american enterprise institute live coverage begins at 11 a.m. eastern on c-span2, she spent now a free mobile video app or online at c-span.org. >> c-span is unfiltered view of government. we are funded by these television companies and more including comcast. >> are you thinking this is just a community center? is when more than that. >> comcast is partnering with 1000 committed centrist tigray wi-fi enabled lift zones so students can get the tools they need to be ready for anything. >> comct supports c-span is a public service along with these other television providers giving you a front row seat to democracy. >> andrew witty testified before the senate finance committee about the impact of recent cyber attack on change healthcare s of city of unitedhealth group that

disrupted the payment and claims process for providers. he apologized for the chaos resulting from the cyber attack. this is about two hours and 15 minutes. >> in 20 [inaudible conversations] [inaudible conversations] >> finance committee will come to order. this morning the finance committee examined the change healthcare hack that nearly brought our country's healthcare system to a standstill six weeks ago. joining the committee is andrew witty, the ceo of unitedhealth group, which owns change healthcare. i'll put things in perspective. last year, uhg generated $324 billion in revenue, making it the 5th largest company in the country. overall, the company touches 152 million individuals across all

lines of business, insurance, physician practice, home health, and pharmacy. with its profits, uhg has purchased dozens of other health care companies and is the largest purchaser of physician practices. this corporation is a health care leviathan. i believe the bigger the company, the bigger the responsibility to protect its systems from hackers. uhg was a big target long before it was hacked. the fbi says that the health care industry is the number one target of ransomware. it's obvious why. change healthcare processes roughly 15 billion health care transactions annually, and a third of americans' patient records pass through its digital doors. change specializes in moving patient data from doctor's office to doctor's office, or to and from your insurance company.

that means medical bills that are chock full of sensitive diagnoses, treatments, and medical histories that reveal everything from to abortions to mental health disorders to diagnosis of cancer to sexually transmitted infections. military personnel are included in this data. leaving this sensitive patient information vulnerable to hackers, whether criminals or a foreign government, is a clear national security threat. i don't think it's a stretch the impact here rivals the 2015 hack of government personnel data from the office of personnel management, which the fbi called a treasure trove of counterintelligence information for foreign intelligence services.

uhg has not revealed how many patients' private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack. the failures of ceos like mr. witty, who months in can't figure out how many people have had their data stolen,n, validae the fbi's warning. in the wake of the hack, united essentially disconnected change from the rest of the health care system. it took weeks for change to get back online, leaving health care providers in a state of financial bedlam. doctors and hospitals went weeks delivering services but without getting paid. insurance companies couldn't reimburse providers. even today, key functions supporting plans and providers, including sending receiptss for services that have been paid and the ability to reimburse

patients for their out of pocket costs, are not back up and running. small providers, particularly mental health providers, have been left holding thero bag, stuffing envelopes with paper claims, and unable to get straight answers on how long the outage will last. and patients are bearing the brunt of it. prescriptions went unfilled, patients were stuck at the hospital longer than needed, and americans are still in the dark about how much of their sensitive information was stolen. the credit-monitoring service united offered these patients is cold comfort. the change healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in american history. it is exhibit a for my case that

tough cybersecurity standards are necessary to protect critical infrastructure, and patients, in this country. hhs does not require health care providers, payers or health care clearinghouses like change to meet minimum cybersecurity standards, unlikeet industries regulated by other federal agencies. meeting a baseline of essential cybersecurity standards is a must, but is meaningless without equally strong enforcement. hhs has not conducted a proactive cybersecurity audit in seven years. as it stands, if a company does not comply with existing cybersecurity regulations, the fines amount to nothing more than a slap on the wrist. federal agencies need to fast track new cybersecurity rules p for americans' private medical records and congress needs to watchdog this every day to make sure everything possible is done to protect patient data.

finally, the change hack is a dire warning about the consequences of too big to fail mega-corporations gobbling up larger and larger shares of the health care system. it is long past time to do aa comprehensive scrub of uhg's anti-competitive practices, which likely prolonged the fallout from this hack. for example, change healthcare's exclusive contracts prevented more than one third of providers from switching clearinghouses, even though change's systems were down for weeks. accountability for change healthcare's failure starts at the top. before this hearing, i asked the company which members of its board have cybersecurity expertise. uhg pointed to ncaa president charlie baker, who signed some technology-related legislation into law years ago when he was governor of massachusetts.

mr. baker is certainly an expert on basketball, but uhg needs an actual cybersecurity expert on its board. mr. witty owes americans an explanation for how a company of uhg's size and importance failed to have multi-factor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems. i'm hopeful that today's hearing can mark the beginning of the finance committee's work to make meaningful improvements in america's cybersecurity on a bipartisan basis. i encourage all members to focus on the subject at hand. that is because this is so important, so vital there's much to discuss. senator crapo. >> thank you, mr. chairman. appreciate your holding this

hearing today. and thank you, mr. witty, for being here with us. on february 21, 2024, unitedhealth group learned that its subsidiary, change healthcare, was likely the victim of a cyberattack launched by a suspected nation-state associated cyber security threat actor. in response, change, the nation's largest health care clearinghouse, which processes $1.5 trillion in medical claims annually, disconnected all of its systems to prevent the hackers from obtaining additional data. the fallout from this unprecedented attack has affected the entire health care sector. by crippling change's functionality, the hackers left providers unable to verify patients' insurancece coverage, submit claims and receive payments, exchange clinical records, generate cost estimates and bills, or process prior authorization requests. in the immediate aftermath of the attack, many providers had

