UnitedHealth Group CEO Andrew Witty on Wednesday blamed outdated technology for a hack that likely exposed the health care information of millions of people and crippled claims processing for thousands of providers for several weeks.

During an appearance at a Senate Finance Committee hearing — his first before lawmakers since the Change Healthcare hack in February — Witty noted that UnitedHealth Group acquired Change Healthcare in 2022 and was still in the process of upgrading and modernizing its dated technology when the attack happened.

Senators didn’t buy that explanation. Finance Chair Ron Wyden, D-Ore., accused UnitedHealth Group of failing its customers by not employing widely recommended cybersecurity practices, like multifactor authentication, which requires users to log into systems with more information than just a password. 

“I think your company, on your watch, let the country down,” Wyden said. “This hack could have been stopped with cybersecurity 101.”

UnitedHealth Group discovered the attack in late February and took systems offline to prevent malware from spreading. That resulted in thousands of providers being unable to receive payments for claims that are processed by Change Healthcare. Witty also said Wednesday he personally made the decision to pay a $22 million ransom to the hackers. 

Witty said Change Healthcare “unfortunately and frustratingly” did not yet have multifactor authentication on its servers despite it being a company-wide requirement at UnitedHealth Group.

“We’re trying to dig through exactly why that server had not been protected by multifactor authentication,” he said. “I’m as frustrated as anybody about that fact.”

And because of the “age of the technology,” backup systems — called “redundancies” — that were intended to mitigate the impact of an attack were also compromised, Witty said. 

“Multifactor authentication is vital for prevention, but redundancies… help the company get back on its feet,” Wyden said. “This company flunked both.”

Witty said that as of Wednesday, all external-facing systems have multifactor authentication. It has also hired third parties to review its technology to ensure it is secure against attacks.

“This was some basic stuff that was missed,” said Sen. Thom Tillis, R-N.C., waving a copy of a book titled “Hacking for Dummies.”

Wednesday marked the first time Witty publicly answered questions about the attack. Later, Witty appeared before the House Energy and Commerce Subcommittee on Oversight and Investigations.

The long-term consequences and fallout are still largely unknown, with Witty saying the hack could potentially impact a “substantial proportion” of Americans, though what type of information was obtained is still unclear. 

Files obtained by the hackers contained protected health information and personally identifiable information, but there is no evidence yet doctor’s charts or full medical histories were stolen, Witty said.

Witty said he expects UnitedHealth to notify impacted patients within the “next several weeks.”

“We want to try and avoid piecemeal communication and it’s our top priority to get this done just as fast as possible,” he said.

Still, senators pressed Witty to act more quickly.

“Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals on the dark web,” said Sen. Maggie Hassan, D-N.H. Witty said UnitedHealth Group is offering two years of free credit monitoring to potentially impacted patients.

Continued backlogs

While Witty said claims processing is mostly back to normal, that assertion was challenged by senators who said they are still getting complaints from providers in their states.

“There is a backlog that many of our providers and hospitals have from nine weeks of not being able to get in and make these claims,” said Sen. Marsha Blackburn, R-Tenn.

Witty said that while UnitedHealth is processing payments instantly, other insurers may not pay until 30 days after a claim has been received.

“That would explain why you’re continuing to see that delay,” Witty said, noting providers can still apply for interest-free loans from UnitedHealth that don’t need to be paid back until their cash flows are back to normal.

The attack — considered the largest to hit the U.S. health care industry — has spurred calls for Congress and the Biden administration to implement tougher cybersecurity requirements. 

Wyden has said Congress needs to pass minimum cybersecurity requirements for the health care sector. Wyden also said federal agencies need to fast-track new cybersecurity rules for Americans’ private medical records.

“We’re making a huge mistake by not having federal rules of the road on data privacy and data breaches and how these enterprises have to mitigate these things,” Tillis said. “We really got to work on it because now we’ve got a patchwork of over a dozen states that are doing it differently.”

On Wednesday afternoon, the Energy and Commerce Oversight and Investigations Subcommittee covered similar ground but focused particularly on UnitedHealth Group’s large footprint in the health care sector due to decades of acquisitions. 

Members questioned whether UnitedHealth Group was taking advantage of the attack’s negative financial impacts on providers to acquire more practices. 

Witty replied that the company has only acquired one practice in Oregon — an acquisition that was initiated before the attack. 

Still, Rep. Earl L. “Buddy” Carter, R-Ga., railed against the company’s use of vertical integration, in which it has acquired physician practices, pharmacy benefit managers and other players in the health care system.

“Let me assure you that I’m going to continue to work to bust this up,” Carter said. “This vertical integration that exists in health care in general has got to end.” 

Several members also took the opportunity to chide United Healthcare’s use of prior authorization, which Witty said resumed for its Medicare Advantage plans April 15. 

The company should “carefully review how that prior authorization” has affected patient outcomes, said Rep. John Joyce, R-Pa.