Senators’ letter demands accountability from UHG

Senators Josh Hawley (R-Missouri) and Richard Blumenthal (D-Connecticut) announced Friday that they wrote to UnitedHealth Group Chief Executive Officer Andrew Witty asking a series of questions relating to what they called UHG’s lack of “sufficient redundancy to prevent an outage,” a timeline of events relating to the February 21 ransomware attack and how UHG is filling the revenue gap providers are experiencing.

The senators requested responses by April 15.

WHY IT MATTERS

Hawley, who serves as ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, announced on his website Friday that the April 1 letter also demands “that UHG proactively advance payments for all claims – not just UHG claims – to providers” and asks what the company is doing to ensure a breach of this magnitude never occurs again.

In more than 12 questions, Hawley and Blumenthal, the subcommittee’s chair, did not only seek granular details about the origins of the Change Healthcare ransomware attack but also what processes Change and UHG are using to identify compromised providers and patients and which cybersecurity improvements have been made.

Hawley and Blumenthal called the downstream financial instability of the healthcare sector “alarming,” particularly for rural and small providers. 

“With its systems still offline, the company is paying out far fewer insurance claims than usual,” they noted in their letter. 

The senators also asked about reported attempts by Optum to purchase medical practices facing bankruptcy, asking the company for a list of names and attempted acquisitions.

“UnitedHealth’s attempts to ‘profit from the desperation’ created by its own failures are unconscionable,” the senators said.

Further, the senators said that the “origin of this crisis” can be traced back to UHG’s purchase of Change Healthcare, one of its subsidiary Optum’s primary competitors. 

“Medical trade groups warned that the merger would not only result in a near-monopoly in health IT but also give UnitedHealth Care – the country’s largest insurer and a subsidiary of UHG – access to competitors’ claims and policy information,” Hawley and Blumenthal said.

THE LARGER TREND

UHG stated most recently on March 27 on its Change Healthcare cyber response page that the company is working together to restore products and services. 

The Change Healthcare parent company also said it has advanced “nearly $4.7B to providers in need,” and will continue to provide financial support until recovery is complete.

UHG previously announced more than $2 billion in advanced payments to providers while the U.S. Health and Human Services’ Office for Civil Rights announced on March 13 an investigation to determine if protected health information was breached and UHG’s compliance with HIPAA was broken with the cyberattack.

On April 3, UHG asked a U.S. court in Nashville, Tennessee, to consolidate at least 24 class action lawsuits that have accused the payment processor of failing to protect personal data, according to a Reuters news story

The attack, which has affected organizations across the entire healthcare continuum, highlights the urgency of contingency planning for healthcare organizations, according to cybersecurity experts who say more effort is needed to avoid cyberattack chain reactions in healthcare.

ON THE RECORD

“The result of UHG’s failure to properly safeguard against cyber threats and the subsequent, extended outage of its services has been dire,” the Senators said in their letter. “Providers were unable to fill prescriptions, verify patients’ eligibility for treatment and submit insurance claims.”

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.