The unprecedented health-care hack that may affect you

Hello, a quick message before we start today's program. We are so grateful to have you as a listener and now we want to learn more about your listening habits and how you think we can be better. We have a new survey we are conducting. for a limited time and we'd love to hear from you, it shouldn't take more than 5 minutes to complete and to do so, go to the washingtonpost.com podcast survey, which is the washingtonpost.com podcast survey. When you're done, you can enter to win. a gift card, some are worth up to $1,000, so if that caught your attention once again, it's the washingtonpost.com podcast survey.

Thank you very much and here is today's program. The finance committee will be put in order this morning. Finance committee examines change in

health

care

. Hack That. Nearly paralyzed our country's

health

care

system 6 weeks ago on Capitol Hill on Wednesday, Senator Ron Wden chatted in a hearing with the head of United Health Group, it is the fourth largest company in the US and in February one of its subsidiaries changed healthcare. was

hack

ed, which is a big problem because Change Healthcare processes more than 40% of medical claims nationwide. Senators like Marsha Blackburn one wanted to know how something like this could happen now that their income is greater than some earl's GDP and how in heaven's name it happened.

You do not have the necessary redundancies to not experience this attack and find yourself so vulnerable. Thanks for the question. It's United Health CEO Andrew Witty. We have deployed the full resources of United Health Group in this effort. I want to assure you. the American public will not rest I will not rest until we fix this the company is still trying to figure out exactly what data was stolen but Woody testified that the personal data of up to a third of Americans could have been compromised my colleague Dan Diamond is a health reporter national for the post and was in this audience.

He says this

unprecedented

hack

is probably just the beginning. This has been the worst cyber attack of its kind so far. There will be worse. It's just inevitable and the fact that healthcare changes. It

affect

ed so many Americans who don't even know it. I'm sure, Martin, that we haven't heard the last of this story which is like a ticking time bomb waiting to go off and in the future there will be a time when a lot of data is leaked, appears and starts to be used for bad things and They will be traced back to this hack in February of the Washington Post newsroom.

This is the publication of reports. I'm Martin Powers, today is Thursday, May 2nd. Dan explains how this attack happened. and what he tells us about the vulnerability of the health care system. So, Dan, I'm going to be honest with you. I'm not a United Healthcare customer, it's not my insurance company, so I remember when the news broke about this hack in February. It was like, oh, that doesn't seem good, but then I moved on and you've been covering this ever since and I think you've been arguing that this cyberattack is a big problem for everyone, can you explain why?

Martine, I think many journalists also overlooked the possible impact, at least initially. I certainly did in part because United Health wasn't trumpeting exactly what happened and it took a few days for more details to come out, but a few days after the Hack the post received a tip from a reader named Marty Baron at Birkar in Massachusetts that people was having the former editor of the Washington that this Marty Baron was in the same uh that was seeing people in his area who were having trouble filling prescriptions. and that helped put the publication in the story in late February or early March, it was clear that large parts of the US healthcare financial system, other operations were paralyzed, the American Hospital Association, others said that It was the worst cyber attack of its kind and when I delved into this.

I spoke to some of the government officials who were trying to coordinate the response and they said they had real fear of a tipping point. The hospital was not getting paid the doctors were not getting paid the largest sector of the American economy Healthcare was going through In a liquidity crisis you could see how it would spread quickly, if all these hospitals, doctors and other providers didn't have money, some would have to close Furlow staff, patients could be turned away, this became a time of financial crisis. A danger to many healthcare organizations and they had a hard time staying open and protecting patients like you like me from knowing how bad it was behind the scenes and Martine.

I want to go back to something you said: United Health Care is not your insurer, nor is it mine, but there is a good chance that your medical data and mine have passed through the United Health Care system, either through insurance processors this subsidiary that was hacked and that processed about half of all medical claims in the United States. or perhaps some other part of the company, the CEO testified before Congress that perhaps a third of Americans could see their private data compromised, so you may have never heard of the subsidiary change. Healthcare, you may not think you are a United Health customer, but there is a good chance that one in three listeners of this podcast has been

affect

ed and thanks to this hack there is sensitive data with their names that could appear on a dark web, which makes a compelling argument as to why I should care about this.

