As healthcare professionals across the United States drown under financial and mental health distress, federal lawmakers complicit in Managed Care's practices scold UnitedHealth Group publicly
Class action lawsuits against Minnesota's previously untouchable darling are mounting as UnitedHealth stock soars despite the harm to medical professionals and patients
(Andrew Witty, CEO of UnitedHealth Group.)
UnitedHealth Group Stock Soars as Investors Count on Purges, Cuts & Increased Denials in 2024 Q2
UnitedHealth Group drew the ire of federal lawmakers during the first hearing on the fallout surrounding the unprecedented cyberattack on Change Healthcare in late February.
Individuals representing the American Hospital Association, private cybersecurity groups and providers testified before members of the House Energy and Commerce Committee on April 16 to discuss the healthcare industry's response to the attack and how the federal government should act.
"It has been reported that UnitedHealth has exploited this crisis in order to acquire health practices that are in urgent need of revenue just to keep their doors open," Rep. John Joyce, MD, said during the hearing. "While patients and physicians are still struggling, UnitedHealth's day-to-day operations have continued. This underscores that while Change Healthcare was a target of this ransomware attack, ultimately the patients and the physicians were and continue to be the real victims."
No individuals representing UnitedHealth Group or its subsidiaries attended the hearing, but lawmakers said the company had previously briefed the committee; the Senate Finance Committee is planning a hearing with CEO Andrew Witty on April 30. Rep. Annie Kuster suggested that UnitedHealth be subpoenaed to testify.
"The attack shows how UnitedHealth's anti-competitive practices present a national security risk because its operations now extend through every point of our healthcare system," Rep. Anna Eshoo of California said. "This really deserves a strong response by the Congress — the outrageousness of this."
Optum first reported "enterprisewide connectivity" issues on Feb. 21, which quickly led to widespread claims processing delays for hospitals, insurers, pharmacies and medical groups nationwide. UnitedHealth said Change was hit by the BlackCat ransomware group, which claims to have stolen 6 terabytes of data, including medical records and Social Security numbers.
In March, the cybercriminal organization received $22 million in bitcoins, though UnitedHealth Group has not addressed whether the company paid the ransom. On April 15, ransomware group RansomHub posted files on its dark web leak site comprising personal and protected health information on patients whose data was taken in the hack. The files also include contracts and agreements between Change and its clients, marking the first time hackers have posted data from the attack.
The AHA found that about 94% of hospitals have felt a financial impact from the attack, and more than half have reported a "significant or serious" impact. Seventy-four percent of hospitals have reported a direct effect on patient care. Optum introduced a temporary funding assistance program for providers struggling with cash flow after the attack. To date, the company has provided more than $6 billion in advance payments to providers.
During the House committee hearing, experts stressed the need for more long-term federal cybersecurity investments within the healthcare sector, a mapping of the nation's healthcare infrastructure, and a more comprehensive federal incident response plan for similar attacks in the future. Experts agreed that President Joe Biden's proposed $7.3 trillion budget — which includes an $800 million investment in hospital cybersecurity protections — is "woefully insufficient," though a good place to start.
Both Republican and Democratic lawmakers pointed to the hack as an example of what they said are the harms caused by vertical integration and industry consolidation. Those testifying recommended that future reviews of healthcare mergers and acquisitions by federal regulators involve cybersecurity considerations. UnitedHealth purchased Change in 2022 following a failed antitrust challenge by the Justice Department.
"The FTC has failed the American people by allowing vertical integration to happen, and it needs to be busted up," Rep. Buddy Carter said.
"We have got to do a better job here," Rep. Larry Bucshon, MD, said. "I do think that vertical integration in our healthcare system, [which is] supposed to save money, is actually going the other direction."
In March, HHS launched an investigation into UnitedHealth and Change over the cyberattack within the context of HIPAA compliance. Unrelated to the attack, the Justice Department has also begun an antitrust investigation into UnitedHealth, The Wall Street Journal reported Feb. 27.
UnitedHealth Group posted a $1.4 billion net loss in the first quarter of 2024 following the sale of its Brazil operations and the cyberattack. Despite the losses, the company beat investor expectations and shares rose 5.2% to almost $469, the WSJ reported.
