Health

Americans deserve to have their sensitive health information protected. Energy and Commerce Republicans have been actively working since the February 21st cyberattack on Change Healthcare to understand how it happened, how it can be prevented in the future, and how to help Americans continue to access care.  THE PROBLEM Change Healthcare is one of the largest health payment processing companies in the world. It acts as a clearing house for 15 billion medical claims each year—accounting for nearly 40 percent of all claims. The cyberattack that occurred in February knocked Change Healthcare—a subsidiary of the behemoth global health company UnitedHealth—offline, which created a backlog of unpaid claims. This has left doctors’ offices and hospitals with serious cashflow problems—threatening patients’ access to care. It has since come to light that millions of Americans may have had their sensitive health information leaked onto the dark web, despite UnitedHealth paying a ransom to the cyber attackers. E&C ACTION From the outset, Members on Energy and Commerce have been working with the administration and Change Healthcare to help providers—particularly smaller and rural practices—maneuver through the new, complicated process of getting reimbursed, so they could keep their doors open and focus on caring for patients. Energy and Commerce Republicans were briefed by the Administration for Strategic Preparedness and Response, the Centers for Medicare and Medicaid Services, and Change Healthcare in the weeks following the attack. Following the briefings, bipartisan Energy and Commerce leaders wrote to UnitedHealth seeking answers about the attack. The Subcommittee on Health convened a hearing on May 17th to explore cybersecurity vulnerabilities in the health care sector and discuss possible solutions to address them. This week, the Oversight and Investigations Subcommittee called UnitedHealth CEO Sir Andrew Witty to explain to the American people what happened in the lead up to and during the attack, how the company is responding, and how it plans to prevent such an attack from happening again. WHAT WE LEARNED 1. The attack occurred because UnitedHealth wasn’t using multifactor authentication [MFA], which is an industry standard practice, to secure one of their most critical systems.  Mr. Witty:   We're continuing to investigate as to exactly why MFA was not on that particular service. It clearly was not. I can tell you I'm as frustrated as you are about having discovered that and as we've gone back and figured out how this situation occurred.    Change Healthcare came into the organization toward the end of 2022 after the timing of the declarations you just described.    Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. For some reason, which we continue to investigate, this particular server did not have MFA on it.   2. It’s estimated that a third of Americans had their sensitive health information leaked to the dark web as a result of the attack.  Oversight Subcommittee Chair Morgan Griffith: "Substantial proportion of the American population." What does that mean? How much are we talking? 20 percent? We talking 50 percent? We're talking 70? Tell us.   Mt. Witty:   Chairman, we continue to investigate the amount of data involved here. We do think it's going to be substantial. Because we haven't completed the process, I'm hesitant to be overly precise on that and and be wrong in the future. I wouldn't like to mislead anybody in that regard.   Chair Griffith:   Well, and I wouldn't want you to mislead us either. But when you say "substantially," at least give me some kind of a range. You can be on the bottom to high. I don't mind giving you a range. Are we talking 20 to 50?   Mr. Witty:   I think maybe a third or somewhere of that level.   3. This might not be the end of the leaks. Despite UnitedHealth paying a ransom to the criminals, it cannot guarantee that more of Americans’ sensitive information will not be leaked.  Chair Cathy McMorris Rodgers:   How were the hackers communicating with UnitedHealth to get the ransom? Did you communicate ever directly with the hackers?   Mt. Witty:   I did not. No. Chair Rodgers:   How much did you pay in ransom? And how was it paid it? In dollars? Bitcoin or other cryptocurrency?   Mr. Witty:   $22 million in Bitcoin.  Chair Rodgers:   What was the date that you paid the ransom?   Mr. Witty:   I'm sorry. I don't have that to mind. But I can certainly get back to you with that.   Chair Rodgers:   Can you affirmatively say that the hackers you paid did not make copies of protected or personal data and then, at a later date, uphold it onto the internet or the dark web.   Mr. Witty:   I cannot affirmatively say that. No. 4. UnitedHealth has resources to help individuals and providers.  Dr. Burgess:   Is there a generally available website or telephone number that a practice can call right now, if they're continuing to have a problem?  Mr. Witty: Yes. And thank you very much for the question. So [ https://support.changehealthcare.com/ ] is the best website for anybody to access, whether it being a provider or an individual.    But, also I would very much like to note the 1-800 number that's available for individuals to call if they have any questions at all about data or anything like that.    