(Bloomberg) -- When a cyberattack on Change Healthcare paralyzed much of the US health-care system, some lawmakers saw it as proof its parent company, UnitedHealth Group Inc., was too big.

UnitedHealth Chief Executive Andrew Witty saw it differently. He has said that the company’s size kept the hack, which crippled a network that handled $2 trillion in health claims a year, from being more harmful. It was “important for the country that we own Change Healthcare,” Witty said earlier this month.  

Witty is expected to appear at House and Senate hearings on Wednesday. He is likely to be asked whether UnitedHealth, which runs the largest US health insurer, employs thousands of physicians, and manages prescription benefits for millions of Americans, has concentrated too much risk under one roof.

UnitedHealth, which has a market value of $451 billion, has estimated that the Feb. 21 attack could reduce its profit by as much as $1.6 billion this year, making it one of the costliest hacks ever. Merck & Co. said a 2017 cyberattack that was blamed on Russia cost the drugmaker $1.4 billion. The price tag for large disruptive breaches is more often in the tens of millions of dollars.

A company spokesman said in an email that UnitedHealth believes the hack “will likely be the largest health-care data breach in the US to date.” 

Much of the Change Healthcare network has now been restored, according to UnitedHealth, and the company has made billions of dollars available to ease the chaos the hack created. 

Yet the upheaval persists. Monadnock Community Hospital, in the small town of Peterborough, New Hampshire, has depleted $5 million in reserves and was getting just a fifth of its normal payments until mid-April. The American Medical Association said doctors, especially those with small practices, are still reporting difficulties two months after the hack.

Such disparities highlight a hard truth about health care in the US: When trouble appears, big hospital networks, sprawling pharmacy chains and national insurance plans can usually weather the storm, while patients and smaller players bear higher costs.

“I would’ve never anticipated something like this,” said Richard Scheinblum, Monadnock’s chief financial officer and top cybersecurity official. He said he’s thinking about how he can make the hospital’s information systems more resilient.

“We can’t afford to make mistakes,” he said. “Mistakes hurt people.”

Change Healthcare, which was created through a series of health-technology mergers and acquisitions, was bought by UnitedHealth in 2022 — in a deal the US government tried to block. UnitedHealth is facing a separate US antitrust probe, though the company has continued to pursue deals, including a pact to buy a large Massachusetts-based medical practice.

Functioning as a central node in the health-care system, Change Healthcare carried terabytes of data for doctors, pharmacies, insurers and the government. When hackers broke in, the intrusion showed how it had become a single point of failure that could compromise patients’ privacy and potentially pose a danger to their health.

“As you see more and more of these mergers and gigantic health-care operations, I think you’re creating a systemic risk in terms of cybersecurity,” said Senate Finance Committee Chairman Ron Wyden, an Oregon Democrat.

Indiana Republican Representative Larry Bucshon said at an April House hearing on the hack that “the massive vertical integration in our system” is not “in the best interest of the American people.”

UnitedHealth said its size allowed it to respond “quickly and decisively” to the attack to repair Change’s systems and offer $6.5 billion in assistance for providers. The company said it has communicated regularly with authorities, customers, and others affected, and that it’s working to reach providers who serve vulnerable patients. UnitedHealth said it improved the funding program in response to feedback and that providers in need should reach out for support, including no-cost, interest-free loans.

UnitedHealth “repels an attempted intrusion every 70 seconds,” according to Witty’s prepared testimony for the House Energy & Commerce Subcommittee on Oversight and Investigations, which the panel released on Monday. The company supports minimum security standards for the industry to counter increasingly sophisticated attacks, according to the testimony.

Lack of Clarity

Last year, US authorities thought that they had a notorious hacking group on the run. A confidential source had helped law enforcement infiltrate the systems of the ransomware gang known as BlackCat, or ALPHV, according to a December search warrant. The Federal Bureau of Investigation seized BlackCat sites and built a tool to counter its ransomware.

In response, the hackers reportedly encouraged affiliates to target hospitals and nuclear plants. Intruders slipped into the Change Healthcare network on Feb. 12 through a compromised login, the Wall Street Journal reported, and went undetected for more than a week, extracting data that the company later said “could cover a substantial proportion” of Americans.

UnitedHealth cut Change Healthcare’s connections to the outside world on Feb. 21 and alerted the FBI that afternoon. By late that evening, executives were in touch with top health-agency leaders, discussing what they knew and their options to fix, replace or bypass damaged networks, according to people familiar with the discussions.

At pharmacies across the US, computer systems used to check insurance coverage and process prescriptions went down. While large chains found workarounds, the outage roiled others, and interrupted dispensing at military facilities. As the hack snarled payments, doctors and hospitals said they weren’t getting much information or a clear sense from UnitedHealth of when the problems would be fixed.

