the systems, to ensure patient access to care and medication and to assist
11:57 pm
providers with the financial needs. we have deployed the full resources of united health group in this effort. i want to assure the american public we will not rest, i will not rest until we fix this. cyber experts continue to investigate the incident and while we will learn more and our understanding may change, here is what i can share today, cyber criminals entered a change healthcare portal, on february 21st, deployed ransomware. our response was swift and forceful. to contain infection we immediately secured the perimeter of the attack to prevent malware from spreading. it worked. there is no evidence of spread beyond change health care. within hours of the ransomware launch we contacted the fbi. we continued to share
11:58 pm
information with them so that the criminals can be brought to justice. as we've responded to this attack including dealing with the demand for ransom, my overarching priority has been to do everything possible to protect people's personal health information. the decision to pay a ransom was mine. this was one of the hardest decisions i've ever had to make and i wouldn't wish it on anyone. as you know, we found files in the infiltrated data containing protected health information and personally-identifiable information which could cover a substantial proportion of people in america. so far, we have not seen evidence that material such as doctors' charts or medical histories were infiltrated. it will take several months before enough information will be available to identify impacted customers and individuals partly because the files containing that data were compromised in the attack.
11:59 pm
rather than waiting to complete this review, we are providing free credit monitoring and identity theft protection for two years along with dedicated to provide support services. anyone concerned that their data may have been impacted should visit changecybersupport.com for more information. meanwhile, we continue to make substantial progress in restoring change healthcare services. first, the team built a new technology environment in just a matter of weeks. second, we prioritized our restoration effort and pharmacy services claims, payments to providers. and third, while these efforts were underway, we worked quickly to provide financial assistance to those who need it. no interest, no fee loans to
12:00 am
thousands of providers. most of these funds are for claims for non-uhc health plans and about 34% of the loans have gone to safety net hospitals and federally qualified health centers. we will provide this assistance for as long as it takes to get providers claims and payments flowing at preincident levels and if there are providers in your state who need help, please put us in touch with them. fighting cyber crime is an enormous task and one that requires us all, industry, law enforcement and policymakers to come together. i look forward to answering your questions today. >> thank you, mr. witty. let me begin with this, this hack could have been stopped with cybersecurity 101 and i'm talking about multifactor
12:01 am
authentication. mfa. .. .. .. any of your senior management know they were not requiring mfa companywide everything for the question. for externally facing systems. >> so, if the answer is yes then, that makes my points that on your watch your that set
12:02 am
cybersecurity failure. and that is what caused the harm to patients in the healthcare sector and your investors. i don't believe there are any excuses for that. so, my second question is will you commit within six months at the latest to require multi factor authentication companywide meets the tough standards that are required to federal agencies? again he guested out answer requests observed german yes, i'm happy to commit to that. i can confirm to you as of today across the whole of all of our external facing systems have got multi factor off the -- >> will take that as a yes. it should not have taken the worst cyber attack ever in the healthcare sector for an agreement to do this bare minimum. second, with respect to national security people proclaiming to
12:03 am
be involved they stole data on u.s. government employees including active-duty u.s. military service members. my colleagues remember the 2015 hack opm government personal data which are heavily posed a very serious. i am very concerned as i said in my opening statement about national security implications this hack as well. are you in a position this morning to say whether dhec stole data pertaining to u.s. government employees? >> mr. chairman, thank you for the question. like you i am extremely concerned about any patient information but particular in the context you just described. so far, through the process of working through the data but we are able to identify is indeed a substantial proportion of people across the country dated could be implicated here for that we do believe there'll be members
12:04 am
of the armed forces on the veterans association for a quick swing can you give us in writing the number of military personnel affected your best assessment of who they are? and have that quickly iquestionable as to give you my absolute commit be able be my top party longer than a week request to it? it's a national security priority. two weeks i expected. >> let's talk about why things are taking so long. how hard providers are being hit. they are paying the price. how much longer will providers who sent in a claim for services delivered in february have to wait in order to be paid? >> i give her the question. i believe claims flow across the entire country is back to normal. julie from united health group we are paying claims as
12:05 am
soon as they arrive. we are aware of their companies may not pick racks providers or tell me it's going to take at least a june to clear the backlog. can do that earlier? we can move aptly faster than that right in the meantime we provide. >> when can you expect to have that cleared? >> we believe the system is almost back to normal now if there any providers and state how you like to refers to we can make sure expect that every provider i bump into is waiting to be paid for. >> those payments from united certainly have been made. we are caught up. we continue. >> will you commit to waiving deadlines for timely filings and appeals for claims until everything is back in order? >> yes stu varney waive those for. >> will you commit each provider plan and business operation disrupted? are happy to engage progress please send that to me in writing how compensation would
12:06 am
work. let me mention one other area very quickly. i've been following your various comments and consistently your views seem to minimize the impact of your involvement for percent of payments and in healthcare system. my view is that's hiding the ball. 2022 department of justice for change retains records of at least 211 million individuals going back to 2012. how many people have been impacted? where did you find those files what medical information was stolen? i need answers to those three questions how many been impacted question recorded from the file? what medical information is stolen. kressa said that's very much a top priority. we are working our way through that. as of this point we have not
12:07 am
identified anything like medical records medical history so we have seen his claims. >> you do not have the logs that would show what data walked out the door. we've been working to get that and we haven't seen it. senator crapo. >> thank you, mr. chairman. the fbi has repeatedly warned the healthcare sector is particularly attractive to cyber criminals. as your testimony notes united alone experiences attempted cyber intrusion once every 70 seconds. however, nationwide cyber security preparedness and response guidelines for healthcare sectors appear to be disjointed. without disclosing proprietary or security related details, how do you intend to revise united cybersecurity protocols to incorporate the lessons you've learned from this experience?
12:08 am
>> senator crapo, thank you very much for the question. first and foremost let me reiterate how seriously we take this. how diligently we are working to make this right both technically and also to make sure we understand the implications. to your question of how we are responding it is first and foremost let me reiterate we have enforced policy across the organization of multi-factor authentication on all external systems which is in place. >> got her up for just a second? part of my question about to get to that but i want to make sure you're responsive to this. is it as simple as fixing the multifactor system? >> multi layer. that is what element too. but it's only one element of the defense. making sure for example we have implemented in addition to our normal corporate wide scanning of technology environment we have external third parties to double or triple scanning across our system is a further protection layer.
12:09 am
we have also made the decision to strengthen our oversight of cybersecurity at the company by bringing every meeting faces which is the leading cybersecurity advisory service in america. they have been extremely helpful in understanding in this attack. they have become a board advisor to ensure we had the very best advice. >> would you agree this type and maybe even a stronger approach than this type needs to become a standard across our healthcare industry everything from government to the private sector. and frankly the entire aspect of our healthcare system? senator i would agree with that. we saw it and change healthcare it was a company that just came into our group a little over a year and a half ago was an older company is very typical of many
12:10 am
small to medium sized organizations and our healthcare environment. and therefore inevitably there will be a lot of work to be done to upgrade those standards. but i do agree with your assertion. >> thank you. i would like to move on to restoration and protection of patient information. your testimony indicates both pharmacy services and medical claims are not m flowing at near normal levels is that accurate? >> that is our belief. >> while this is welcome as the effects of the cyber attack continue from ongoing revenue backlogs to unfolding details about exposed patient health and identity information. which functions remain off-line? when do you expect 100% of changing systems to be restored? >> thank you very much for the question. all of our core systems are up and fully functional pharmacy processing claims, payments, the systems which are not available are support functions.