I want to go back for a second and ask you to explain to me what exactly United Health Group is. United Health Group is a company that has been around for approximately 50 years. It began by focusing on HMOS health maintenance organizations in Minnesota, where they are located. based in the Midwest and have slowly been gobbling up different parts of the healthcare sector. They are the fourth largest company in the United States right now. They are generating $400 billion in annual revenue. They have medical offices. They own the largest health insurance company. They own pharmacies, they own home health agencies, the list goes on and they are so big, Martine, that if you divide them into their two main divisions, United Healthcare, the insurance company and opum, which is everything else, both companies would probably be in the Fortune uh 15 Fortune 20 is one of the 20 largest companies in the United States.

Wow, within United Health there is a healthcare subsidiary that they bought a few years ago and this company operates what is like the information superhighway within the healthcare system when doctors, hospitals are filing claims before they get to the company. of insurance that they would go through, change the health, what would clean up the claim, standardize it digitally and then also when the payment can be returned or when the prescriptions are ordered and filled, it was just this. key intermediary who was operating the practical aspects of the health system, so explain to me what happened with the change of health care and this stunt in February.

I'll explain what we know based on public comments and some things I've heard. In private, first, this hack wasn't some Mission Impossible style hack where spy Tom Cruz was hanging from the ceiling using sophisticated equipment to break into a system or it wasn't equipment with quantum computers or genius hackers, this was like The simplest hack possible: someone's credentials were stolen. It could have been as simple as hackers getting a person's username and password and changing Healthcare, the key subsidiary we're talking about here, the part of United Healthcare that didn't have what's known as multi-actor authentication. . to force an additional security check which is kind of like the text message your email might receive when you try to make an online purchase.

Yeah, that seems like a pretty basic part of online security right now is that they send that to you. send a text or whatever when you log in to a site to make sure it's you, yeah it's a pretty simple thing and the fact that the company that handled 50% of all the medical claims and all the medical information confidentiality that flows through them not Not having that in the system, this is what baffled lawmakers in Wednesday's hearings before arriving at the hearings. I just want to understand a little bit more once these hackers got in, what they did, what they prevented.

First it happened well, they slowly moved data out of the system, moved within the change, Healthcare seemingly undetected for nine days, planted ransomware, nine days after it was hacked. That kicked in, that's when United Health found out about the situation, they shut everything down, they shut this down. network and a few days later it became publicly known that these hackers were demanding that Ransom return what had been stolen or at least not make it public for others to find on the dark web. Some of that has already happened, although some of these patients' information has started to appear in places on the Internet that it shouldn't, so the extent of the hack is still unknown and that was something United Health CEO Andrew Witty said about he was pressed again and again about what was taken.

How many Americans are affected? When will this be firmly behind us? United Health has been reassuring, but there are many providers who say they still don't get paid. There are a lot of patients who probably don't know that their data was taken in this United Health hack, so let's dive into these hearings and talk more about what was really revealed there: the fact that this is the first time that the CEO of United Health testified in front of Congress for more than 15 years. It seemed like a very watched audience. Can you describe a little bit what it was like and the general tone and tenor of the executives of this company having to go before Congress to answer for everything that went wrong?

Yes I want. To put some context around that number, Martin on how long it's been since United Health's CEO testified before Congress. I stopped by the Senate Historian's Office a few weeks ago and they helped me figure it out and confirmed that yes, it's been 15 years since this. The company's leader arrived 15 years ago, it was before the Affordable Care Act was passed, it was before United Health made dozens of acquisitions, the company was a quarter of its size. A lot has happened since then and has seen other major companies being summoned to Capitol Hill. or notable figures who, frankly, were less important than United Health have to come and testify.

Listeners might remember Pharma Martinelli's brother, this investor and owner of a pharmaceutical company who raised the price of a drug and that became the focus of Congress, so it's surprising. When you think that this sprawling United Health operation would avoid some scrutiny during those 15 years, the hearings themselves were pretty intense, partly as a result of there being lawmakers who I think had stifled questions for United Health that went well beyond the hack. and there were also protesters correct that there were protesters, there were about a dozen at the first hearing in the morning wearing t-shirts that were anti-United Healthcare and they were prepared to protest as soon as the hearing was over.

The help can't see, so you hear these protesters singing Andrew. clever You can't hide, we can see your greedy side and it was amazing in the room to see them surround the CEO of United Health while other United Health executives were trying to get up and provide a human barrier uh or talk to these protesters to try. to get them out of the way of the ingenious CEO wow. I've seen a lot of heated hearings and there have certainly been some that have been more combative where people tried to interrupt halfway through, but this felt like a Martine moment of almost responsibility where you have this expanding company and the CEO of their practices under scrutiny in Congress and patients angrily shouting in the CEO's face.

