The top Democrat on the House Oversight and Accountability Committee wants UnitedHealth Group CEO Andrew Witty to explain his company's actions in the weeks since the Change Healthcare cyberattack that continues to disrupt healthcare operations.
Rep. Jamie Raskin (D-Md.), in the perhaps the most pointed congressional inquiry so far to the Feb. 21 ransomware attack, sent a letter to Witty on Monday seeking information on subjects ranging from how the company is aiding providers suffering cash flow problems to how forthright UnitedHealth Group has been with federal agencies. Change Healthcare is a unit of UnitedHealth Group subsidiary Optum.
Related: 5 weeks of uncertainty: How the Change breach has unfolded
The impact of the Change Healthcare outage has been enormous because of the company's reach. According to data Raskin cites in his letter, Change Healthcare is connected to 90% of hospitals, 80% of health insurers and more than 67,000 pharmacies.
Raskin seeks a detailed accounting of the Change Healthcare cyberattack and the company's activities since, including what it has done to assist affected healthcare providers.
"Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted. We are working with law enforcement to investigate the extent of impacted data," a UnitedHealth Group spokesperson wrote in an email Monday. Raskin gave Witty until April 8 to reply to his letter.
Raskin asks when and how Change Healthcare notified clients and customers; what specific systems were impacted, the types of data affected and whether that includes personally identifiable information; how much personally identifiable information was related to Medicare, Medicaid and TRICARE; how the company is coordinating with the Health and Human Services Department, the FBI and the Homeland Security Department's Cybersecurity and Infrastructure Security Agency; and when, why and how long affected systems were disconnected in response to the attack.
Raskin suggests Witty and UnitedHealth Group have not been sufficiently forthcoming to federal authorities about the attack and its fallout. "The committee is concerned that UnitedHealth Group is restricting the ability of federal agencies to provide applicable assistance to Change Healthcare," he wrote.
The Cybersecurity and Infrastructure Security Agency reported to the committee March 13 that it is “handcuffed in this instance because of the lack of transparency and lack of information flowing into us" from UnitedHealth Group, Raskin wrote.
The lawmaker also asks whether the company was aware of or did anything to respond to a Dec. 19 federal cybersecurity alert about the ransomware group BlackCat, also called ALPHV or Noberus, that allegedly committed the Change Healthcare breach.
Oversight and Accountability Committee Chair James Comer (R-Ky.) did not sign Raskin's letter and his office did not provide comment. Comer began an investigation into possible anticompetitive practices by OptumRx, UnitedHealth Group's pharmacy benefit manager, last year.
Senate Finance Committee Chair Ron Wyden (D-Ore.) aims to call Witty before his panel for a hearing expected to occur April 30. Rep. Brett Guthrie (R-Ky.), who chairs the House Energy and Commerce Committee's health subcommittee, is mulling hearings and legislation. HHS opened its own probe March 13.
Sen. Maggie Hassan (D-N.H.) pressured Witty directly in a March 12 letter focused on assistance programs for providers.
"As this weeks-long disruption continues, many providers are approaching a financial cliff that could endanger the availability of care," she wrote. Hassan is a member of the Finance Committee, which has legislative and oversight authority over much of the healthcare system.
Since the Change Healthcare attack, lawmakers such as Senate Majority Leader Chuck Schumer (D-N.Y.) have primarily focused on pressuring HHS to intensify its efforts to aid providers through advance Medicare and Medicaid payments and to persuade health insurance companies to follow suit.
On Friday, Senate Intelligence Committee Chair Mark Warner (D-Va.), who also sits on the Finance Committee, introduced the first bill connected to the Change Healthcare breach. Warner's measure would facilitate federal aid to providers affected by cyberattacks, but would condition assistance on providers and vendors meeting cybersecurity standards dictated by HHS. This proposal aligns with a policy in President Joe Biden's fiscal 2025 budget plan.