12:11 am
which is where the disruption has been caused. i would also like to emphasize that as soon as the attack took place we encourage providers to divert their volumes to other competitor chains of which there are several. many of them continue to operate through those channels which is another way normal service has resumed. >> have you heard reservations from providers about reconnecting to change? and if so how are you working to address those concerns question. >> yes that's a natural and good concern for people to have after an attack like this you want to be reassured the system is safe to reconnect to. that's why we disconnected so quickly in the beginning so we did not infect anyone else. the reason it's taken longer than you might expect to recover is we have literally built this platform back from scratch. we can't reassure people there are not elements of the old attacked environment within the new technology that we have
12:12 am
created. we are sharing all of those details with clients and customers as they reconnect i am pleased to say they are reconnecting substantially for. >> thank you. finally would you share an update on your understanding of the magnitude and the type of information that may have been obtained by dhec? when do you expect to begin the process of contacting impacted individuals? >> thank you for your question. working closely with the legislators on that last point of timing. how to or when to start communicating. we want to try to avoid piecemeal and it's a top priority to get it done as fast as possible. >> thank you. >> i'd like to thank my colleague on this multifactor authentication. we know we heard from your people he had a policy. but you are not carried get out and that is what we have the problem but senator blackburn. >> thank you, mr. chairman. thank you for being with us at. i am from tennessee.
12:13 am
we have been absolutely inundated with phone calls since this came back by people trying to get clarity around your statement about a substantial portion of people in america being affected by this right now it looks like anybody doing business with you. and i will tell you this, the reality that hospitals and providers are facing is wildly different from that rosy picture that you have painted. you haven't made a statement recently payment processing by change healthcare is at approximately 86% of preincident levels. this morning you said it was back to normal. i will tell you this, there is a backlog many of our providers and hospitals have from nine
12:14 am
weeks of not being able to get in and make these claims. here's a good for instance for you. a small independent private act hospital in west tennessee. they have been diligently submitted all of their they are burdened with the backlog of the medicare claims its equivalent to 30 days of revenue. they are waiting for these to be transmitted to medicare. this is all because of the missteps that you all have had. now every day they called to get update. every single day. they are calling and they get the runaround every single day. repeatedly it is like you all cannot figure this out.
12:15 am
the absence of medicare electronic remittance is compounding the problem and it is requiring manual payment processing. and of course this goes into labor cost you have error rate. so when can tennessee providers and hospitals expect you all to clear the backlog? to catch up and be back to normal? >> senator, thank you very much for the question peremptory storage with the experience in your state. >> when? >> we will reach out to your office to find out the names of those hospitals we will get connected with every. >> check every hospital, every provider. we have hospitals appoint on a line of credit are you going to pay the interest? are you going to reimburse that? >> we are operating loans ourselves. i said are you going to pay the
12:16 am
interest cost? let me move on with you. one of the surprises and the chairman just mentioned this is the lack of redundancies that you all have built into the system. now, your revenues are bigger than some countries' gdp. how in heaven's name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable? >> thank you for the question. first and foremost change healthcare to link recently become part of united health group. we were in the process of upgrading and modernizing their technology. the attack itself had the effect of locking up the very same backup systems that have been developed inside change before it was acquired. that is really the root cause of what's taking so long to bring
12:17 am
it back and emphasize we have worked to rebuild a brand-new technical environment so that we know it is a modern and not infected from the attack. >> well, there may be excuses but was there not a thought process put in place on the front end as you are going through this of how you would protect yourself from vulnerability? change healthcare came into the organization about a year and a half ago very. >> and fully aware of that. >> we were in the process of upgrading that technology. >> there again for whatever reason shortsightedness and not having a plan to incorporate --- let's move on. it is widely acknowledged temporary assistance program fails to adequately address the financial setbacks that are
12:18 am
caused by this. we have one tennessee provider that disclosed receiving a one time payment of $8000 significantly below their usual daily revenue of $20000. these providers have resorted into tapping into personal savings, retirement funds, seeking loans from banks. are you going to cover all of those costs that they have had to incur in order to keep the doors open because you did not have an appropriate backup plan? >> is important is this question is briefly because of got a lot of members interested, answer brick et cetera thank you for the question very happy to engage with those providers. >> we look forward to the engagement. >> thank you, senator blackburn, senator menendez. >> your company's slow progress in restoring services and advancing loans to providers has
12:19 am
caused operational disruptions with consequences for providers, pharmacies and patients across the nation. for weeks, hospitals and providers had to deal with low loan offers and onerous terms from the company for in some cases less than 1% of their typical weekly billing. all while patients suffered. your company is the nation's largest private health insurer and the largest physician employer in the country. earning billions in profits every quarter. it is unacceptable it took so long to help providers during a crisis of your creating. now i am concerned about what is going to happen on the back end. do you commit to not exploiting the destabilized provider markets you created to further acquire other subsidiaries? a simple yes or be great projects that are absolutely we will not take advantage of that and we have not. i would also like to reassure you we understand the effort to
12:20 am
go quickly in terms of setting up our loan program we did not get all the terms and conditions right. we can fix that very early we have been able to advance six cap billion dollars bequest talk about that united healthcare is you've just said distributed claims six and a half billion in financial support to providers. but you are dealing with the enormous backlog of claims estimated to be easily over $14 billion with some estimates put in the total impacted services at many multiples of that. in other words your accelerated advance payments are only a fraction of the total amount of services affected. it is my understanding united healthcare and its subsidiaries know to the penny with the average provider bills and every day, week, or month is yet providers in my state and across the country were struggling to keep their doors open as they waited for these payments. what reasonable explanation could you have for taking so long to get these accelerated
12:21 am
payments out the door? >> senator, thank you again for the question. unfortunately united does not know the flows to folks which is part of the reason why our initial approach was not as effective as we would have liked it to have been put in place a mechanism for the vast majority of providers gives them authorization to interest-free loans within hours of application. that remains open and available for providers who need it. >> it seems to me almost incredible you do not know the company so long established you don't know the flow. a daily, weekly, monthly amount is for certain provider. >> yes we understand the flow where the payer but often times we are not the payer. those to be the situations. david making loans to under rights not just united.
12:22 am
>> it seems to me you wasting a lot of time trying to pull a fast one by imposing onerous long terms on providers. can you commit to not demanding loan repayments until the claims of backlog is clear? >> sewer server we have streamlined our terms and conditions. no recent payt- interest-free loans until 45 days after they have concluded their back to normal progression of the loan terms prohibit health providers from work with any of united's competitors? >> no. breach youg the offered to do breach notifications for entities like hospitals and provider groups. just so grappling with severe and ongoing disruption to daily operations. one step at a provider should not be bound by the burden of providing hipaa-required breach notifications. no prudent medical group can rely on big promises containing no specifics with respect to timing or implementation.
12:23 am
provide is currently praising mountains of karnes with their own regulatory exposure should united not fulfill its promises. as more patients become aware of the possible disclosure of their sensitive information, they will turn to the providers for information and assurances, neither of which can currently be provided. so, when can providers expect concrete details on breach notifications in writing? >> this is our top priority. we want to get it done as fast as possible. we are working with the regulators to ensure we can get that as quickly as possible. >> can you give us a timeframe? is that a week? is that a month? >> it will be the next several weeks. >> of covered entities and will agreements include information that limitation will live building? >> so that we are working through the regulators so we can be very clear. >> i would like you to respond to the committee.