Wow, so how did Andrew ingeniously respond to all of this, the protesters, the accusations from legislators and other things that his business? He had really dropped the ball on all of this before the hearing. United Health had been very proud of his response in talking about how the fact that they owned this company that was hacked was better for the US healthcare system because they had so much money they could help. bail out the healthcare system in front of Congress he was much more remorseful apologizing repeatedly. I am very sorry to hear about the situation of the patient who was waiting for his insulin in individual patients when members of Congress were raising the cases of people who may have struggled to get access to health care or doctors who were not paid Senator, thank you very much for the question and let me tell you how sorry I am to hear the kind ofpressure that you just described, it was almost five hours of apologies to everyone. those affected, let me be very clear, I am deeply sorry and the idea also that the United Health subsidiary changed Healthcare did not have this basic multi-actor authentication protection, this email or text message or whatever to verify before logging in .

Senators made a lot of that, uh, Tom Tillis, a Republican from North Carolina, put up a book on hacking for dummies, so it's called hacking for dummies. This 5th edition doesn't include the nature of the offense that you all develop, but these are some basic things that she missed, she is trying to make it clear that you could be a fool and access the system without much of a trick, so that's a shame for AIT internal, external and your system systems. Task F with redundancy, they are not doing their job and Andrew didn't do it. I have a lot of response to that, he mainly blamed it on we bought this company a few years ago, it was their old technology and we're just trying to fix it and how United Health Group responded to this attack and how they did it. witty talk about the steps they took to try to control this after the attack occurred in late February.

United Health began offering financial support to some affected hospitals and doctors. There were significant complaints that this financial support was not sufficient. There were suppliers who needed hundreds of thousands or millions of dollars in invoices to pay. United was offering ,000. $3,000 just wasn't enough to help make ends meet, especially for these medical practices, and then there were also strings attached to some of those funds while, behind the scenes, United Health was negotiating. With these hackers and CEO Andrew Witty said he made the decision to pay a $22 million ransom to the hackers in hopes of trying to resolve these issues as we have responded to this attack, including handling of the ransom demand, my overall priority has been to do everything I can to protect people's personal health information, the decision to pay a ransom was my own, this was one of the most difficult decisions I have ever had to make and not I wish it on no one, since they know that we found files in the exfiltrated archive. data containing protected health information and personally identifiable information that may cover a substantial proportion of individuals in the United States.

What we have seen in the coming weeks of March is that when it comes to hackers who may not fix everything, there is still the threat that despite paying the hackers, some of your data may find a way out and Tell me a little more about the criticisms that lawmakers made about how United Health had responded to all of this, some of it was about how they had provided financial support or not enough. They said Sen. Maggie Hassen, the senator from New Hampshire, had pressured United to make its loans more favorable to these vendors who did not receive payments in the weeks after the February cyberattack on their subsidiary company.

I've heard of New Hampshire hospitals that saw almost all of their revenue disappear overnight. Subsequently, you and I had a number of discussions about the need for United Health to provide financial assistance to hospitals on fair terms, and that also came up a lot at the hearing: What was United Health going to do for the doctors who had to do it? Take personal loans to keep operations running. About half of the doctors had said they dipped into their personal savings. What was United Health going to do for all the patients who were affected by this and had their data stolen and still don't know it?

United Health has said they will offer free credit monitoring, but Senator Ron Weiden said that just like with mass shootings and thoughts and prayers, because I think Mr. Ingenious credit monitoring is the thoughts and prayers of violations of data, this is absolutely inefficient, it is cold comfort. wasn't enough, so those were some of the things around the hack that were focused on and then there was a lot more beyond the hack, just about the broader consolidation of United Health that also came under fire after the hiatus. I asked Dan what can be done to prevent future attacks.

So, we'll be right back for Dan to tell me more about how these Capitol hearings opened the floodgates for other criticism of this company that has so much control over our healthcare system. I think Martin brought the cyber attack. Up to this point United Health hadn't been on the hill in 15 years, these hearings wouldn't have happened if Change Healthcare hadn't been hacked, but it opened the door to a lot of important questions about United Health and how it bills patients. and if you deny too much attention to how you bill the federal government and if you inflate those bills, how you're buying up other parts of the health care system and if that creates conflicts of interest and there were some lawmakers who really focused on that Senator Elizabeth Warren, uh , the Massachusetts Democrat, other lawmakers also had the question: United, are you too big for the security of our country and what would you like to see changed if you think this company is maybe a monopoly?

