Senator Mike Crapo | Official U.S. Senate headshot
Senator Mike Crapo | Official U.S. Senate headshot
U.S. Senate Finance Committee Ranking Member Mike Crapo (R-Idaho) delivered remarks at a hearing titled “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.” Crapo addressed the February 21, 2024 cyberattack on UnitedHealth Group's subsidiary, Change Healthcare, which he described as launched by "a suspected nation-state associated cybersecurity threat actor."
In response to the attack, Change Healthcare, the nation's largest health care clearinghouse processing $1.5 trillion in medical claims annually, disconnected all of its systems to prevent further data breach. The fallout from this unprecedented attack affected the entire health care sector, leaving providers unable to verify patients' insurance coverage or process various administrative tasks.
Crapo noted that many providers had to rely on reserves to cover revenue losses resulting from the attack. A survey by the American Hospital Association found that over 90 percent of hospitals were financially impacted by the cyberattack, with more than 70 percent reporting that it directly affected their ability to care for patients.
The Department of Health and Human Services (HHS) released a public statement and guidance related to the incident more than two weeks after it was announced. On March 9, accelerated and advance payments were made available to impacted Medicare providers by the Centers for Medicare and Medicaid Services.
Crapo criticized the administration's delay in response, stating it exacerbated an already uncertain landscape and left providers and patients with reasonable concerns about access to essential medical services.
According to a report by the Federal Bureau of Investigation cited by Crapo, ransomware attacks were more prevalent in the health care sector than any other critical infrastructure sector in 2023. The senator emphasized that personal health care data has become increasingly attractive to cyber criminals seeking information for blackmail or identity theft.
While many of Change Healthcare's functions have resumed since the attack, Crapo stressed that trust in its security needs rebuilding. He concluded his remarks by stating the need for a deeper understanding of how the hackers infiltrated Change Healthcare to help identify and address gaps in existing cybersecurity infrastructure.
Crapo also called for an evaluation of steps taken by UnitedHealth Group in response to the attack, and an assessment of the federal government's response. He emphasized that HHS has a responsibility to serve as a central hub for coordination, convening insights from other branches of government and the private sector to deploy timely information about active threats.