to rely on reserves to cover the resulting revenue losses. an american hospital association survey found that more than 90% of hospitals were financially impacted by the cyberattack, with more than 70% reporting that the outage had directly affected their ability to care for patients. more than two weeks after the cyberattack was announced, the department of health and human services released a publicc statement and guidance related to the incident. on march 9, the centers for medicare and medicaid services made accelerated and advanceme payments available to impacted medicare providers. the administration's delay exacerbated an already uncertain landscape, leaving providers and patients with reasonable concerns about access toto essential medical services and life-saving drugs. while the february hack on oh change was by far the most disruptive cyberattack on the health care industry to date, it

was certainly not the first. according to a report by the federal bureau of investigation, the health care sector experienced more ransomware attacks than any other critical infrastructure sector in 2023. in addition to the processing and revenue issues experienced by providers, patients' private identification and health care information was obtained by malicious actors during the breach. unfortunately, personal health care data has become d increasingly attractive to cyber criminals, who seek to use that information for blackmail or identity theft. for patients, the emotional and financial effects of leaked private information can have a devastating impact for years. although many of change's functions have now resumed, trust in the security of its platforms needs to bee rebuilt. we owe it to american patientswe and to our frontline health f ce

providers, from health systems to clinicians and community pharmacies, to ensure that this does not, and cannot, happen again. today's hearing offers a valuable opportunity to learn from united's experience so we can better protect against, and quickly react to, future cyberattacks. gaining a deeper understanding of how the hackers infiltrated change will help identify and address gaps in our existing cybersecurity infrastructure. evaluating steps taken by united in response to the attack, from disconnecting its platforms to notifying law enforcement, will offer lessons on how to build a more resilient and collaborative health care system moving forward. we must also assess the response of the federal government, which plays a critical role inca these efforts. hhs has a responsibility to serve as a central hub for coordination, convening insights

from other branches of government and the private sector to deploy timely information about active threats, as well as best practices to deter intrusions and resources should an attack occur. thank you, mr. witty, for being here to discuss building a more secure, resilient and responsive health care system. thank you, mr. chairman. >> thank you, senator crapo. andrew witty as chief executive officer of the unitedhealth group. prior to that he was executive vice president of unitedhealth and ceo of optum. from 2008-2017 he was ceo and director of glaxo smith kline. mr. witty, we appreciate you being here. i believe you're going to take five minutes or so to share your testimony and we've got a lot of member interest and you'll get questions and i'll do everything i can to keep them on this extraordinary important topic. mr. witty. >> thank you and goodbye, chairman wyden wyden, ranking member crapo and members of the

committee. thank you for the o opportunityo testify here today. my name is andrew witty. i service chief executive office of unitedhealth group. our mission is to help people live healthy lives h and help me the health system work better for everyone. we have pursued this missionon o our to make distinct businesses, united healthcare which provides a a full range of benefits, and optum which brings together care delivery, pharmacy services, and technology and data to advance patient-centered care. change healthcare stop part of optum. it enables information claims and payments to flow quickly and accurately between physicians,, pharmacists, health plans and governments. i appreciate the committee's interest in the recent cyber attack on change healthcare. as result of this malicious iccyber attack, patients and providers expensed disruption and people are worried about their private health data. to all those impacted let me be

very clear. i am deeply, deeply sorry. our response to this the fact has been granted inhr three principles. so secure the systems, to ensure patient access to care and medication, and to assist providers with their financial need. we have deployed the full resources of unitedhealth groupu in this effort. i want to assure the american public we will not rest, i will not rest, untilil we fix this. cyber experts continue to investigate the incident, and why we will learn more and understanding may change is what i can share today. cyber criminals entered change healthcare portal, axel traded data and of february 21, deployed ransomware. the portal to access was not protected by multifactor authentication. our response was swift and forceful, tond contain infection we immediately severed connectivity and to prevented

malware from spreading their work. there's no evidence it spread beyond change healthcare. within hours of the ransomware launched we contacted the fbi. we continue to share information with them so that these criminals could be brought to justice. as we've responded to this attack including can do with the demand for ransom, my overarching priority has been to do everything possible to protect peoples personal health information. the decision to pay a ransom was mine. this was one of the hardest decisions i've ever had to make, and i wouldn't wish on anyone. as you know we found files in the axel traded data contained in protecting health information and personally identifiable information which could cover substantial proportion of people in america. so far we have not seen evidence of a true such as doctors charge for full medical histories were axel traded.

it will take several months before enough information will be available to identify and notify impacted customers and individuals partly because the files contained in the data were compromise intertec rather than wait to complete this review where providing free credit monitoring and identity theft protections for two years along with a dedicated staff by clinicians to support services. anyone concerned that the data may have been impacted should visit change cyber support.com for more information. meanwhile, we continue to make substantial progress in restoring change healthcare services. first, the team built a new technology environment in just a matter of weeks. second, we prioritize our restoration effort on services most violent to ensure access to care. pharmacy services, claims and payments to providers. and third, while these efforts

are underway we worked quickly to provide financial assistance to providers who need it. we have advanced more than $6.5 billion inn accelerated payment, and no interest, noel e loans to thousands of providers. most of these funds offer claims for non-uh-60 health plans, and about 34% of the loans have got a safety net hospitals and federally qualified health centers. we will provide businesses and s long as it takes to get providers claims and payments flowing preaccident levels. and it's our providers in your state who need help, please put us inn touch with them. fighting cybercrime is an enormous task, and one thates requires us all, industry, law enforcement, and policymakers to come together. i look for drenching your questions today. >> that you mr. witty. let me begin with this.

this hack it could have been stopped with cybersecurity 101. and i'm talking specifically about multifactor authentication, mfa. when your bank at asks you to enteren a code sent by text or e-mail, that's mfa. it secures your account even if your password is learned. yet, your testimony reveals this first server that was hacked didn't have multifactor authentication. so question one, i would like a yes or no answer to, mr. witty. prior to the hack did you or any of yourr senior management know that uhg was not requiring mfa companywide, yes or no? >> mr. chairman, think of for the question. are policies to to mfa from externally facing systems.