So, it's 1 (866) 262-5342. That service line is available and makes available very quickly is a very simple process. If anybody wants things like credit protection, identity theft protection, those services are all available to be enrolled on just through a simple phone call.   CLICK HERE to watch the full hearing. Check out some of the news coverage from the hearing: UnitedHealth’s handling of the situation will probably be “a case study in crisis mismanagement for decades to come,” said Rep. Cathy McMorris Rodgers (R-Wash.), chair of the House Energy and Commerce Committee.  Witty fielded heated questions from Senators on the House Energy and Commerce Committee about the company's failure to prevent the breach and contain its fallout.  Pressed for details on the data compromised, Witty said "maybe a third" of Americans' protected health information and personally identifiable information was stolen.  Members of the House Energy and Commerce Committee asked Witty why the nation's largest health care insurer did not have the basic cybersecurity safeguard in place before the attack. "Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty said. "But for some reason, which we continue to investigate, this particular server did not have MFA on it."  Rep. Gary Palmer (R., Ala.), in an afternoon hearing held by the House Energy and Commerce Committee’s subcommittee on Oversight and Investigations, pressed Witty on how many government employees with security clearance were included in the breach. That kind of theft would be a national-security risk, he said.  Still, Rep. Earl L. “Buddy” Carter, R-Ga., railed against the company’s use of vertical integration, in which it has acquired physician practices, pharmacy benefit managers and other players in the health care system. “Let me assure you that I’m going to continue to work to bust this up,” Carter said.“This vertical integration that exists in health care in general has got to end.”  Several members also took the opportunity to chide United Healthcare’s use of prior authorization, which Witty said resumed for its Medicare Advantage plans April 15.   The company should “carefully review how that prior authorization” has affected patient outcomes, said Rep. John Joyce, R-Pa. 

House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) joined CNBC’s Squawk Box to talk about today’s Oversight and Investigations Subcommittee hearing on the Change Healthcare cyberattack. Highlights and excerpts from the interview below:  On What to Expect at This Afternoon’s Hearing:   “This is an important Oversight Subcommittee hearing for the Energy and Commerce Committee. We expect to get a comprehensive report from Mr. Witty from UnitedHealth as to what happened, why Americans have had their personal health information made available on the dark web, what they're doing to fix this problem, and then also what we and what UnitedHealth must do to ensure that this never happens again.  “UnitedHealth is very large, and millions of families and taxpayers pay billions of dollars to UnitedHealth in premiums, and we need to make sure that their personal health information is protected from these kinds of cyberattacks.”  On Attempts to Catch the Cyber Criminals:   “UnitedHealth decided to pay the ransom. We're going to ask questions as to why they decided to pay the ransom, in this case, because we know that when you pay the ransom, that only incentivizes more of the harmful behavior by those that are perpetrating these kinds of cyber attacks.   “We have been spending a lot of time and had numerous hearings around cybersecurity. Just two weeks ago, we had a hearing on cybersecurity as it relates to health care, on what steps we need to be taking to protect personal, sensitive health information that has been made available on the dark web, in this case, which is very harmful to millions of Americans.  “This is a very serious issue, and that's part of the purpose of the hearing today.”   On the Role of Congress Intervening to Protect Patients’ Data:   “This hearing is part of us getting answers. We need to better understand what happened, why it happened, and then we will look at what steps we need to be taking. Certainly cybersecurity, whether it's in healthcare or other sectors, is top of mind for Americans as we see more and more of our information online. “The Committee is working on protecting American privacy rights online. We've also worked on the Lower Costs, More Transparency Act to give Americans more ownership over their data, but also to understand what the prices are.   “In this case, United has become very large, and the individual, unfortunately doesn't always have a lot of power and control in this, so I believe it's very important that we get legislation that's going to help patients understand what the prices are. We have United as a very large health insurance company that maybe doesn't want to pay the prices, only the doctors that are providing the care and that can be problematic.”  [...]  “We have looked at the consolidation, and we passed legislation with overwhelming support— the Lower Costs, More Transparency Act —to address this consolidation to provide more competition in the marketplace, which ultimately brings down costs and gives consumers more choices.   “We're working with the Senate to get them to take action on this, because we're overall concerned about these larger and larger health care systems.”