You know, I went for a walk with Senator Warren. a couple of weeks ago and focused on United's acquisition of doctors. Do you feel United has an unusual influence? Unusually strong operation. That helps protect them. They're strong because they're so damn big. One in 10 doctors in the United States has been. sucked into the optim system uh, most patients probably don't know that their doctors are working for a giant corporation bent on maximizing profits instead of working for themselves or a local practice they own as contract affiliates with about 990,000 or 100,000 doctors, this is insurance. company and the question is if the insurance company also owns and operates the doctors is that it creates a conflict of interest where, as Senator Warren maintains, doctors may have more time rationed, patients do not get the experience they would have If there was an independent doctor working with them, United Health suffers from conflicts of interest that harm patient care and some of these legislators want the company to dissolve.

I don't think Congress necessarily has that power, but they certainly could push legislation that would do that. It is much more difficult for United Health to own and operate different parts of the health system as they do. Given all of this, what do these questions and criticisms mean for the future of United Health and the future of all of us whose health information U or uh whose? health information intersects with this company or who is affected by this, it's worth noting, Martine, that even as Congress was grilling the CEO of United Health, regulators in other parts of the federal government are also looking at United Health, the justice department is currently testing whether United Health is filing an antitrust concern, so there could be other shoes to fall in DC that would make it harder for United Health to be the expanding Goliath that it is, but I think going into the future it was an open question for me whether the hearings were the end or the beginning. and what I mean by that is that at the end of two months of anger building up to these hearings where lawmakers can vent on United Health or it's the start of more oversight, it's much easier to have a hearing where lawmakers can yell at a CEO, then it's doing the work of drafting the legislation, getting your colleagues on board, and getting it passed in a divided Congress while lobbyists try to kill your bill.

Lawmakers say they are committed to more oversight here. Kathy McMorris Rogers, who runs the chamber. committee that oversaw yesterday's hearing she told me this is the beginning of our process, we will do more, but if there is really an appetite to do that and time to do it in an election year, I don't think we know yet, interesting um One question more before we finish and I want to go back to where we started, which is thinking about the threats of these types of attacks happening in the future. How concerned should we be at work as consumers? um, concerned about the healthcare industry's cybersecurity risks.

Healthcare has been repeatedly attacked by hackers in recent years, up around 300% in terms of attacks in recent years and that's because, first of all, these are organizations that have a lot of tempting targets, they have the data they have. our personal information or financial information, things that if hackers steal it they can use it for all kinds of nefarious acts. There's also the fact that some of these organizations, like in the case of the change, healthcare might not be as well protected, they're not the banks. that have spikes all over the outside protecting the data on the inside, there is the system like the change Healthcare that has the underbelly that hackers are looking for just to find their way in, hopefully there won't be many more and hopefully this episode is putting out a red flag about the problem of hackers finding these doors open and breaking in, but will continue Dan, thank you so much for explaining all of this Martine, thank you for inviting me to help solve it Dan Diamond is a national health reporter for the Post Before Vaya, you've heard us cover the latest on the numerous anti-war protests on college campuses and today we have more updates from across the country.

Law enforcement is stepping up its response today, just before Dawn at UCLA, police raided the pro-Palestinian camp there. They pushed over barricades, appeared to deploy stun grenades and leveled tents, which came after police stopped a protester who had been occupying a campus building in Columbia on Tuesday and in Dartmouth on Wednesday. 90 protesters were arrested. The protest violated University rules prohibiting camping. Dartmouth's president issued a statement today regarding those arrests. He said that, quoting last night, people felt so strongly about their beliefs that they were willing to face discipline and arrest, while there is bravery in that part of choosing to participate in the journey is not only recognizing but accepting that actions have consequences that's all to post reports thank you so much for listening and again don't forget to take our listener survey which you can find on Washington post.com SLP Podcast Survey Today's show was produced by Alana Gordon and was mixed by Shan Carter and edited by Lucy Perkins thank you also Steven Smith.

I'm Martin Powers. We'll be back tomorrow with more stories from the Washington Post.