>> so if the answer is yes, then that makes myy point, that on your watch there was a cybersecurity failure. and then that's what caused the harm to patients healthcare sector and your investors. i don't believe there are any excuses for that. so my second question is,ec will you commit within six months at the latest to require multifactor authentication companywide and meet the top mfa standards that are required of the federal agencies? again, a yes or no answer. >> mr. chairman, yes, i'm happy to commit to that. in fact, i can confirm to you that as of today across the whole of uhg all of our external facing systems have got multifactor authentication enabled. >> we will take that as yes. it shouldn't have taken the

worst cyber attack ever in the healthcare sector for an agreement to do this bare minimum. now, second with respect to national security. people claiming to be involved with this hack have asserted publicly if they stolely data on u.s. government employees, including active-duty u.s. military servicemembers. my colleagues remember the 2015 hackck of opm government personl data which i was a pose very serious, intelligence concerns. and i am very concerned as i said in opening statement about the national security implications of this act as well. are you inf h a position this morning to say whether the hackers stole data pertaining to u.s. government employees? >> mr. chairman, thank you for the question. like you i'm extremely concerned about any patient information,, but particularly in the context you just described. so far through the process of

working through the data, what we've been able to identify is indeed a substantial proportion of people across the country data could be implicated here. we do believe there will be members of the armed forces and the veterans association. >> when can you give us in writing the number of military personnel affected and you best assessment of the our? can i have the quickest purpose absolute commitment. top priority. it willmi take longer spirit two weeks? this is a national security. i expected. >> we will absolute prioritize the. >> all right. let's talk about why things are taking so long and particularly how hard providers are being hit. because they are paying the price for the failures that have been made on your watch. how much longer will a provider% endocrine for services delivered in february have to wait in order to be paid? >> mr. chairman, thank you for the question.

our belief at this point is that claims flow across the entire country is essentially back to normal. al from unitedhealth group's perspective we're paying claims as soon as they arrive your we are with that of the companies may not be -- >> providers are telling me it's going to take until june to clear thehe backlog. can you do that early? >> we can move absolutely faster than that, and in the meantime we are providing -- >> when do you expect to have that cleared? >> we believe, , we believe the system is brought it back to normal now. if thero rainy providers instate the you would like refers to we can make sure that they are -- >> practically every provider i bump into is just waiting to be paid. >> those payments from united certainly have been made. we are caught up and we continue to advance significant -- >> will you commit too waving deadline for timely filings and appeals for claims until everything is back in her? >> yes, sir we have already

waited those. >> when you commit to paying meaningful conversation to each provider and plans and business operations are deceptive? >> we're happy to discuss that. >> please send to me in writing how a compensation the system would work. let me mention what other area very quickly. i have been following your various comments, and consistently your views seem to minimize the impact of your involvement. you say united healthcare payment processing accounts for only 6% of payments in the healthcare system. my view is that's basically hiding the ball. 20222 the department of justice said change retains records of least 211 million individuals going back to 2012. so how many people have actually been impacted? where did you find those files? and what medical information was stolen? i did answer to those three questions. how may have been impacted, where did you find the files,

what medical information was told? >> mr. chairman, thanks for thed question. as a set that is very much a top priority for us to get to the bottom of peer where working our way through that. as of this point we've not identified anything like medical records or medical histories. what we have seen is claims -- >> you don't have the logs that would show what data walked out the door because we had been working to get that and we haven't seen it. senator crapo. >> thank you, mr. chairman. mr. witty, the fbi has repeatedly warned that the healthcare sector isca particularly attracted to cyber criminals. as your testimony notes, , unitd of the experiences and attempted cyber intrusion once every 70 seconds. however, nationwide, cybersecurity preparedness response guidelines for healthcare sectors appear to be disjointed. without disclosing proprietary or security-related detail, how

do you intend to revise united cybersecurity protocols to incorporate the lessons that you learned from this experience? >> senator crapo, thank you very much for the question. first and foremost let me reiterate how seriously we take this and how diligently we are working to make this right, both technically r and also to make sure we understand the patient information implications. to your question of how we respond to this come first and foremost let me reiterate we have an air force policy across the organization to multifactor authentication on all of our external systems which is in place. >> can interrupt for just a second? i think part of my question is and you are about to get to that i want to be sure you are respond to do this. is it as simple as six in the multifactor system? >> multilayered. that is one element but its only one element of the defense. making sure, so, for example, we now have permitted into our

additional normal corporate wide scanning technology environment we've not brought external third parties to do double or triple scanning across assistant as a third a protection layer. we have also made the decision to strengthen our oversight of cybersecurity at the company by bringing to our board on and every meeting basis the leading cybersecurity invited to serve in america. they've been extreme helpful in understanding this attack and they have become a board advisor to ensure we have the very best advice of the top of the company. >> would o you agree that this type and maybe even this stronger approach in this type needs to become standard across our healthcare industry, everything from government to the private sector and, frankly, the entire aspect of our healthcare system? >> senator crapo, i would agree with that. what we saw in change healthcare

which was a company which just came into our group a a little over your and half ago was a company which was an older company, had older legacy technology but i think it's very typical of many small to medium-size organizations in our healthcare environment and, entherefore, inevitably there is going to be a lot of work to be done to upgrade those standards. but i do agree with your assertion. >> well, thank you. i would like to move on to restoration and protection of patientt information here your testimony indicates both pharmacy services and medical claims are now point and near normal levels, is that i could? >> as i believe, yes. >> while this is welcome news, the effects of a cyber attack continued from ongoing revenue backlogs too unfolding details about expose nation health and identity information. ..n and wind you expect when of% of change's system to be restored? >> thank you very much for the question.