Washington, D.C. — House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), Subcommittee on Health Chair Brett Guthrie (R-KY), and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA), on behalf of the Health and Oversight Subcommittee Republicans, wrote to National Institutes of Health (NIH) Director Monica Bertagnolli. In the letter, the Chairs ask the NIH to confirm by May 14, 2024, whether the agency has complied with White House guidance to stop funding projects led by researchers and entities in Russia.  BACKGROUND :  On June 11, 2022, the White House Office of Science and Technology Policy (OSTP) issued guidance stating such projects and programs that commenced and/or were funded prior to Russia’s further invasion of Ukraine in February 2022 may be concluded, but new projects in affected subject areas will not be initiated.   The OSTP advised applicable departments and agencies to curtail interaction with the leadership of Russian government-affiliated universities and research institutions, as well as those who have publicly expressed support for the invasion of Ukraine.  In a statement in an April 9, 2023, article in The Washington Times , the NIH’s Office of Extramural Research claimed that “NIH currently does not fund any research in Russia.”  However, the Data Abyss tracker for the OSTP Russia guidance on federal funding agencies indicates that, as of April 5, 2024, the NIH has potentially 240 instances of problematic research collaborations since June 2022 that do not comply with the guidance. CLICK HERE to read the letter.

Washington, D.C. — House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), Subcommittee on Health Chair Brett Guthrie (R-KY), and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA), on behalf of the Health and Oversight Subcommittee Republicans, wrote to National Institutes of Health (NIH) Director Monica Bertagnolli. In the letter, the Chairs ask the NIH to confirm by May 14, 2024, whether the agency has complied with White House guidance to stop funding projects led by researchers and entities in Russia.  BACKGROUND :  On June 11, 2022, the White House Office of Science and Technology Policy (OSTP) issued guidance stating such projects and programs that commenced and/or were funded prior to Russia’s further invasion of Ukraine in February 2022 may be concluded, but new projects in affected subject areas will not be initiated.   The OSTP advised applicable departments and agencies to curtail interaction with the leadership of Russian government-affiliated universities and research institutions, as well as those who have publicly expressed support for the invasion of Ukraine.  In a statement in an April 9, 2023, article in The Washington Times , the NIH’s Office of Extramural Research claimed that “NIH currently does not fund any research in Russia.”  However, the Data Abyss tracker for the OSTP Russia guidance on federal funding agencies indicates that, as of April 5, 2024, the NIH has potentially 240 instances of problematic research collaborations since June 2022 that do not comply with the guidance. CLICK HERE to read the letter.

