WASHINGTON – Today, just weeks after Sen. Chuck Grassley (R-Iowa) pressed agencies to address their cybersecurity vulnerabilities, the Senate Finance Committee held a hearing on the February 2024 cyberattack on Change Healthcare and its industry-wide effects. Grassley’s discussion with Andrew Witty, CEO of Change Healthcare’s parent company, underscored the need to beef up public-private defenses against ransomware and better safeguard the management, storage and privacy of Americans’ health care data.

VIDEO

Read Grassley’s questions of Mr. Witty below. Click the links to skip to corresponding video.

Investigation into Cybersecurity of Critical Infrastructure

  • What’s UnitedHealth Group’s relationship with the Department of Health and Human Services (HHS) and other government agencies as it relates to the cybersecurity of the health care industry?
  • How have HHS and the Cybersecurity & Infrastructure Security Agency worked with your company in the aftermath of this cybersecurity failure?
  • Does UnitedHealth Group use legacy IT systems that need to be updated? If so, what’s being done to update them? 
  • Has UnitedHealth Group taken every available action to immediately remove memory safety risks in its IT and software?

UnitedHealth Group’s Patient Data Management

  • How does Change Healthcare manage and store patient data?
  • Where is the data stored? By a third party?
  • At any point through processing, coding and storing, is patient data ever sent overseas?

Future Preparedness amid Cyber Risks

  • According to the FBI, there were 249 ransomware attacks against the health care industry in 2023. Has UnitedHealth Group experienced another cyber-attack since February 21?
  • Do you feel like your company is prepared for another cyberattack?

-30-