12:24 am
>> thank you, senator menendez. senator grassley is next. >> welcome to the committee. last month i wrote to the health and human services secretary regarding protecting critical infrastructure within the healthcare sector. in that letter i highlighted the need for a strong relationship between public and private partners to ensure the safety of u.s. critical infrastructure systems. i also inquired about legacy information technology systems. cyber attacks on our healthcare system not only have severe impact on our economy, but put lives at risk. my first question is: what's united health group's relationship with hhs and other government agencies as it relates to cyber security of the healthcare industry? how has hhs and cyber security
12:25 am
information agency worked with your company and the ah of the cyber security failure? >> senator grassley, thank you for the question. we have had a close engagement, i would say a daily engagement, with critically cms within hhs. we've been extremely engaged in terms of supporting providers and prioritizing recovery of the system. the fbi is a private partner in terms of law enforcement response to the attack itself. >> does united health group use legacy it systems that need to be updated? if so, what is going on to update? >> change healthcare is a good example of a company with all the technologies, a 40-year-old company with many technology generations within it.
12:26 am
as we always do with new companies like that, we strive to upgrade them to the standards of health group. companies to bring into the organization reflects a thank you touch on but let me ask specifically: has united health group taken every available action to immediately remove safety risks in its it and software? >> sir, could you repeat that please? i didn't hear the second part of the question. >> he asked you to repeat it. repeat your question. >> he just said he could understand. he just asked her to repeat the question. >> has united health group taken every available action to immediately remove memory safety risks in its it and software?
12:27 am
>> i'm not sure i completely understand the question about memory safety risk. i can assure you since the attack. >> want to do this answer that question in writing. >> absolutely happy to do so. >> change healthcare touches one in three medical records in the united states. i would like to better understand how change healthcare stores and manages patient data. how does change healthcare manage and store patient data? where is the data stored? is it stored by third parties, and at what point through processing, coding and storing is patient data ever sent overseas? >> we store data on premises in data centers and also to a limited extent in the cloud. as we rebuild the technology environment we have moved much more into the cloud, which is a
12:28 am
much more secure future environment. >> according to the fbi there's 249 ransomware attacks against the healthcare industry in 2023. has united healthcare group experienced another cyber attack since february 21? >> i'd have to come back to you on that. we are under attack consistently. i would like to make sure i'm accurate in how i respond to that question, but i'll be happy to come back to that. >> in writing. >> okay. >> do you feel like your company is prepared for another cyber attack? and this will be my last question. >> senator, thank you for that question. we are doing everything we can to be as prepared as possible. but we recognize the pressure of the attacks that come in. i believe we are taking every
12:29 am
sensible precaution. we have brought in multiple third-party expert organizations to supplement our own teams. where i hope we can also look for is ways we can start to reduce the attack pressure on the systems that we are all trying to manage. >> thank you, senator grassley. senator cassidy is next. >> thank you for being here. thank you for the conversation you and i have had prior to this. first let me acknowledge i spoke to doctors back home we kind of worst case has passed many have said it is result. let me credit you for the hard work you've done. that does present a different set of questions. one, even she united is waiving prior authorization essentially, but change handles lots of claims for other insurers. and as we know it sometimes prior is denied retroactively.
12:30 am
so surgery will be approved and then at a later point it's unapproved and the dollars are clawed back. some of the docs say we don't know the full width of the shoe that will drop in the future, whether cigna will have a problem with the process et cetera. to what degree has united worked with other insurers to address the uncertainty regarding prior authorization? to what degree would united hold the doc who is penalized, if you will, because of the damage done to the system from another insurer? >> thank you very much for the question. i very much appreciate the time you spared to talk through some of these issues with me. we thought of after our last conversation on some of these print from a united healthcare perspective i would like to confirm when settlement applies for prior authorization it is granted we never go back to contradict. we never go back in time to
12:31 am
change if they've already acquired that. to your broader point, we are very, very supportive of efforts to modernize and enhance prior authorization in a way that is much less burdensome on the system and much more effective in terms of ensuring patients get access. >> yes, but in regard to other insurers, in this process change was an intermediary. i can use them because they come to mind. there's an issue of prior auth, how would that be handled? >> in that situation that would be a cigna responsibility. >> is united reach out to smooth it over in the spirit which change in the ability provide the essential question or. >> thank you. i am clear with the question now. people have acted in good faith.
12:32 am
pharmaceutical dispense without getting authorization. the cup that was okay there is no system to check. we are honoring all of that. >> through cigna? oxo will cover that. let me ask you this, a broader question, something for this committee to consider. in our conversations and on an earnings call you pointed out, asked about the breach, the cyber attack was paradoxically a validation of the size and scope of the united business practice. i have been told "washington post" article 5% of u.s. gdp somebody by nicholas to leave he would say the fact you are so big and so dominant with the special vulnerability. yes, you have the deep pockets by which to address this. the very fact you are so big means you have a wide ranging ripple effect that was outsized.
12:33 am
so i think for us we would have to ask: is the dominant role of united too dominant because it is into everything, and messing up united messes up everybody? >> senator, thank you. it's really important to be clear the change for activity was exactly the same the day it was attacked from before it was acquired by united health group. it did not change because event health group. >> i do know and to limit our imagination to just change. 5% of our nation's gdp goes to united every day. then is there something else that could be incurred upon united that has even further reaching effects? >> is a bit look across the whole of united we continue to be as always focused on how we defend and protect the organization. we look to how we can upgrade to >> that is not my point. my point is the size of united, it's almost too big to fail
12:34 am
insurer. because if it fails it is going to bring down far more than it ordinarily would. >> i don't believe it is. despite our size, for example, we have no hospitals, we do not own any drug manufacturer. >> don't you own some incredible percentage of physician practices now? >> we employ less than 10,000 physicians. hospitals across america employ 400,000 physicians. we contract and affiliate with a further 80,000 physicians who voluntarily choose to work alongside our awesome colleagues. we are very proud of the physicians who work for us, but oftentimes i think people confuse the affiliated, contracted with the employed physicians. we employ less than 1% of doctors in america. >> i'm out of time. i yield. >> senator cassidy, this is an extraordinarily important issue you're raising. classic too big to fail kind of policy. i said a while back i believe
12:35 am
the bigger the healthcare company, the bigger the responsibility to protect systems from hackers. i think this can be senators on both sides of the aisle want to pursue what you're talking about. i look forward to working with you. >> thank you. >> our next person in order of appearance would be senator warren. >> thank you, mr. chairman. so in 2023 united health raked in a whopping 22 billion dollars in profits, making you the most profitable healthcare company in the country. in fact, by revenue, united health is the 11th largest company in the entire world. now, united health group owns the country's largest insurer, the largest claims processor, the country's third largest pharmacy benefit manager, a huge pharmacy chain. it's the largest employer of physicians nationwide or
12:36 am
controller. with at least 90000 physicians as you just testified. that's one out of every 10 doctors in the country. is that correct about your size? >> thank you, senator. as far as the physicians are concerned, we employ just under 10,000. >> i think you have control over about 90000. >> but i would say not control, they choose to work with us. >> great. because united health has bought up every link in the healthcare chain, you are now in a position to jack up prices, squeeze competitors, hide revenues, pressure doctors to put profits ahead of patients. united health is a monopoly on steroids. the opportunities for price gouging are everywhere. for example, united health is the biggest participant in medicare
12:37 am
advantage, the government program that pays private insurers to administer medicare benefits. with its web of subsidiaries united health is well-positioned to rake in more taxpayer money by using a practice called upcoding. it is noticing a patient has a cane and adding a diagnosis of vascular disease to the medical chart in the subclinical basis for the diagnosis and the treatment plan. according to a 2019 investigation by the hhs inspector general, united health was far and away the most aggressive abuser of upcoding practices. do you know how much, according to the inspector general, united health cheated taxpayers out of in 2017? >> thank you for the question, but i'm not familiar. >> the number is $3.7 billion.