all of our core systems are now up and fully functional. that means pharmacy processing, claims payments, the systems which are not available are really ancillary support functions, so not not determinative of the main claims activity for the payment which is where the disruption has been >> i'd also just like to emphasize as soon as the attack took place we encouraged providers to divert their volumes to other competitors to change, of which there are several, and many of them continued to operate through those and another way in which normal service was resumed. >> have you heard reservations from provide towers reconnecting to change? if so, how are you working to address those concerns? >> mr. chairman, yes, i think that's a natural and good concern for people to have after a data -- after an attack like this, you want to be reassured that the system is safe to reconnect to. that's why we disconnected so quickly in the beginning and we didn't infect anybody else. the reason why it's taken longer than you might expect to

recover, we literally built this platform back from scratch so we can reassure people there are no levels of attack at the new technology that we've created and sharing those details with clients and customers as they reconnect and i'm please today say that we're reconnecting substantially. >> thank you. and finally, would you share an update on your understanding of the magnitude and the type of patient information that may have been obtained by the hackers and when do you expect to begin the process of contacting impacted individuals? >> thank you for your question. we're working closely with the legrators on that last point of timing, how to and when to communicate. we want to avoid piecemeal communication and get it done as fast as possible. thank you. >> just on multi-factor authentication, we know we

heard from your people that you had a policy and you all weren't carrying it out . that's where we have the problem. ms. blackburn. >> i'm from tennessee and we've been inundated with phone calls and people are trying to get clarity around your statement about a substantial portion of people in america being affected by this because right now it looks likes anybody that is doing business with you. i will tell you this, the reality that hospitals and providers are facing is wildly different from the rosie picture that you have painted. you have made a statement recently that payment processing by change healthcare is at approximately 86% of pre-incident levels. this morning you said that it was back to normal and i will

tell you this, there is a backlog that many of our providers and hospitals have from nine weeks of not being able to get in and make these claims. we have-- and here is a good for instance for you. a small, independent private act hospital in west tennessee and they have diligently submitted all of their claims and they are burdened with the backlog of medicare claims that is equivalent to 30 days of revenue and they're waiting for these things to be transmitted to medicare. and this is all because of the missteps that you all have it. now, every day, they call to get an update, every single day

they're calling, and they get the run-around every single day. repeatedly. it is like you all can't figure this out and the absence of medicare electronic remittance is compounding the problem and it's requiring that manual payment processing and, of course, this goes into labor costs. you've got error rates. so, when can tennessee providers and hospitals expect you all to clear the backlog, to catch up, and be back to normal? >> senator, thank you very much for the question and i'm very sorry to hear the status of your hospitals. >> when? >> we'll reach out to find out the names. hospitals and-- >> take every hospital, every provider, we have hospitals

that are pulling on a line of credit. are you going to pay that interest? are you going to reimburse that? >> we are offering interest-free loans to ourselves-- >> i said, no, are you going to pay these interest costs? okay. let me move on with you, because one of the surprises and the chairman just mentioned this, is the lack of redundancies that you all have built into the system. now, your revenues are bigger than some country's gdp and how in heavens name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable? >> thank you for the question. first and foremost, change healthcare had only recently become part of the united health group. the attack itself had the effect of locking up the

various backup systems which had been developed inside change before it was acquired. that's the root cause of why it's taken so long to bring it back and i emphasize that we have worked to rebuild a brand new technical environment so that we know that it's modern and it's not infected from the attack. >> well, there may be excuses, but was there not a thought process put in place on the front end, as you were going through this, of how you would expect yourself from vulnerabilities? >> so change healthcare came into the organization just about a year and a half ago-- >> i'm fully aware of that. >> we were in the process of upgrading that technology and that's when this attack happened. >> all right, there again, for whatever reason, short-sightedness and not having a plan to incorporate is-- let's move on.

optum, because it's widely acknowledged that the temporary assistance program fails to address the financial setbacks that are caused by this. now, we've got one tennessee provider that disclosed a one-time payment of $8,000, significantly below their usual daily revenue of $20,000, and these providers have resorted to tapping into personal savings, retirement funds, seeking loans from banks, and so are you going to cover all of those costs that they have had to incur in order to keep the doors open because you did not have an appropriate backup plan? >> as important as this question is briefly because we've got a lot of members interested, answer. >> thank you for the question. very happy to engage with those

providers. >> you look forward to the engagement. >> thank you, senator blackburn, senator menendez. >> and the cause of operational disruptions with consequences for providers, pharmacies and patients across the nation. for weeks hospitals and providers had to deal with low loan offers and onerous terms, and your company is the largest private health insurer and largest physician employer in the country, earning billions in profits every quarter. it's unacceptable that it took so long to help providers during a crisis of your creating. now i'm concerned about what's going to happen on the back end. so, do you commit to not exploiting the destabilized provider markets that you created to further acquire other subsidiaries?

