UnitedHealth Group CEO Andrew Witty is scheduled to be on Capitol Hill Wednesday, responding to lawmakers demanding answers about the company's failed cybersecurity measures and response to the Change Healthcare cyberattack.
Witty plans to testify before the Senate Finance Committee Wednesday morning and the House Energy and Commerce's Subcommittee on Oversight and Investigations in the afternoon. The House committee released Witty’s written testimony ahead of the hearing.
UnitedHealth Group executives were noticeably absent from a hearing about the Change Healthcare cyberattack conducted by the House committee nearly two weeks ago. That same day, executives reported first-quarter earnings and said the incident could cost the company up to $1.6 billion this year.
Here are five things Witty is expected to discuss.
1. The Change Healthcare attack lasted nine days
Witty will confirm media reports that the ransomware group BlackCat, also called ALPHV or Noberus, infiltrated its systems nine days before encrypting them and locking UnitedHealth Group out. He also will offer insight into how the group gained access.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty wrote in his testimony.
The portal did not have multi-factor authentication, making it more vulnerable to a breach. The hackers moved throughout Change Healthcare’s systems and stole data before infecting systems nine days later on Feb. 21.
2. Paying the ransom was a hard decision
UnitedHealth Group confirmed last week it paid an undisclosed ransom. “As chief executive officer, the decision to pay a ransom was mine,” Witty wrote in his remarks. “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
Witty will elaborate on the company's response to the cyberattack, which centered on securing systems and ensuring patients' access to care by offering financial assistance to providers, according to the prepared remarks. The company has worked closely with law enforcement and enlisted help from Google, Microsoft, Cisco, Amazon, Mandiant and Palo Alto Networks.
3. UnitedHealth has advanced $6.5 billion to providers
Witty will acknowledge the challenges smaller and rural providers have faced in meeting payroll and the workarounds pharmacists have developed to process claims. “To all those impacted, let me be very clear: I am deeply sorry,” Witty wrote.
UnitedHealth Group has advanced more than $6.5 billion in payments to thousands of affected providers via its interest-free loan program. Safety-net hospitals and federally qualified health centers have received one-third of the loans, he wrote.
Witty will reiterate what the company said last week — that there is no evidence that doctors’ charts or full medical histories were stolen.
4. UnitedHealth Group is looking for other vulnerabilities
UnitedHealth Group is working to determine potential vulnerabilities across the company and bolster its cybersecurity, Witty wrote. He also is expected to discuss the company’s commitment to sharing information with law enforcement and the public.
“We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever,” he wrote.
5. Healthcare needs stronger cybersecurity investments
Witty will talk about the frequency of attempted attacks against UnitedHealth Group and call for mandatory minimum security standards and stronger notification requirements.
“The Change Healthcare attack demonstrates the growing need to fortify cybersecurity in healthcare,” Witty wrote. “I look forward to working with policymakers and other stakeholders to bring our experience to bear in helping develop strong, practical solutions.”