12:38 am
and that is just a single year. that is only from two upcoding practices. that was five years ago. now as we speak, is united health under investigation from d.o.j. for among other things are billing practices? >> senator, thank you for your question. we have a long-standing practice of not commenting on matters such as that. >> i understand why you might not want to comment on it. public reporting from the wall street journal confirms that it is, although your company does not disclose this investigation. in fact yesterday, i sent a letter raising concerns about over $100 million in stock sales that united health executives made in the days and weeks before the investigation was revealed by the press. i'd like to make that part of the hearing record if i can pick. >> so united health is huge
12:39 am
boost is multi billion dollar profits with among other things of billing tactics. that takes me to the data breach. after the largest cyber attack on the healthcare industry in american history, hundreds of thousands of healthcare providers have risk of collapse. united health is now using the crisis to expand its monopoly even further. for example, in oregon united health tried to purchase a local physician practice, but faced enormous public opposition. after the data breach we are talking about today, these doctors could not get reimbursed for their services, which pushes into the financial breach. so, what did unitedhealth do? belt emergency petition with regulators to allow them to acquire the doctors' practice on an expedited basis. will this acquisition make
12:40 am
unitedhealth even bigger? >> senator, thank you for your question but like to put on the record. >> i have a very simple question. will it make united health, this giant 11th largest company in the entire world, even bigger? >> as the organizations join us i hope it becomes better as new physicians. >> not better with a heart attack but business practices the question is bigger? >> is bigger will become large. >> united health using its own data breach to snap up doctors' practices that have been driven to the edge of bankruptcy by that same data breach. it is no wonder united health told its shareholders this data breach would have, quote, no material impact on the company's finances.
12:41 am
bigger and bigger and bigger as we speak. united health is trying to pick the bones of steward health care in my home state of massachusetts. it was run by private equity and corporate greed. it's time for regulators to say no to these efforts to get bigger and suck even more health dollars away from patients and providers who need it. for the sake of our patients, our doctors and nurses, and the american taxpayer, it is time to break out. >> the time for my colleague has expired. next in order of appearance will be senator johnson. >> now for a different perspective. the largest financial entity in the world is the united states federal government. we will spend close to $7 trillion this year and that 35 members of congress is the board of directors. the board of directors has a large than that largest national entity to incur $35 trillion
12:42 am
worth of debt. the largest national of the world gets hacked all the time. last year going to gao childrn $36 billion in improper payments through all the government programs run by the largest entity in the world. a little balance here. i will state the obvious: unitedhealth, you were a victim of a crime, correct? >> that is correct, sir. >> i'm sympathetic to people who are victims of crime. i don't think you went out and sought to be hacked. what i was hoping is this will be more about utilizing your experience to figure out what went wrong, so other people watching this can try to correct it. we sent out yesterday i appreciate you taking the time meeting with me to talk about change healthcare. there was one server that did not
12:43 am
have dual authentication. that was the source of the breach. again, the cyber attackers are very sophisticated, they exploit their weaknesses. most tax occur to tell the security breaches the history of change healthcare. how was it built? why did you buy it? how's it supposed to function? >> senator, thank you for the question. change health grew over 40 years through a series of its own acquisitions and organic growth to become a network connector across the healthcare system. it's one of four or five companies who do the same kind of thing. >> the same kind of thing is processes payments? >> process claims, provide it to payers and send payment back. >> exactly. >> recently complex and to do >> highly complex because of medical rules, insurance rules. it is a complex thing to
12:44 am
david. >> exactly. it's a software network business, it is not a pipeline business in a physical sense. so when it is exactly vulnerability is the software is impacted or encrypted and that freezes the whole system, which is why this has been such a devastating impact. >> this subsidiary of united purchase have been built up over years through private equity. one group describe exactly where the vulnerability was. >> we were in the process of upgrading the technology that we had acquired. but within the server, which i'm incredibly frustrated, since it was not protected by mfa. that was the server through which the cyber criminals were able to get into change. they led up a ransomware attack that encrypted. >> you found out, when your it people were aware of the breach
12:45 am
were notified immediately. you contacted the fbi within a couple of hours? >> all on the same day. february 21 i was at a board meeting, they came in and told me on february 21 i would call the fbi. >> you probably been breach estimate for that? >> we think in hindsight, we did not know at the time. as we've gone back and done the forensics, we believe they entered probably nine days before. >> by previous work on homeland security, average is a couple hundred days dhec are actually inside the system exploring it for the vulnerabilities before all the said they are made known. so again these are sophisticated actors here. what was your response? i mean what did you do? >> the minute we knew about this, even before i'd been briefed, our team and filed the right set and disconnected change from all other connections. it is critical to prevent the infection of any other provider
12:46 am
network in the country. that worked, we know that did not happen, so we contained the blast radius to just change. >> you shut down the system? >> a check on the whole thing regrets honestly denying your customers payment which you admitted you could have handled that better. very difficult things to do here. you established this loan program in general. percentage of your customers, how many are satisfied with your response to this versus those that are still pretty upset with you? >> first of all, you're right, we did not get it first-rate in the first week or so. we quickly changed that. since then we've had extraordinary uptake from folks across the country. and judging by the correspondence i get from small providers in particular, how grateful they are not just for the loan but the ease with which it was provided, usually in just hours or overnight, they've been able to be supported. we continue those loans the debris in the loot we believe
12:47 am
the overall system is back to normal, but we know some people have not been paid yet. >> thank you for your testimony. >> senator, thank you. >> i'm going to go to the senator from nevada in just a second. i want to make sure, because you've been all over the map with respect to personal accountability. we have consistently downplayed your role in this. your head of cyber security told us last week about this. we still need to know whether you knew you did not have mfa. did you even know that? works on those? no actually not. >> why not? >> as the company had only recently, relatively recently, come into the group, it was in the process of being upgraded. >> why wasn't it the first thing you would do?
12:48 am
>> so, my understanding is when change came into the organization there was an extensive amount of modernization required. unfortunately, very frustratingly, the server had not had it deployed on the part of the attack. >> but you coming in was that we've got to do with this. this is a server at this is not an abstract issue. the senator from nevada. >> let me follow up on some of that line of questioning. paid the ransom, correct, to dhec? >> that is correct. >> how much? >> $22 million. >> information dhec obtained, was that identifiable patient information? quickset x will traded pii mpa scheiber quickset's most personal healthcare information would provide to you, correct question mike don't have an obligation to protect the information?
12:49 am
>> we certainly do. we take that obligation seriously. we are frustrated by this attack. >> you are required by state law and federal law. >> that is correct. we take that obligation very seriously. >> because of the same law you are required to notify those affected partners and patients that their data, their personal data, has been compromised, correct? if you haven't done that yet, is that right? how long is it going to take you? >> we think that will take several more weeks to finish the data analysis to understand what is therapy. >> several more weeks, since this attack was 59 days ago? >> yes, and thank you for the question. we were only able to start the process about a month after the attack. we got the data set back. we were able to deal with and start to interrogate a very complex process.