a simple yes or no would be great? >> senator, absolutely, we will not take advantage of that and we have notment i'd like to reassure you that we understand that in the effort to go quickly in terms of setting up our loan program, we didn't get all of the terms and conditions right. we fixed that very early and now we've been able to advance six and a half billion dollars. >> let's talk about that. united health care as you've just said, claims distributed six and a half billion to providers and you're estimated easily over $14 billion, with some estimates putting the total impacted services at many multiples of that. in other words, your accelerated or advanced payments were a tiny fraction of the total amount of services affected. it's my understanding that united health care and its subsidiaries know to the penny what the average provider bills in an average day, week or month is, yet, providers in my state and across the country

were struggling to keep their doors open as they waited for these payments. what reasonable explanation could you have for taking so long to get these accelerated payments out the door? >> senator, thank you again for the question. unfortunately united doesn't know the flow to folks other than united which is why it was not as effective as we'd like it to have been. we put the mechanism for the vast majority of providers give them information on interest-free loans within hours of application and remains available for providers. >> it seems to me almost incredible that you do not know a company that's so long established and, you don't know the flow of what a daily, weekly, monthly amount is to a certain provider. that's hard to believe. >> so, sir, we understand the flow when we are the payer, but

oftentimes we're not the payer and those will be the situation, i'm sure you have been aware we've been making loans to underwrite cash flow for others other than-- >> well, it seems you wasted time trying to pull a fast one by trying to put onerous loans. can you put on no loan repayment until the backlog is cleared? >> we've streamlined our conditions and yes, already told providers there's no need to pay the interest-free loans until 45 days after concluded they're back to normal. do any of the loan terms prohibit any of the loan providers from the competitors? >> no. >> you offered to do breach by hospital entis and providers groups that are dealing severe and daily disruptions. this should not be provided by

the burden of requiring hipaa notifications, but no group can rely on vague promises, and providers currently face mounting concerns about their own regulatory exposure should united not fulfill these promises. further, as more patients become aware of the possible disclosures of their sensitive information, they will turn to their providers for information and assurances, neither of which can currently be provided. so, when can providers expect concrete details on breach notifications in writing from united health group? >> sir, this is our top priority and we want to get this done as fast as possible. we're working with regulators to assure that we get that regulation as quickly as possible. >> can you give us a time frame, a week, a month. i think in the next several weeks. >> what kind of documents will agreements include information

about limitation or waiver of liability? >> that's something we're working through the regulators so we can be very clear. >> i'd like you to respond to the committee when you get to that conclusion. >> thank you senator menendez, senator grassley is next. >> welcome to the committee, last month i wrote to health and human services becerra regarding protecting critical infrastructure within the health care sector. in that letter, i highlighted the need for a strong relationship between punl and private partners to ensure the safety of u.s. critical systems. and i also inquired about the legacy systems, cyber attacks on our systems not only have severe impact on our economy, but put lives at risk. so my first question is, what's united health group's relationship with hhs and other

government agencies as relates to cyber security of the health care industry? how have hhs and cyber security and information secured agency worked with your company in the aftermath of a cyber security failure? >> senator grassley. thank you for the question. we've had a close engagement, i would say daily engagement with particularly cms and supported particularly in terms of how we've worked to support providers and to prioritize recovery of the system and the fbi has been our prime partner in terms of law enforcement and response to the attack itself. >> does united health group use legacy i.d. systems that need to be updated? if so, what's been done to

update? >> so change healthcare is a good example of a company that came in with technologies and 40-year-old company with technology generations within it. as we always do with new companies like that, we drive to upgrade them to the united health group which i believe are consistently higher than the companies that we've brought into the organization. >> i think you touched on it, but let me ask specifically, has united health group taken every available action to immediately remove members safety risk in its i.t. and sophomore? >> could you just repeat that, please? i couldn't hear the second part of the question. >> (inaudible) >> no, he said he couldn't understand. >> oh. well. >> he just asked you to repeat the question. has united health group taken

every available action to immediately remove members safety risks in its i.t. and sophomore? >> i'm not sure i completely understand the question around memory safety risk. >> okay. >> i can assure you-- why don't you do this, answer that question in writing. >> absolutely, happy to do so. >> my understanding is that change healthcare touches one in three medical records in the united states. i'd like to better understand how change healthcare stores manage data. how cost health care store and manage data. where is it stored? is it stored by third processing by what process coding and data sent overseas? >> so change healthcare store

data both on premises on a data center and to a limited extent in the cloud. as we've rebuilt the technology environment, we have moved much more into the cloud, which we believe creates a much more secure future environment. >> according to the fbi, there were 249 ransomware attacks against the health care industry in 2023. has united health group experienced another cyber attack since 2021? >> i'd have to come back to you on that. we are under attack consistently. i'd like to make sure i'm accurate in how i respond to that question and i'll be happy to come back to you then. >> in writing. >> okay. do you feel like your company is prepared for another cyber attack? and this will be my last question. >> senator, thank you for that

question. we're doing everything we can to be as prepared as possible, but we recognize the pressure of the attacks that come in. i believe that we are taking every sensible precaution and we've brought in multiple third party expert organizations to supplement our own teams. where i hope we can also look for ways in which we can start to reduce the attack pressure on the systems that we're all trying to manage. >> thank you, senator grassley. senator cassidy is next. >> mr. witty, thanks for being here and thanks for the conversation you and i have had prior to this. first, let me acknowledge as i spoke to doctors back home, the kind of worst case has passed and many have said that it's resolved. so, let me credit you for the hard work you've done. that does kind of present a different set of questions, please. one, you mentioned that united is waving prior authorization