Washington, D.C. — House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA), Subcommittee on Health Chair Brett Guthrie (R-KY), and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA), on behalf of the Health and Oversight Subcommittee Republicans, wrote to Department of Health and Human Services (HHS) Secretary Xavier Becerra.  The letter outlines concerns with the role HHS Office of Civil Rights (OCR) plays—or fails to play—in investigating instances of sexual harassment that occurs at research institutions which receive grants from the National Institutes of Health (NIH).  KEY EXCERPTS :  “There have been several public reports of sexual harassment occurring on NIH-funded research or NIH-supported activities over the last decade, and it raises concerns about what, if any, actions the NIH has taken to resolve these issues. The NIH’s own statistics show a significant problem with more than 300 cases related to sexual or gender harassment since 2018—with about a third of those allegations being substantiated. This also represents hundreds of men and women who may be forced to operate in a hostile or unsafe research environment.”  [...]  “According to the HHS website, OCR does investigate and resolve complaints of sexual harassment in the education and health programs of recipients of grants or other federal financial assistance from HHS—including the NIH. Moreover, HHS OCR is required to conduct periodic compliance reviews of institutional Title IX programs to ensure compliance with the law—including examining the way in which complaints are handled by the institution.”  The Chairs have requested answers to questions about HHS OCR’s role by April 30, 2024.  BACKGROUND :  Based on a recommendation from the U.S. Government Accountability Office (GAO), HHS OCR and the NIH adopted a memorandum of understanding (MOU) to facilitate communication between the two components of HHS as it relates to sexual harassment.   This MOU was intended to clarify procedures on how the enforcement arm of HHS and the grant-making arm share valuable information with one another in an effort to respond appropriately to complaints of sexual harassment and prevent federal grant money from going to those with a history of sexual misconduct.   TIMELINE OF INVESTIGATION :  August 10, 2021 : E&C Republican Leaders Question NIH’s Handling of Sexual Harassment Complaints  August 11, 2022 : E&C Republican Leaders follow up with NIH on Insufficient Response to its Letter on the NIH’s handling of Sexual Harassment  November 30, 2022 : E&C Republicans to NIH: Turn Over Previously Requested Information Ahead of New Congress  March 14, 2023 : E&C Republicans Press NIH for Information on Handling of Sexual Harassment Complaints  October 6, 2023 : E&C Republicans Signal Intent to Issue Subpoenas to Obtain Information on NIH’s Handling of Sexual Harassment if Questions Go Unanswered  January 26, 2024 : Chair Rogers notifies NIH of Imminent Subpoena  February 5, 2024 : Chair Rodgers Subpoenas NIH for Documents Related to Investigation into Sexual Harassment at NIH and NIH Grantee Institutions February 20, 2024: HHS Responds on behalf of NIH to offer a rolling in camera document review to the Committee. Documents produced in the review have been highly redacted, including the redaction of the names of individuals convicted of criminal offenses, public news articles about individuals who have been found guilty of harassment, and redaction of the names of the institutions where the abuse occurred—effectively preventing the Committee from understanding if NIH continues to fund work performed by substantiated abusers at other institutions—a practice known as “pass the harasser.”

Washington D.C. — House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) and Ranking Member Frank Pallone, Jr., (D-NJ), Subcommittee on Health Chair Brett Guthrie (R-KY) and Ranking Member Anna G. Eshoo (D-CA), and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-VA) and Ranking Member Kathy Castor (D-FL) wrote to UnitedHealth Group, Inc., CEO Andrew Witty today seeking information about the cyberattack on Change Healthcare. Change Healthcare, which was acquired by UnitedHealth Group’s Optum subsidiary in 2022, is one of the nation’s largest providers of health care payment management systems. On February 21, UnitedHealth Group reported it had experienced a cyberattack on its platforms, and it had taken all Change Healthcare systems offline to contain the incident. As a result of the outage, critical services affecting patient care—including billing services, claims transmittals, and eligibility verifications—became inoperable. Though UnitedHealth first notified users that it expected the disruption to “last at least through the day,” several of the company’s products have now been inoperable for more than a month. “Change Healthcare is a central player in the country’s health care system, which has been upended by the recent breach,” t he bipartisan Committee leaders wrote to Mr. Witty. “We are interested in your efforts to secure Change Healthcare’s systems since it was acquired by your company and the efforts you are taking to restore system functionality and support patients and providers affected by the attack.” Change Healthcare’s platforms touch an estimated one in three U.S. patient records. Its systems process roughly 15 billion transactions annually, and are linked to approximately 900,000 physicians, 118,000 dentists, 33,000 pharmacies, and 5,500 hospitals nationwide. The breadth of Change Healthcare’s infrastructure all but ensures that the scope of the current disruption, and any disruption in Change Healthcare services, will be extensive. “The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” the Committee leaders wrote. “In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems, and the outreach to the health care community in the aftermath.” As a result of the system outage, providers reportedly struggled to make payroll while some patients have been forced to pay out of pocket for crucial medications including cancer therapy drugs and insulin because pharmacies are unable to verify coverage. The Committee leaders requested answers to a series of detailed questions by April 29, 2024. CLICK HERE to read the full letter.