12:50 am
>> is a conflict of so much patient that it's hard to identify all this? >> it's more the complexity of the data structure, making sure we get it right and are notifying people. >> as we sit here today there are many patients who do not know their healthcare information has been compromised. they cannot put protections in place to protect themselves against identity theft? >> not yet been able to notify people. >> quickly jump to something else that's happening that i'm hearing in my state. nevada health center with locations across the state of nevada mate ryan change may ryae healthcare for real-time patient eligibility verification. i am hearing despite the portal being back online, critical provider patient information is often missing or mismatched, with 50% of payer information being an accurate rate seeks clarity on when the systems will be corrected to get reliable answer
12:51 am
from you healthcare groups. i hope you can provide the clarity. when will the real-time eligibility verification functions of the change healthcare network be up-to-date and accurate? >> thank you for the question. if i may, i'll come back to you today. i do not have that with me right now. >> i hope you do, many are asking this question. providers must adhere to timely filing deadlines set by insurance companies for claim reimbursement. if you miss these deadlines insurers may deny payments, delayed patient care and creeped chris vernon. challenges for providers to meet the deadline. will you commit to extending united health plan filing deadlines for any claims affected by the change healthcare hack
12:52 am
and subsequent system outage? >> yes, absolutely. >> we agreed to extend the filing deadline for claims filed before the february 21 cyber attack, considering the appeals process for these claims has been disrupted by united health group systems outage? >> we are happy to do whatever is necessary. >> is that a yes? >> yes. >> thank you. so also let me address this. i am concerned about the lasting effects of the security failure on the healthcare sector. providers i've been talking to are missing out on interest from delayed payments. in nevada it went help center reports spending $12000 every week on overtime for staff working with billing and eligibility issues caused by this change healthcare outage. for many small care providers in my state, missing just two payments could force their
12:53 am
foreclosure. so my question to you is: what steps will united healthcare group take to compensate providers for the administrative costs they are incurring due to the cyber attack? >> thank you very much for the question. first and foremost we continue to make available the interest-free loans. and we engage with individual providers and their on the circumstance as you describe. >> interest-free loans will address these administrative issues? or are there conditions upon the interest-free loans? >> i'm sorry, there are no conditions on the interest-free loans, other than they be repaid 45 days after the provider has confirmed they are back to normal. >> okay. thank you. >> thank my colleague. senator tillis is next. >> thank you, mr. chair. thank you for being here. i know people have asked questions about your redundancy plan and
12:54 am
multi factor authentication. can you give me some sense whether internal or external audits identified this audit risk in the past? i've got to believe any qualified internal auditor on systems control would have identified authentication not being in use as a major risk factor. do you know if there's a record out there management would have been made aware of? >> of this particular service questionnaire. >> guest rickwa except that i'm aware of. got to be interviewed for the find any we could information or external audit that was identified. it was identified as an actionable matter. tell me a little bit about redundancy. who used to work in billing systems, cut over systems for it sounds like it was not a very smooth cut over.
12:55 am
how did that not make it do a system audit as well? >> thank you very much for the question. i agree with it's very frustrating there's not a quick redundancy switchover. >> you are an information technology provider, at a large scale. >> that is right. within change healthcare, which was again a company that only recently came into our organization, it is in the process of being upgraded. the attack itself implicated both the prime and the backup environments. that was partly due to the age of the technology and the large amounts of the climb. the other elements of the cloud we are able to bring back almost immediately. all of the data centers how we do and multi layers historical legacy who would challenge on the restart. >> i actually brought in pretty simpering that when essence and armed services but had get on
12:56 am
give a up senate armed services get on finance. i was brought this would cyber attack upon hacking for dummies, the fifth edition. include the nature of the breach that you will develop but this is some basic stuff that was missed. it's a shame on internal audit, external audit and your systems post task with redundancy, but they are not doing their job. and as a result we have a data breach where i have said in judiciary committee of the first meeting i've had were talk about data privacy, data breach and sweet i have been on finance. i really do believe it is your problem to fix. and the damage to the consumers' data is you've got to give them whole. your entire enterprise is based on the movement of data, movement and exchange of data. that is how you create value. my health records, the records of people moving. when you have a breach it's got to be your problem, not my problem. so everything that you do to keep those folks whole for any
12:57 am
damage i think is a function of doing business. i agree with that. >> the eye do so. i take full responsibility and we are waiting for the notification. we've already stood up and tried to do identity theft protection for anybody they can reach us through a 1-800 number or cyber. >> it raises interesting challenges about timeline et cetera. we will submit some questions for the record about just how long you're willing to make that commitment and how easy it is. i for one do not want to estimate i got a notice of possible involvement of data breach. it was kind of interesting to say it will help you with your problem. and i'm thinking no, i will help you with your problem. you are not going to make this difficult for consumers. and i'm talking to those folks were going to take at face value going to do it right.
12:58 am
this is not the problem of the person here now may have to deal with the consequences of the use of their data, it's got to be your problem to fix. mr. chair, i just want to bring up, i hope we can get back a pretty fume or three or four years ago after your past the data privacy data breach everybody is done without congress and its act on that. congress has done nothing, in part because it's a multi jurisdictional issue that wades into commerce. it wades into judiciary. i think there's a third committee as well. we are making a huge mistake by not having federal rules of the road on data privacy, data breach, and now this enterprises have to mitigate things. we have got to really work on it. we have a patchwork of over a dozen states doing it differently. i think it creates distraction because really businesses that take them away from our data.