Cybersecurity officials who briefed a congressional committee March 13 felt “handcuffed in this instance because of the lack of transparency and lack of information flowing into us” from the company, according to a letter Maryland Democratic Representative Jamie Raskin sent to Witty. HHS in a letter told UnitedHealth to “communicate more frequently and more transparently” with the rest of the industry.

By early March, Change Healthcare’s e-prescribing system was largely restored. In late April, the company said claims were at “near-normal levels” and about 80% of Change’s functions on major platforms were working. UnitedHealth said it paid hackers a ransom to protect patient data, though it didn’t disclose an amount. The company hasn’t notified patients whose data may have been exposed and said it will take months to ascertain.

The financial damage to UnitedHealth has been limited. While its shares are down about 6% since the attack, the $1.6 billion hit it projects this year would come out of an expected annual profit of $24.7 billion, according to estimates compiled by Bloomberg. 

Capitol Pressure

Publicly, officials in the Department of Health and Human Services were largely silent immediately after the breach. The agency oversees Medicare and Medicaid, which cover health care for about 150 million people at a cost of $1.7 trillion annually. Insurers that administer those programs, including UnitedHealth, continued to collect premiums, but payments to medical providers stalled.

Andrea Palm, the deputy secretary of HHS, said in an interview that agency leaders have been in touch almost daily with UnitedHealth executives since the hack was discovered. HHS pressed the company to expand its advance-payment program when care providers complained that it was inadequate, she said.

“Ultimately, HHS’s responsibility is to patients and their care, and if providers couldn’t keep their doors open that was a problem for patient care,” said Palm, who noted that the agency set up its own effort to get money into providers’ hands. “We pushed them hard to expand that program.”

Still, lawmakers including Senate Majority Leader Chuck Schumer, the New York Democrat, were pushing the Biden administration to act. HHS made its first statement on the attack on March 5, urging insurers to loosen prior-authorization requirements and telling administrators of government health programs to help providers find workarounds while Change’s systems were down.

Senator Maggie Hassan, the New Hampshire Democrat, discussed the hack with President Joe Biden when he visited her state on March 11. Some rural hospitals told Hassan 98% of their cash flow vanished after the hack.

“I think about the fact that I needed to reach out to the President of the United States and the Secretary of Health and Human Services to bring them into this conversation too, because UnitedHealthcare is so large and has such an impact across the country,” Hassan said in an interview.

Hassan, a member of the Senate Finance Committee that is expected to hear testimony from Witty, said the US should consider what is needed “so that an attack on one of these very large operators doesn’t put at risk such a huge proportion of our health-care system, and ultimately put patients at risk.”

After Hassan brought her concerns to Biden, top administration officials met with Witty and health trade groups. Hassan pressed Witty to get cash into hospitals’ accounts. UnitedHealth made the terms of a provider loan program less burdensome.

Hassan met with hospital executives in her Manchester office on March 15. Scheinblum, the Monadnock CFO, told her he was still struggling to get assistance from UnitedHealth. That afternoon, a top executive reached out to him, and a $2 million advance was on the way.

Financial Fallout

The fallout from the hack was widespread and its effects have lingered, especially where financial setbacks are harder to brush off.

Patients calling safety-net clinics in Philadelphia couldn’t get through when call centers outsourced to Change went down. North Carolina Medicaid officials held daily briefings on the situation, which they felt posed high risks to beneficiaries.

Some companies expect extended logjams. Option Care Health Inc., a publicly traded infusion business with $4.3 billion in annual revenue, said in a March 14 filing that more than half its claims hadn’t been processed since the hack. This month, it said it expected its cash collection backlog to stretch into the third quarter.

Small practices face acute challenges. Angeli Maun Akey, a primary-care doctor in Gainesville, Florida, was mostly unaware of the cyberattack until she went to pay her 19 employees in early March. She found that the $25,000 a week that usually flowed into the clinic’s account had dwindled to less than $6,000.

Akey told her family she might need to close or sell the clinic, where she had “grown old together” with patients over 25 years of practicing in her hometown. To get cash, she sold retirement investments and started asking patients at the front desk to advance her $45 when they came in.

“People came and dropped checks for $100, $200, $2,000,” she said. The generosity helped her keep her doors open. Akey also got advances from Medicare and other companies she works with, but a glitch delayed assistance from UnitedHealth: On April 25 she was approved for a loan of $31,000, an amount she said is inadequate. 

Across the US, there are similar stories. Anastasia Taylor, a social worker and therapist, started a nonprofit clinic called EmpathyHQ in the Dallas-Fort Worth area in 2013. Taylor accepts insurance, unlike many mental-health care providers. But when the Change network went down, several dozen prospective patients left and never returned after being told there was no way to verify their coverage.

“We are here to help and our mission is being clouded by actions outside of our control,” said Taylor. “It’s incredibly frustrating and heartbreaking because we don't know if any of those people will ever come back.”

--With assistance from Sana Pashankar.

(Updates with CEO’s prepared testimony for US House panel in 16th paragraph)

©2024 Bloomberg L.P.