"Without UnitedHealth Group owning Change Healthcare, this attack likely would still have happened," Mr. Witty told investors April 16. "It would have left Change Healthcare, I think, extremely challenged to come back. Because it is a part of UnitedHealth Group, we've been able to bring it back. We're going to bring it back much stronger than it was before."
UnitedHealth estimates a full-year business disruption of between $0.30 and $0.40 per share. In total, the attack had an $872 million impact on the company in the first quarter, which is expected to rise to as much as $1.6 billion for the full year.
Patient Data and Private Medical Records Exposure
Hackers leaked contracts and patient records purportedly stolen in the Change Healthcare cyberattack, TechCrunch reported April 15.
Ransomware group RansomHub posted files on its dark web leak site April 15 comprising personal and protected health information on patients whose data was taken in the Change hack, according to the story. The files also include contracts and agreements between Change and its clients. It marked the first time hackers have posted data from the cyberattack.
RansomHub claims to have 4 terabytes of data pilfered from the UnitedHealth Group subsidiary and is demanding an undisclosed amount of money in return for not selling the information — despite Change Healthcare reportedly already having paid another cybercriminal gang $22 million in ransom. Change took IT systems offline after the cyberattack Feb. 21, leading to widespread claims processing delays across the U.S.
"We are working with law enforcement and outside experts to investigate claims posted online to understand the extent of potentially impacted data," a Change Healthcare spokesperson emailed Becker's. "Our investigation remains active and ongoing."
Cybersecurity experts say the "double extortion" attempt shows the danger of forking over ransom to hackers. Change Healthcare reportedly paid off the BlackCat/ALPHV ransomware group, but that gang disappeared, stiffing the affiliate that helped pull off the hack and still had the data.
"The payment of a ransom doesn't guarantee the cybercriminal will decrypt a victim's files or reinstate access to their systems," Darren Guccione, co-founder and CEO of cybersecurity firm Keeper Security, emailed in a statement to Becker's. "They are criminals and, as such, they cannot be trusted."
Meanwhile
Behavioral telehealth company Cerebral will pay over $7 million of a $15 million settlement to resolve an investigation by the Federal Trade Commission into its privacy practices.
Under a proposed settlement, the company will pay $5.1 million to provide refunds to customers, and a $10 million civil penalty. Cerebral is unable to pay the full $10 million, so the agency will suspend the payment after it pays $2 million.
In an April 15 news release, the FTC said Cerebral failed to disclose how it distributed members' data to third-party platforms and did not provide members with a straightforward way to cancel their subscriptions.
The FTC alleges that Cerebral provided sensitive health information from over 3 million members to LinkedIn, TikTok, Snapchat and other parties by embedding tracking in the site. Cerebral also failed to secure customers' health data in several ways, the FTC alleged: using unsafe marketing practices, allowing former employees to access protected data and using insecure access methods.
As part of the proposed settlement, the company will be prohibited from using personal or health information for marketing purposes.
"Cerebral violated its customers' privacy by revealing their most sensitive mental health conditions across the Internet and in the mail," FTC Chair Lina Khan said in the news release. "To address this betrayal, the Commission is ordering a first-of-its-kind prohibition that bans Cerebral from using any health information for most advertising purposes."
The FTC is also investigating former Cerebral CEO Kyle Robertson. The agency alleges Mr. Robertson directed the company's data security practices and instructed staff to remove buttons that made it easier to cancel services. The settlement does not resolve allegations against Mr. Robertson, which will be settled in court, according to the FTC. The former CEO left the company in 2022.
In a statement, Cerebral said it has "agreed to implement enhanced consumer protection, privacy, and compliance measures to further protect the personal information of our clients, increase transparency into our data practices, and implement enhanced data security protocols and tools to allow our clients control over their privacy settings."
"The settlement allows Cerebral to move forward with a continued focus on our mission of building a new era of mental healthcare with a safe and secure platform for our clients. We look forward to continuing to be a trusted provider of high-quality mental health care to all those who need it most," the company said.