12:59 am
hopefully we can work on this birthrate critical subject. >> senator tillis, a couple of very important points to make. the last one in terms of bringing together the various committees is essential. i do not want to leave the other important points that you make. multi factor authentication is vital for prevention. but redundancy, which you touched on base and helps the company get back on its feet. this company flunked both and i thank you for your >> senator lankford. >> chairman, thank you. thank you for being here. there's a lot of conversations happening and i appreciate the phone call we had a couple days ago just to be able to talk through some of these things in greater depth. i'm going to tell you a story getting started. i'm going to combine several people together just to be able to tell you a story for oklahoma in the lives in a rural area pit
1:00 am
she's in her mid-70s. several years ago she used to go to her local physician, but the local physician practice closed down because it's just the administrative burden could not keep it going. so now she drives to a hospital, it's about 30 minutes away toe government the doctor there. the hospital and that physician are on her insurance. should medicare advantage. but by the time she scheduled an appointment, she lined up the appointments and found out no, they just switched off, they are no longer on medicare advantage. but they were when she originally signed up for the plan. then, she found the ghostly doctor on that. she gets in, the doctor needs to run some tests. but she cannot do the test on that day because they have to do prior authorization of the insurance company, so she has to drive home. what is a test she needs that they could do that day, but they cannot do that day because they're working prior authorization to be able to go through. the hard part is two years later that hospital has stopped taking
1:01 am
medicare advantage at all. with that several of our hospitals do in oklahoma saying just the realized reimbursement is 20% less than medicare. they just cannot keep up with medicare advantage because of all the prior authorizations and on the denial of service. so they stopped taking medicare advantage entirely which for her puts her in a difficult spot. shows are like a pharmacist that she's gone to for years. finds out there's a pretty remarkable pressure on them they are going to have a hard time for the not sure they're good but will stay open but the insurance company. tells her we want you to do a mail order pharmaceuticals. it's pretty complicated diseases. to talk to. i wish this was a story that wasn't true but it is. it is the complications engaging in all of those areas medicare advantage. this is just a reality we are
1:02 am
facing here, especially in rural areas, and in my state 2 million people living urban a >> so it's a reality for those folks that live in a rural area, of those exact challenges that are laid out. i'm not asking you to answer all of those, i'm just saying those so you'll hear it, because that really is a reality of what's happening on the ground every day in rural oklahoma, and they just want to get health care and get access to that. i do want to clarify something you and i talked about. it is when hospitals and pharmacies will be made whole, reimbursements are done, when is the target time when everybody will be made completely whole? >> senator, thank you very much. just on your first comment if i may. a government state company
1:03 am
obligation. we do need to reduce both positions and make it easier to navigate the system provides the help mitchell this is and how it helps we are very open to ideas and suggestions. >> the new line. >> there are families that sign up with plans because i know that physicians and sign up in october november but then they find out it switched over in
1:04 am
january but they signed up in october. they need to know they sign up for physician opposition will. >> i agree with you in these key areas we need to work together. >> we continue to make sure interest on the capacity remains available work with providers on other issues. >> what you think of it they? hope months or six weeks. >> that will be helpful for providers. any pacific ideas on the other side the fbi could have dealing with both sides of this ransomware attack, things the fbi could happen doing better that could have been helpful so any books in your company want to pull together a list work on
1:05 am
that side as well. >> time has expired. as reluctant as i am breakup was psychic, we have people coming and going. i want to get senator casey but we can break this up. >> thank you, mr. chairman. roger here. owns and operates tells you about the problems going on in our healthcare system. i hear from orders forced to make impossible decisions and considering closing their doors entirely and shut down abms the same story driving up costs or abusing direct and endeavor
1:06 am
these are pharmacies. for you aware recent national disease association survey independent pharmacy owners and managers over one third reported considering closing this year due to financial constraints, are you aware? >> i am aware of. >> to the significant role in these closures? >> thank you for the question. we are -- we do not have these. >> do you acknowledge abms like a significant role? >> i don't necessarily believe that to be the case. i think they provide significant service at a variety support sorry to cut you off i only have five and it's. it's clear that contribute to local pharmacy closures. i met with due process last week
1:07 am
forced to close stores. they are in rural areas, five pharmacies and five communities where they have to drive at least five to 10 miles they had record sales they can't even break even. it here the company a lot of money you know that. i'm assuming he writes about that last year brothers of 116 billing dollars so it's pretty clear you could lower or eliminate peace and still make plenty of money. we'll commit in front of the committee to lower and eliminate the pharmacist from ohio and across the country? >> we've already eliminated -- you help us in the industry claimant your colleagues to do the same? >> we will encourage that it's
1:08 am
clear they are not going to reform on their own right we need to pass legislation to remain in corporate middlemen and pass moving on in the financial burden from doctors and hospitals and health systems and the most dire consequences from the attack you know how important they are and i serve those most audible and operate on markets. was a health center in ohio dropped from an average of 600,000 week 20,200,000 week on unacceptable can't continue to operate like this without certainty it will be compensated for these losses. what is united plants to
1:09 am
compensate for these financial burdens? >> think about the question. in the context described in that situation we have an interest in program, 200 billing what would be happy to reach out to your office. it's still available and what bridge the gap loans required to pay back. >> when they are fully back to normal and weird. >> they will make the determination? >> correct and then 45 business days payments of two calendar months. >> and low interest rates means -- no interest. >> no interest.
1:10 am
>> thank you. >> thanks very much. statements united healthcare claims the vast majority of services has been restored to pre-levels i providers in pennsylvania struggling to their patients and family reimbursement doctor christine meyer who owns a practice in pennsylvania initially taking out a home equity loan or practice afloat and reached out to participate in your loan probably only offered 4000 a month% of her monthly expenses. months later she is receiving or from the received more generous loan from optima but is worried
1:11 am
about repayment. she said the term dark here and read she will have to pay back the loans before or practice is up and running. when you commit to supporting providers delaying the deadline of the loan repayment to the back or claims. regardless? >> let me apologize for the delay in the right level of loan capacity in the efforts to move quickly recognize we didn't get it right always at the beginning of this process. this. we have detention asking for sean street they let and back to normal. even then would not look for
1:12 am
repayment of 45 business days no interest no fee associated want to ask while the risk especially complex of children the obvious click on healthcare or financial information is reached. how child stalling cyber criminals to open up years apart longer to repair damage. for seniors in older adults, victimization has been skyrocketing. data breach even more scammers use in the future. united healthcare southern company becomes the cyber attack
1:13 am
predicates and more than two months according to the company website it will take several months unquote to identify and notify impacted diverse -- customers, individuals and i think it's clear united has defenses differently time united going to expand and flocking but from he's not worried about personal profit health information upfront along much has happened break of relief
1:14 am
that we can to minimize the possibility of it being happy today notification, in america who come to our services to provide prevention and protection of within first use of the substance. a straightforward enough time i will submit the record. >> before you leave, i appreciate family more discussions often impeach.
1:15 am
it is absolutely inefficient. >> thank you for this hearing today provides direct her hospitals saw all that wrote severe overnight stereos that visits to hospitals under terms for unnecessary the first work hospitals during what was spent isis but she returned to operations. i hope we can get more lobby
1:16 am
senator has asked, from basic information portion of people in america from of millions of families obtained by cyber criminals in the attack on your company for breach required to notify individuals within six decays of health reasonably you have to affected. however acute health or the secretary health information is compromised. to meet your obligations need to send informationis little
1:17 am
1:18 am
because at first that michael reportedly begins the first is not ten weeks away too long for millions of americans cannot know their this lady available to criminals oligarchs web so i urge you medially notify family so they can take i urge you to use united read
1:19 am
1:20 am
1:21 am
1:22 am
but as you think about smaller organizations often times they navigat so i do think refresh and i think minimum standards do make sense. we would be very happy to engage. >> one of the things we need, we would -- people wouldn't be surprised if an individual provider or the united parent being a huge entity but, you know, my understanding of changes and, effect, they were
1:23 am
the rails that folks didn't understand allowed the insurer, provider to communicate information from them. i think we think of minimum standards, it has to be all the way up and down the food chain. we can't just chuck them off, let the provider uncover. we have to through that whole supply chain in a way that quite honestly i don't know if we have transparency overall. i thought it was authentication problem. you guys are the biggest in the business and the fact that you required change, you were 3 years in acquisition and you didn't put the type of standard that united corporate would already have in place into change, why was it taking so
1:24 am
long? >> senator, thank you for that question. that is very much what we try to dig exactly why that server has not been protected by multifactor authentication. i'm as frustrated as anybody about that fact and we are working to try and understand why it was not covered at the time. >> well, mr. chairman, one of those areas where we don't have resilience. i have providers that have not only gone through literally weeks of not being able to have payments made and lost faith in change that they are now talking about getting a new provider. i think we need to look, not only at minimum standards but also how we build resiliency into this system. i think the whole business
1:25 am
model, any entity providing and affect the connections from a telecom guy that i used to be, the connections between doctors, providers, insurers, there has to be a backup system backup system and the business model has to change so that whoever you sign up you have a backup in reserve because without that you have the kind of crisis the system has prevented here. you said you were going to try to change that. >> certainly the agreement and we would encourage people to have backup systems and provide alternatives, they were able to go to backups and able to carry without interruptions, essentially. some did not have those backups. we need to work with providers
1:26 am
and second rail which would allow them -- >> i know you want to take on this issue. we knew it was going to happen. >> i think those points are well taken senator warner and i think that there's an opportunity to link up number of the issues as i understand, your proposal is essentially a medicare related kind of effort. we have financed committee staff all of the members over the hipaa security rule as well. and i think your point as it relates resiliency allows us and started us to walk-through how
1:27 am
all of this actually works. i mean, you can be the walk into a coffee shop and talk about multifactor authentication. everybody would look at you like what planet did you descend from. senator tillis came in and gave us link prevention and getting up and running quickly h redundancy efforts is all about. we link up these issues and work in a bipartisan way, i look forward with my colleague. >> all right. let's see. next we would have -- we would have senator barrasso. >> thanks, mr. chairman. thanks for being with us today. >> so 26 days for the processing
1:28 am
to be restored like other hospitals, taking months for which to recover. over the 26 days they were delayed in filing 17,000 claims result about 20 million of services, rural hospitals all across wyoming in the u.s. provided access with central health services and they represent the most financially vulnerable. how are you prioritizing the processing of claims? >> senator, thank you very much for the question and let me say how sorry i am to hear the kind of pressure that you just
1:29 am
described. >> i would encourage them to do so. so we believe most of the backlog, not like obviously i cannot 100% but where there's lag is payment on those claims. for example, if a claim is to united health care, we will pay instantly, but not all payers are paying instantly. some may be paid 30 days after claim is received. that would explain the delay. we are permitted to maintain interest-free loan capacity from
1:30 am
folks until they -- >> we want to make sure that you're specifically prioritizing hospitals because they need to keep their doors open. it's been a lot of discussion about two-factor verification today and we have a small community hospital that i try to get to every year in wyoming, town of 2500 people, in 2023 they spent nearly a million dollars on cybersecurity. it's not as clear. we had every person here ask those questions.