essentially, but change handles lots of claims for other insurers and as we know, sometimes prior is denied retrospectively, retroactively. so, surgery will be approved and then at a later point it's unapproved and the dollars are clawed back. some of the docs say we don't know whether the shoe will drop, and whether it will be cigna that has a problem, et cetera. to what degree has united worked with other insurancers regarding prior authorization and what degree would united hold harmless to doctors, penalized, if you will, because of the damage done to the prior system from another insurer? >> senator cassidy, thank you very much for the question and appreciate the time you spent with the questions with me and followed up after the last conversations on some of these. >> from a united health care

perspective i'd like to confirm that when somebody applies for prior authorization and it's granted, we never go back to contradicting, we never go back in time to change. if they've already acquired that. to your broader point, we are very, very supportive of efforts to modernize and enchance prior authorization in ways that can be much less burdensome on the system and much more effective in terms of ensuring patients get access to safe-- yes, regards other insurers in this particular process, if change was an intermediary with cigna, i keep using them because they come to mind and there's an issue of prior, how would that be handled? >> if that situation, that would be a cigna responsibility. >> so has united reached out to cigna to move over in that period of change that provides at that function brought down? >> thank you, i'm clear with

the question now. let me reassure you that we've made clear that where people have acted in good faith during any outage, so, for example, a pharmaceutical was dispensed by pharmacists without authorization and thought it was okay, and no system to check. we will cover that. >> even through cigna. >> we will cover that. this is a broader question and something for this committee to consider. in our conversations and i gather on an earnings call, you pointed out that when asked about the breach, the cyber attack was paradoxically a validation of the size and scope of united's business practice. i've been told, washington post article, that 5% flows of gdp flows through every day. >> yes, but if you read something by nicholas talib that it's so big and presents a

special vulnerability and you have the deep pockets to address at that, but the fact that you're so big means it had a wide-ranging ripple effect that was outsized. i think for us, we would have to ask, is the dominant role of united too dominant that it's too big and messing up united is messing up everybody? >> thank you for the question. i think it's important to be clear that the change footprint and activity was exactly on the same it was attacked as before it was acquired. it didn't change because of united health care. >> if we try-- i don't want to limit our imagination to just change. at 5% of our nation's gdp goes through united every day, then is there something else that could be incurred upon united that would have even farther reaching effects? >> so, as we look across the whole of united we continue to be as always, focused on how we defend and protect the

organization. we look to how we can upgrade-- >> that's not my point. the point is has the size of united become-- it's almost a too big to fail insurer because if it fails, it's going to bring down far more than it ordinary will i -- ordinarily would? >> we do not own hospitals in america, or drug manufacturer-- >> don't you own a percentage of physician practices. >> we employ less than 10,000 physicians. hospitals across america employ 400,000 physicians. we contract and affiliate with a further 80,000 physicians who choose to work alongside our awesome colleagues, and we are proud of those who work with us, but sometimes affiliated and contract physicians we employ less than 1% of doctors

in america. >> i'm out of time, thank you. >> senator cassidy this is an extraordinary important position, this is classic too big to fail. and i've said a while back the bigger the health care company, the bigger the protection from hackers. and there are going to be senators on both sides of the aisle, and i look forward to working with you. the next person in order of appearance would be senator warren. >> okay, mr. chairman. so, mr. witty in 2023 united health raked in a whopping $22 billion in profit, making you the most profitable health care company in the country. in fact, by revenue, united health is the 11th largest company in the entire world. now, mr. witty, united health group owns the country's largest insurer, the country's largest claims processor,

country's third largest pharmacy benefit manager, a huge pharmacy chain. it is the largest employer of physicians nationwide or controller with at least 90,000 physicians, as you just testified. that's about one out of every 10 doctors in the country. is that correct about your size? >> so just -- thank you, senator. as far as the physicians are concerned, we employ just under 10,000. >> as i said, i think you have control over about 90,000. >> i would say not control. they choose to work with us. >> okay. because united health has bought up every link in the health care chain, you're now in a position to jack up prices, squeeze competitors, hide revenues, and pressure doctors to put profits ahead of patients.

united health is a monopoly on steroids. the opportunities for price gouging is everywhere, united health is the biggest participant in medicare advantage, that manages medicare benefits. with the subsidiaries, they're in a position to rake in more upcoding, and noting that a patient has a cane and adding diagnosis to of vascular disease to the medical chart, no treatment plan. according to a 2019 investigation by the hhs inspector general, united health was far and away the most aggressive abuser of upcoding practices. do you know how much, according to the inspector general, united health cheated taxpayers

out of in 2017? >> senator, thank you for the question. i'm not familiar with that particular. >> the number 3.7 billion dollars and that's in just a single year and that's from only two upcoding practices. you know, that was five years ago. now, as we speak, is united health under investigation from the doj for, among other things, your billing practices? >> senator, thank you for your question. we have a longstanding practice of not commenting on matters such as that or things like-- >> oh, i understand why you might not want to comment on it, public reporting from the wall street journal confirms it is, although your company has not disclosed this investigation. in fact, yesterday, i sent the sec a letter raising concerns about over $100 million in stock sales that united health

investigation revealed and i'd like that part. >> and it boosts itself with among other things illegal billing tactics and takes me to the data breach. after the largest attack on the health care industry in american history quote, put hundreds of thousands of health care providers at risk of collapse, united health is now using the prices to expand its monopoly even further. for example, in oregon tried to purchase a local physician practice and faced enormous public opposition. after the data breach, the doctors could nt get reimbursed for their services and pushes

