WASHINGTON, D.C. — In February, a massive cyberattack disrupted healthcare systems nationwide. Many providers are still feeling the impact. Now, federal lawmakers are demanding answers and accountability.
“As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are worried about their private health data,” said UnitedHealth CEO Andrew Witty.
Change Healthcare, a UnitedHealth subsidiary, is the largest healthcare clearinghouse and processes $1.5 trillion in medical claims annually. In February, Change Healthcare experienced a massive cyberattack that disrupted healthcare systems nationwide after Russian-linked cyber criminals gained access and unleashed a ransomware attack.
“An American Hospital Association survey found that more than 90% of hospitals were financially impacted by this cyberattack,” said Senator Mike Crapo (R- ID).
Following the attack, UnitedHealth quickly disconnected the affected systems to limit damage. The company paid a $22 million ransom in bitcoin to the hackers.
“To all those impacted, let me be very clear. I’m deeply, deeply sorry,” said Witty, who recently answered to members of Congress in House and Senate committee hearings.
“This hack could have been stopped with cyber security 101 and I’m talking specifically about multi-factor authentication,” said Sen. Ron Wyden (D- OR).
The absence of multi-factor authentication enabled hackers who used compromised credentials to gain access to the system. In addition to cyber security shortfalls, senators on the Senate Finance Committee also pressed Witty about lingering impacts on providers and patients.
“Patients are bearing the brunt of it. Prescriptions went unfilled. Patients were stuck at the hospital longer than needed, and Americans are still in the dark about how much of their sensitive information was stolen,” said Sen. Wyden.
UnitedHealth says most systems are now up and running. The company has also issued $6.5 billion in assistance loans, but many doctors and hospitals who went weeks delivering services without getting paid are still dealing with major backlogs.
“Doctors and hospitals went weeks delivering services, but without getting paid. Insurance companies couldn’t reimburse providers. Even today, key functions supporting plans and providers, including sending receipts for services that have been paid and the ability to reimburse patients for their out-of-pocket costs are not back up and running,” said Wyden. “Practically every provider I bump into is waiting to be paid,” he added.