1:31 am
they are operating in the red and health care was established in 2007. this was a hospital established in 1961 and has already been updated, so financial resources to implement and authentication system, i'm not sure why you haven't had this in place yet. >> senator, thank you for the question. i'm very disappointed and frustrated. some of the legacy in that company go back 40 years. unfortunately, we discovered which was not covered and as a result it was exploited. >> have you implemented the requirements since the breach? >> oh, absolutely.
1:32 am
we are using external support to ensure we have all those in place. continue penetration tests to make sure they are active, very frustrating situation which we continue to try and investigate. >> 5 or 6 physicians in the practice are getting hit as well. larger practices. you have any plan to change policies to ensure that providers aren't financially on the hook in the future? >> we certainly -- important i will provide really unlimited to get to cash flow situation and we are willing to talk to providers on a case-by-case basis. thank you, mr. chairman. >> senator barrasso, before you go, i want to associate myself with your remarks because this
1:33 am
is so important as it relates to the small families and we've been at it for two hours i think you touched on what i regard as one of the key areas and we just heard excuse after excuse this morning from mr. witty, and, you know, the fact is that first server that was hacked did not have multifactor authentication and mr. witty's head of cybersecurity knew about it. so we got to get to the bottom of it. it's going to be completely bipartisan effort. we haven't had any senators and i very much appreciate. >> thank you, mr. chairman. thank you, mr. witty, for being here today. similar issues i want to talk about. mr. witty, i appreciate the
1:34 am
initial efforts that uhg made to offer financial assistance. this is affecting cash flows across the state. we have patient in colorado that are continuing the care and my office has been working, until 2 or 3 months away from their normal cash flows and they are already as you know, operating on shoe string as this is. on top of what they're dealing, normal reimbursement processes to come back online, one critical access hospital in colorado has $1.5 million in outstanding payments that is half of a revenue and their ability to pay doctors and nurses and other staff is at risk as a result so operation is at risk not just hospitals,
1:35 am
pharmacies like good day pharmacy in colorado that have been forced to pass on the cash piece of medication to payments to patients some of which cost over a thousand dollars for over 30 days. so colorado can't afford that expense and they haven't gotten their medicine. they are left empty handed as a result of that. they are unable to pay their bills. they can't pay it online. i know you heard this today, one more state, the single attack has kicked off cascading series of crises. maybe in addition to what senator barrasso asked you about, what costs you think you
1:36 am
might be responsible for here and how you're thinking about those challenges? >> senator, thank you very much for the question and sharing the situation at colorado. i'm very sorry for the disruption being caused. we are working very hard to fix those technical solutions as fast as possible. financing capacity remains in place. still has $1.4 billion issue. we will reach out to your office to connect with those folks to ensure that they have the support to breach them to lead them back to normal. we are willing to keep that support in place if that's a month or two or three months. that would be no cost to that hospital. >> well, i appreciate that, mr. witty, we will take you up
1:37 am
on that. how are we going to avoid from this happening in the future? >> that's a good question. we are all taking the responsibility of this attack and we are also trying to learn from it. we want to make sure we share the things we are learning, we will continue to do that as the investigations continue to pursue any other understanding. but the attacks were sustained and they are going up. it's not going down, the attacks are becoming more and more sophisticated and the levels of technology that we are going to need to protect against those attacks will continue and that's going to be a challenge i think for many to keep up with the pressure which is why important on thousand reduce the attack rate and making sure that the
1:38 am
numbers of attacks that come into the health system and more broadly in the country begin to draw and simply escalated and i think -- i think the probability of the breaches in other parts of the health care environment must be high given the pressure that the system is under. >> thank you, thank you very much. >> next is senator young, i believe, and then senator carper. >> thank you, mr. chairman. mr. witty, good to see you. thank you for making yourself available to me and my office and the back end of these attacks. health care entities and devices are increasingly connected to the internet and other health care facility networks to provide features that manage administrative functions, increase efficiency or improve the ability of healthcare providers to treat patients. we, of course, have to have confidence in the systems the tools can be used safely and securely in order to reduce
1:39 am
risks and vulnerabilities for patients and providers. there remain some unanswered questions and lessons to be learned from this attack. you've acknowledged that. mr. witty, one of the work-arounds for payers and providers which we discussed was to move to a different clearing house including change health care competitors, how long can a transition take for a provider to be fully up and running with a new vendor? >> senator, thank you for the question. that can be, i think, within just a few days. i can come back to you with a more educated assessment of that but i would say a few days to week or so. >> okay. and that's okay. that gives me a rough estimate. is change health care helping with these transitions? >> in fact, we recommend to as many alternative competitors as possible and we will continue to encourage clients to have a
1:40 am
backup system in place, so to have at least -- at least two channels in case there were future attacks. >> and i know this has already been covered a bit but to confirm, there's been reporting of exclusivity clauses. would any exclusivity clauses be enforced and what should providers be aware of if they transition to a new provider. >> you're quite right. the legacy health care waive those and not intend to force them. we want to make sure people have backup capabilities in place. >> okay, all right, thank you. family healthcare is a community health center in southern part of my state. it's unable to switch clearing houses and time sensitive process for their billing
1:41 am
department which has new people and connecting two people can cyber liability insurance at risk since it hasn't been guaranteed secure. they've turned to a 100 percent paper submission by claims by mail incurring all kinds of overtime expense and significant postage cost for a small health care center that tries to provide the most they can for their patients. tulip tree learned of the attacks from the national news. do you have a notification process in place, sir? >> that's one of -- that's a very good question and that's one of the areas where i think we need to figure out how to communicate not just the company but the government. we saw the same thing in covid. very difficult to communicate with providers across the system. this particular attack where compromised in the attack so they were encrypted which made
1:42 am
it very difficult for us and reach out directly to those clients. i would say in this particular situation that you describe, we love to reach out to your office and we can help them during the bridge to the new supply, we would be happy to help. >> and you did mention those mechanisms you've created to provide that financial bridge, i'm encouraged by that, how are you more broadly disseminating information to providers particularly, you know, the small safety net health centers like tulip tree? >> again, thank you for the question. insurance providers which is millions physicians across the country. we sent something like several hundred thousand emails and worked with the key medical associations, we encourage associations to get the word out
1:43 am
to provide with others and, of course, we've been running regular national telephone calls, more technology lead across all of the organizations and encourage, encourage them to spread the word. but i do think community diagnosis providers, i think that is an area which comes up, an area for opportunity. >> thank you for answering my questions, mr. witty. i guess the only other thing i would ask, you know, you will have all manner of lessons learned including that there may be limitations under existing law to being able to respond to these sorts of attacks and serve your clients optimally to extent those lessons are learned i to s to communicate to my office and this committee so we might consider changing the law. >> thank you.
