Lawmakers express frustrations over Change Healthcare cyberattack

Lawmakers expressed a variety of frustrations during the first congressional hearing examining the Change Healthcare cyberattack.

U.S. Rep. Cathy McMorris Rodgers, R-Washington

The House Energy & Commerce Committee’s health subcommittee held a hearing Tuesday on the ransomware attack and its ramifications on the healthcare industry.

House members asked health technology leaders and representatives of the industry about the impact of the attack. Witnesses testifying before lawmakers said the cyberattack is the most devastating to ever hit the healthcare industry.

“The Change Healthcare attack is of course, the most recent and certainly the most appalling and disruptive to healthcare delivery that we've seen to date,” said Greg Garcia, executive director for cybersecurity for the Healthcare Sector Coordinating Council.

• Read more: At hearing, health leaders ask Congress for help with cybersecurity

Scott MacLean, board chair of the College of Healthcare Information Management Executives, testified that the Change Healthcare ransomware attack dwarfs the WannaCry cyberattack in 2017.

“This is the largest cyber attack on our sector today, much larger than the WannaCry event experienced several years ago,” MacLean said. “It has and continues to interrupt patient care and the financial impact on our members has been significant. The scale and repercussions of this cyberattack cannot be underestimated.”

• Read more: Change Healthcare cyberattack: Lawsuits emerge, and more are coming

‘Reacted pretty slowly’

Both Republican and Democratic lawmakers offered a number of criticisms about the cyberattack.

Rep. Larry Bucshon, an Indiana Republican who is also a physician, said the government should have acted more quickly to help providers. He also said private companies were slow in their response.

“I think the federal government as well as the private sector reacted pretty slowly in dealing with the consequences of the attack,” Bucshon said.

Hospitals and health systems would have benefitted from a more rapid response from the government, including the Centers for Medicare & Medicaid Services, said John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association.

“The federal government did not step in for weeks,” Riggi testified at the hearing. “Needed flexibilities under Medicare were not immediately available. It took 18 days for CMS to begin allowing providers to apply for advancing accelerated payments.”

Members of the committee also talked about providers in their district who have felt the impact of the attack. U.S. Rep. Troy Balderson, a Republican from Ohio, said the attack has cost Ohio hospitals an estimated $500 million. Rep. Greg Pence, R-Ind., said a hospital system in his district, Columbus Regional Health, has seen millions in payments delayed.

U.S. Rep. Kim Schrier, a Democrat from Washington State, discussed the impact on Kittitas Valley Healthcare, a rural hospital in her district. To date, Kittatas only recouped half of its regular March receipts, she said.

“The Change attack was devastating for them,” Schrier said.

Nearly all hospitals (94%) said they have suffered a financial impact from the Change Healthcare attack, according to a survey by the American Hospital Association. Riggi noted that about three quarters of the nation’s hospitals said the attack has affected patient care.

• Read more: Change Healthcare cyberattack shows ‘no one is immune’

Consolidation concerns

Lawmakers in both parties raised concerns about the growing consolidation in healthcare.

They said the increased number of mergers raises the risk of more damaging cyberattacks, with healthcare giants having mass repositories of private health information on millions of Americans.

“I think the FTC is going to need to look at health care sector consolidation,” Bucshon said at the hearing. He said he believes the growing consolidation “is not in the best interest of the American people.”

Rep. Cathy McMorris Rodgers, R-Wash., the chairwoman of the House Energy and Commerce Committee, asked about the ability of the U.S. Department of Health & Human Services to coordinate cybersecurity efforts. Garcia said the health department’s coordination of cybersecurity efforts and sharing knowledge has improved.

“It’s herding a lot of cats, but we are seeing over the past couple of years a much more coherent and forward-leaning approach by HHS to partner with us,” Garcia said.

Not in attendance

Some lawmakers bristled that UnitedHealth Group didn’t have any representatives at the hearing.

Rep. Frank Pallone, D-N.J., the ranking Democrat on the House Energy & Commerce Committee, was one of a number of lawmakers to express disappointment that UnitedHealth wasn’t present.

“I'm extremely disappointed, I have to say, that UnitedHealth Group did not send a representative to today's hearing,” Pallone said. “They have a critical perspective and insights into the existing vulnerabilities of our healthcare system.”

McMorris Rodgers noted UnitedHealth Group’s absence but said company representatives have briefed lawmakers about the attack and pledged to testify at a future hearing.

The hearing came a few hours after UnitedHealth Group released its first quarter earnings, which beat expectations even with financial fallout from the Change Healthcare cyberattack.

The company reported $99.8 billion in revenue in the first quarter of 2024, up from $91.9 billion a year ago. The company said the impact of the cyberattack represented 74 cents per share in the first quarter, and estimated the full-year impact would be $1.15 to $1.35 per share. UnitedHealth’s stock price rose to $468.89 Tuesday, a 5.2% increase over the day before, but the price has dropped 13% since Jan. 1.

UnitedHealth Group says it has provided more than $6 billion in financial assistance and interest-free loans to providers affected by the attack.

Lawmakers said they expect to hear more from UnitedHealth Group about the attack and why it happened. Pallone noted that a bipartisan group of lawmakers sent a letter Monday to UnitedHealth Group CEO Andrew Witty to get more information about the attack and the company’s response, including steps to deter future attacks.

The U.S. Health Department has launched an investigation of the cyberattack to determine if UnitedHealth or Change Healthcare violated any federal regulations concerning the privacy of patient data.

‘Tip of the iceberg’

House members said they had heard of providers having difficulty in dealing with insurers with the fallout from the cyberattack, including a lack of flexibility in filing claims.

Schrier said she had heard reports that insurers have been reluctant to offer advanced payments to providers. Riggi said that hospitals have encountered resistance from other payers.

“Other commercial payers are reluctant or simply refusing to provide beneficial terms for advance payments,” Riggi said.

He also noted that hospitals have struggled with manual processes to submit claims. “We think the industry could do and should have done a much better job during this situation,” Riggi said.

Rep. Diana Harshbarger, a Tennessee Republican and a licensed pharmacist for over 30 years, said insurers could have offered advanced payments based on historical averages.

Lawmakers said they are worried about the healthcare industry’s vulnerabilities to cyberattacks, and are anxious to see improvements in defenses.

“What scares me is that this is just the tip of the iceberg as to what bad actors could do to our health infrastructure,” said U.S. Rep. Bob Latta, a Republican from Ohio. “We must do better to protect and defend against cyberattacks.”

McMorris Rodgers said it’s imperative to improve cybersecurity in healthcare to protect patients.

“I don’t want this committee to be back here in five or 10 years, after more patients’ healthcare is disrupted by known criminal actors finding vulnerabilities in the cyber security of our health system,” she said.