51˶

Lawmakers Take Up Fallout From Change Healthcare Cyberattack

— Health sector likely to remain an "attractive target," says congressman

Last Updated April 17, 2024
MedpageToday
 A photo of Adam Bruggeman, MD speaking during this hearing.

Over $1,000 for diabetes test strips? That's what one patient was told he would have to pay during the Change Healthcare cyberattack earlier this year, a lawmaker said at a House Energy & Commerce Health Subcommittee on Tuesday.

"This left him with the impossible choice of trying to come up with the money to pay for these strips, or potentially face life-threatening complications from his inability to test his blood sugar," said Rep. Frank Pallone (D-N.J.), the ranking member of the full committee.

During the hearing, House lawmakers questioned expert witnesses about the February 21 cyberattack, which dragged on for weeks, and discussed potential ways to prevent future attacks like it.

Change Healthcare, a subsidiary of UnitedHealth Group, is the largest clearinghouse for medical claims in the country, reviewing some 15 billion medical claims annually. As a result of the attack, Change Healthcare took three of its key systems offline: claims processing, payment and billing, and eligibility verifications.

Witness John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, noted that the "ransomware blast radius" was far reaching.

For instance, subcommittee chair Rep. Brett Guthrie (R-Ky.) reported that one of his constituents -- an independent provider in Bowling Green, Kentucky -- said they lost staff because of an inability to make payroll. And Rep. Kim Schrier, MD (D-Wash.), said a small rural hospital in her district, Kittitas Valley Healthcare, has still only recouped 50% of its March receipts.

It's "critical that we take whatever action is necessary to reduce the risk to our healthcare systems from cyberattacks," said Pallone, noting that the healthcare sector is likely to remain an "attractive target."

Risks of Consolidation

During his opening remarks, Pallone said that no one anticipated that patient access to care and the financial stability of so many providers could be hurt by "one single point of failure," and questioned if the consolidation of health technology companies might pose "unreasonable risks" to the healthcare system. UnitedHealth bought Change Healthcare . The Department of Justice (DOJ) attempted to stop the acquisition, but a federal . The DOJ of the ruling in 2023.

Rep. Larry Bucshon, MD (R-Ind.), also suggested that Congress and the Federal Trade Commission look more closely at healthcare consolidation and integration. "The massive vertical integration in our system ... is not in the best interest of American people," he said.

Greg Garcia, executive director for cybersecurity for the Healthcare and Public Health Sector Coordinating Council, said one recommendation of his council is that any future mergers in the healthcare sector take into account antitrust considerations, such as market concentration, competition, and "the potential for there becoming a single point of failure of either low redundancy or no redundancy that could cause a catastrophic cyberattack."

"If that finding is positive, then that should be very seriously taken into consideration as to whether to approve a merger or some kind of consolidation that could increase cyber risk," Garcia said.

The Blame Game

Rep. Michael Burgess, MD (R-Texas), said what bothered him about the cybersecurity attack was the tendency to blame the victim.

Speaking to witness Adam Bruggeman, MD, an orthopedic surgeon at the Texas Spine Center in San Antonio, Burgess said, "You are the victim in this. This is not your fault. You did not leave the data out on the sidewalk for someone to drift by and pick it up like it was an abandoned wallet."

"You were attacked," Burgess said "The government should be helping you with that. Change Healthcare should be helping you with that."

Burgess asked Bruggeman if Change Healthcare had made any effort to look at a practice's past history of payments, and pre-pay them what they would have typically billed, in order to help those practices stay afloat.

Bruggeman said a fund was established to help practices cope with the "cash crunch," but there were still challenges.

Change Healthcare had visibility into UnitedHealth's claims, but not into Blue Cross, Aetna, or Cigna, for example, and due to the fragmentation of these systems, "there was an inability to provide the right amount of money," Bruggeman said.

He noted that, according to stories that he read online, some practices received "hundreds of thousands of dollars less than what their actual cost was to run their practice and what they were billing."

Asked if it was possible to predict these kinds of incidents and reduce the impact on physicians going forward, Bruggeman said it will be important to study and track the data to identify ways to protect physicians and small rural hospitals.

Garcia pushed back on the idea that physicians were victims of these attacks. He said he agreed that third-party technologies can introduce new vulnerabilities, but that health systems bear some responsibility for assessing third-party services and providers.

"You need to know what you're buying and who you're letting into your network," he said. "Yes, [health systems] are the victim, but if we live in a bad neighborhood, we don't leave our doors unlocked and our windows open."

"And the internet is a bad neighborhood," Garcia added.

Playing Offense

Later in the hearing, Rep. Ann McLane Kuster (D-N.H.) asked what steps Congress should take to support hospitals, and in particular rural and safety net hospitals from cyberattacks.

Riggi said the American Hospital Association had worked with UnitedHealth to "loosen up the funds" and contract terms to allow advanced accelerated payments to flow through to hospitals that need them. The group also lobbied the Centers for Medicare & Medicaid Services to provide advanced and accelerated payments, which he said "came late" but are being provided.

"Ultimately, we are strongly suggesting that hospitals do what they can reasonably and financially to enhance their cybersecurity defenses," he said, while recognizing that hospitals are not cybersecurity companies.

"Job one is to take care of patients and save lives," said Riggi. "We have to do what we can, but we need resources from the government."

"This is not purely a defensive issue," he added. "We need to encourage offensive operations by the U.S. government against these foreign hackers to degrade their capability to attack us."

Separately, Rep. Anna Eshoo (D-Calif.), the ranking member of the subcommittee, asked whether the $1.3 billion in the Biden administration's budget proposal was sufficient to address such attacks.

Riggi said that it was "woefully insufficient" given the 6,000 hospitals that would utilize the funds.

Lastly, Rep. Cathy McMorris Rodgers (R-Wash.), chair of the full Energy & Commerce Committee, said she was "disappointed" that UnitedHealth did not make a witness available for the hearing, although a UnitedHealth representative told committee members that the company has committed to testify at a future hearing.

  • author['full_name']

    Shannon Firth has been reporting on health policy as 51˶'s Washington correspondent since 2014. She is also a member of the site's Enterprise & Investigative Reporting team.