1:44 am
>> thank you. >> mr. chairman. >> i thank my colleague and i look forward to working with him. we've had a very good bipartisan, you know, effort and my colleague has had interest and i'm struck about how little we know about the data that could involve our personnel. i look forward working with them. >> senator carper. >> to our ranking member, thanks for pulling this together and thank you for taking the time to talk and your testimony earlier today among the things i shared with you, roles i've been privileged to serve. one is everything i do, i can do better and i think everything i do i know i can do better. i think that's true. that's the goal. >> another one of my guiding principles is to treat other
1:45 am
people the way i want to be treated. i will try to put myself in other people's shoes whether it happened to be constituent or a practitioner or provider for myself i will put myself in those shoes and let myself guide me. the other thing i mentioned is shared responsibility, the idea of shared responsibility. obligations that you and your colleagues have but there's role for government and it's shared responsibility. he said the role of government is to do for the people what they cannot do for themselves and -- local government and we have federal government. a role for all of us to play. we are proud, a hundred miles
1:46 am
north and south, 50 miles to west. something i love to do and easy to do. people that have been not just, you know, disadvantaged but really hurt, potentially put in harm's way. we heard from practitioners and providers in a real way, human way, so for us this is very real but thinking in terms of the role of government since we are the government, the federal government. role of government here, what might be one or two that we could play and should play. >> thank you very much for the question and your comments. i think what areas that i would suggest, one is helping the health care system think through what the minimum standards, what the kind of -- the right level
1:47 am
of system protection and redundancy to try and guard against impacts of future attacks and the second is to see what further can be done or more can be done to reduce the attack velocity that is coming at the u.s. healthcare system from cyber criminals and other possible actors. so i maybe suggest those two areas first of all. >> thanks. >> the people that depend on that system, but the ramifications remain widespread. it was not prepared but actually be fully prepared for any type of distinction. you shared with my and becoming more frequent and aren't stupid and not getting any dumber unfortunately. but it's clear that change health care wasn't prepared for
1:48 am
this attack, lack of security measures left healthcare providers and patients vulnerable to disruptions in care and sensitive data being stolen and like my colleagues, as i said, we heard from practitioners, families with individuals throughout the state who were directly impacted from this attack. one individual that we talked was unable to receive prescription for several days because significant pharmacy delays. mr. witty, why do you think it took so long for your systems to get back up and running and why are many pharmacies are still offline today? >> thank you for the question. and i'm very sorry to hear the situation of the patient who was waiting. we have tried to make clear that we would honor any prescriptions which were filled with the pharmacist, uncertain what the
1:49 am
reimbursement status was but challenges of communicating across such a wide group of providers, the speed of recovery of our systems is really determined by the way the attack encrypted large parts of the environment and ensure system that when it was brought back online guarded participants in the environment that it was safe to reconnect and remember the change healthcare is a big connecting system. we really built the environment from scratch. so we did not resuscitate which would have brought suspicion of infection and led to, i think, people not being willing to reconnect at all. we spent a lot of time rebuilding from scratch and having third-party organization, penetrate today make sure it was super robust before it came back but unfortunately that took time and consequence of the way the attack has impacted the first system and then the commitment
1:50 am
to bring back better lane system was the explanation. i thank my colleague. just a few additional questions i'm not clear on. patients, the real victims remind you of your negligence. equifax for the people that have their information stolen, sent to individuals $5, how are you going to go about compensating people for their stolen data and do you think that's right to give people $5. >> mr. chairman, we are working hard to get notification as soon as possible and to understand who is potentially impacted but in the meantime we have stood by to wait for that and we have put in place help people understand
1:51 am
the situation to make sure that they already can access for anybody and whether that data is in this or not. anybody in america can access credit protection, identity theft protection for the next two years. >> identity theft and protecting against is something that i'm very supportive of. but i also i'm very hawkish on protecting people's private medical data and when i saw equifax giving people $5, this happened very recently, i wanted to know from you all whether you thought that was reasonable, how are you going to go about it, you envisioned sending out 5-dollar checks? >> mr. chairman, at this time i do not feel like -- i feel that the important thing is to reassure people that, a, we are doing everything that we can to ensure that they did not in fact, leak, b, that we would
1:52 am
make sure that their data -- that their situation is protected through the services that were already made available and available to anybody in the country. let's also get on the record one of the questions that senator menendez touched on with respect to doctors because per a lot of particular -- represented small communities in our states that oregon, much of oregon is rural, senator barrasso was talking about as well, our physicians are very much at risk. they owe you for these loans and i'm concerned that the loans will give you valuable financial information that based on the company's history is going to be used to gobble up and i asked you about what was going on in oregon that senator warren touched on as well. this is not a hypothetical
1:53 am
question for your company because your company is buying these people up hand over fist. so i would like to see at a minimum a fire wall established so as you can't use the data from these doctors that were gleaned from the loan process, you go out and buy out more doctors because that's the last thing we need in america. would you support that? >> first of all, do i support that. i think that's a good idea. a good recommendation. we have not asked for any loan repayment from anybody and we will be guided by the providers confirmation that they are back to normal. so it would be under their guidance that that conversation would begin. but your suggestion is a good suggestion and while that's very confident, we will never take advantage of that information to
1:54 am
being absolutely clear. we are happy to put in place the process you just described. so we've been at it for more than two hours, you know, now and there's a lot we don't know. there's a lot the american people don't know. we don't know what data was stolen. i'm not convinced that we are going to find that out any time soon. we may never find out and this data as i said several hours ago can reveal abortions, mental health conditions, sexually transmitted infections and more and i just -- i just want to see evidence that the company is willing because the company is so big that we heard my colleagues talk about too big to fail and i think they were frankly more eloquent than i was a couple of hours but i think
1:55 am
companies that are so big have an obligation to protect their customers and to lead on this issue and much of what i read about this, you're kind of saying the american you should feel lucky that we are big. i think that a lot of americans today don't buy that and i think that your clean on your watch let the country down, these millions of people on both the prevention side which is two-factor authentication, multi-factor authentication is all about and on getting them back and going, still questions about getting back and going and that's redundancy. so there's a lot of heavy-lifting to do. i want you to know that this is the area that i tried to concentrate on in the years over the years in public service, director of the senior citizens groups. this is one of the most important issues i've taken on because i think the intersection
1:56 am
of health policy, economics, national security is now front and center and i am all in on this. that's one of the most important fights that i've taken because what worried me all of these people that are professionals and shoot, this is an example of the bad guys of what they can accomplish and you're going to have to be much more active and much more forthcoming in terms of these kinds of specific issues that we've talked about today if we are going to turn this around so with that, the finance committee is adjourned. [shouting]
1:57 am
[shouting] >> shame on you. >> shame. [inaudible conversations]