them to the breach. and what did united health do, imagine with regulators to acquire the doctor's practice on an expedited basis. mr. witty will this acquisition make united health even bigger? >> senator, thanks for your question. i'd just like to also put on the record that we-- >> i had a very simple question. will it make united health, this giant, this 11th largest company in the entire world, even bigger? >> as the organizations join us, the organization, i hope, becomes better, as new physicians-- >> the question is not better. we've already talked about your business practices. the question is bigger. will it make united health bigger? >> as we grow we become larger. >> yeah, okay. so united health is using its own data breach to snap up doctor's practices that have been driven to the edge of bankruptcy by that same data breach. it's no wonder that united

health told its shareholders that that data breach would have, quote, no material impact on the company's finances. united health will stop at nothing to grow bigger, bigger and bigger as we speak. united health is trying to pick the bones of stuart health care in my home state of massachusetts which was ruined by private equity and corporate greed. it's time for regulators to say no to these efforts to get bigger and to suck even more health dollars away from patients and providers who need it for the sake of our patients, our doctors, nurses and the american taxpayer. it's time to break out of the united health monopoly. >> the time for my colleague has expired. next in order of appearance, senator johnson. >> thank you, now, mr. chairman. for a different perspective, the largest financial entity in the world is the united states federal government who will spend close to $7 trillion this

year and kind of view the 535 members of congress as the board of directors. this board of directors allowed the largest national entity to incur 35 trillion dollars worth of debt. the largest financial entity in the world gets halved all the time. we according to last year, gao, we had $236 billion of improper payments through the government programs run by the largest entity in the world. i want to put a little balance here and state the obvious, united health, you're the victim of a crime, correct? >> that's correct, sir. >> i'm actually sympathetic for victims of crime. i don't think you sought out to be hacked. what i was hoping to hear more about, was to utilize your experience to figure out what went wrong so that all the people watching this can try and correct it. as we sat down yesterday, i

appreciate you taking the time meeting with me, talking about change healthcare. there was one server that didn't have dual authentication. that was the source of the breach. and again, the cyber attackers are very sophisticated and they exploit those weaknesses and this is a weakness that's well-known. the most hacks occur because of those types of security breaches that, again, in large entity it's hard to police all that. can you describe the history of change healthcare, how it builds, why you bought it, what it's supposed to function? >> senator, thank you for the question. so, change healthcare grew over about 40 years through a series of its own acquisitions and organic growth to become a connector across the health care system, probably one of four or five kind of companies that do the same kind of thing. >> and the same kind of thing is processes payments. send claims from providers to

payers and then send payment back, exactly. >> reasonably complex thing to do. >> with medicare rules and insurance rules, it's a complex thing to do. >> exactly. and importantly, it's a software and network business not a pipeline business in a physical sense. so when it's attacked, the vulnerability is that the softwear is impacted or encrypted and that freezes the whole system which is why this has been a debtor space and impact. >> and you purchased it and it been built up over years for private equity. there was one group and describe exactly where the vulnerability was. >> we were in the process of upgrading the technology that we'd acquired, but within there was a server which i'm incredibly frustrated to tell you was not protected by msa. that was the server through which the cyber criminals were able to get into change and then they led off a ransomware

attack, if you will, at that froze a large part of the system. >> and you found out. i mean, you found a very-- when your people were aware of the breach you were notified immediately and contacted the fbi within hours? >> all on the same day. as of february 21 i was told-- they came and told me on february 21 and we called the fbi the same day. you had probably been breached how soon before that? >> we think in hindsight we didn't know at the time. as we'd gone back and done the forensics, we believe they probably entered nine days before. >> and my previous work on homeland security, it averages a couple hundred days, the hackers are inside the system exploring vulnerabilities before they're made known. again, these are sophisticated actors here. what was your response then? i mean, what did you do? >> the minute we knew about it, in fact, before i'd been

briefed, our team had followed the rights and disconnected change from all over connections, because it was critical to prevent the infection affected, any other provider or network in the country. and that worked, we know that did not happen, but we contained the blast radius to just change, and then-- so you shut down the system? >> we shut down the whole thing. >> obviously denying your customers' payment which and you've admitted, you could have handled that better. >> yes. >> again, this is -- you're dealing with difficult things to do here, but then you established this industry loan program in general. a percentage of your customers, how many are satisfied with your response to this versus the ones that are pretty upset with you. >> first of all, you're right we didn't get it right in the first week or so, we quickly change $that and since then, extraordinary uptake across the country and certainly from the correspondence i get from small

providers in particular, how grateful not only for the loan, but the ease provided usually in hours or overnight and they've been able to be supportive and we issue those loans today even though he we believe the overall system is back to normal. we no that some have not been paid yet. >> thank you for your testimony and yourself to be subjected to this, thank you. >> thank you. >> i'm going to go to the senator from nevada in just a second, but i want to also make sure, because you've been all over the map with respect to personal accountability, and you have consistently downplayed your role in this and your head of cyber security told us last week, you know, about this and we still need to know whether you knew that you didn't have msa. did now that? >> on this change? >> yes. >> absolutely not. >> why not?

>> well, so as the company had only recently, relatively recently come into the group, it was in the process of being upgraded. >> why wasn't it the first they think you would do? >> so my understanding is that when change came into the organization, there was extensive amount of modernization required and unfortunately, and very frustratingly, this had not had msa deployed on it prior to the attack. >> but you coming in would say, we've got to deal with this. i mean, this is the first server, this is not an abstract issue. senator from nevada. >> thank you, mr. witty, let me follow up on some of the line of questioning here. you've paid a ransomware, correct to the hackers? >> that's correct. >> how much. >> $22 million. and the information that the hackers obtained, was that identifiable patient information? >> we believe, yes, they

exfiltrated phi and pii. >> that's the most personal information that patients would provide to you. >> yes. >> don't you have an obligation to protect that information? >> we do and we take that seriously and of course, we're incredibly frustrated by this attack. >> and by law you're required, actually, to protect that information, both state law and federal law, correct? >> that's correct and we take that obligation very seriously. >> under that same law, you're also required to notify those affected partners and patients, that their data, their personal data has been compromised, correct? >> yes, senator. >> you haven't done that yet? >> no, we're wait-- how long will that take you? >> we think that will take several weeks to finish the data analysis to understand what is there. >> and you've been saving several more week since what, this attack was how long ago, 69 days ago? >> yes, and thank you for the question. we only were able to start this process a month after the

attack, when we got the data set back and we're able to deal with and start today interrogate it. it's a very complex process and we're trying-- >> is it complex because you have so much patient data that it's hard to actually identify all of it? >> no, it's more a complexity of the data structure, and make suring sure that we get it right and notifying. >> an as we sit here, there are many patients that don't know that player health information is compromised so they can't put in place against identity theft. >> we have not notified and-- >> let me jump to something i'm hearing in my state. nevada health center is federal ly health care center and rely on data for real-time patient identification. i'm hearing despite the portals being online that critical information is often missing or

mismatched with nearly 50% of payer information being inaccurate. health center seeks clarity on when these systems will be corrected, but have struggled to get a reliable answer from united health care group. so, i'm hoping you can provide that clarity. when will the real-time eligibility and benefits verification functions of the change healthcare network be up-to-date and accurate? >> thank you for that question. if i may, i will come back to you today with that information. i do not have at that with me right now. >> okay, so, i hope you do, not just my health care centers, many across the country are asking at that question. providers must be timely filing deadlines, set for companies, if they miss the deadlines, insurers may delay pavement leading to increased provider agreement. the recent health change act

dhajs challenges for providersing. will you permit extended filing deadlines for claims of health care hack and systems outage. >> yes, absolutely. >> will you agree to extend the filing deadlines filed before the february 21st cyber attack, considering the appeals processes for the claims have been disrupted by united health group systems outage? >> again, we're happy to do whatever is necessary to make this impact as minimal as possible for the provider. >> that would be a yes, thank you. and let me also address this. i'm concerned about the lasting effects of the united health group failure on the sector. providers i've heard from are having dropped revenue and delayed payments in nevada one report spending $12,000 every week on overtime for staff who are dealing with the billing

and eligibility issues caused by this change healthcare outage from many small providers in my state, missing just two payments could force their foreclosure. so, my question to you is what steps will united health group take to compensate providers for the administrative costs they're incurring due to this cyber attack? >> thank you very much for the question. first of all, we continue to make available the interest-free loans and secondly, more than willing to engaining with providers on their circumstances as we provide. >> interest-free loans will address the issues or are there conditions upon the interest-free loans they have to-- >> there are no -- sorry, there are no conditions on the interest-free loans other than that they would be repaid 45 days after the provider has concern that they are back to normal. >> thank you, mr. witty. mr. chair, thank you. >> thank you to my colleague,

mr. tillis is next. >> thank you, mr. chair. thank you for being here. mr. witty, when trying to get-- i know people have asked questions about your redundancy plan and multi-back drop. can you give me sense whether or not internal or external have identified this as an audit risk in the past? >> for the the-- i've got to believe that anybody, any qualified internal or external auditor on system controls would have identified multi-factor authentication not being in use as a major risk factor. do you know if there's a record out there that management would have been made aware of. >> of this particular server? >> yes. >> not that i'm aware of. >> okay, it would be interesting for the record if we can find information from either your internal audit or external audit if that was identified as an actionable matter. tell me a little about

redundancy, too. i used to work in redundancy, building redundant systems, cutover systems. it doesn't sound like that's a smooth cutover. how did that make it through a system audit? >> thank you for the question. i agree with you that it's very frustrating there wasn't a quick redundancy switchover. >> you are an information technology provider at a large scale. >> that's right. so, with it-- within change healthcare, which again was a company that only recently connell into our organization and in the process of being upgraded, the attack itself implicated both the prime and the backup environments. and that was partly due to the age of the technology and the fact that large amounts were not in the clouds. the elements which were in the cloud we were able to bring back amount immediately. and the elements in the older data centers and had multi-led

legacy technologies was the challenge on the restart. >> i use today bring those, too, on the senate armed services, and i had to give that up to get on finance, but i brought this book in when we had cyber ahacks, it's called hacking for dummies, the fifth edition and this is some basic stuff that was missed so shame on internal audit, external audit and your systems both tasked with redundancy, they're not doing their job, as a result, we have a data breach where i've said in judiciary committees, the first meeting we've had talking about data privacy, data breach since i've been on finance. i believe it's your problem to fix ap the damage to the consumers data is that you've got to keep them whole. that enterprise that-- your entire enterprise is based on the movement, data movement and exchange the data.

my health records, the records of people that are moving. when you have a breach it's got to be your problem, not my problem. so everything that you do to keep those folks' information, those folks whole for any damage in the breach, i think is just a function of doing business, do you agree with that. >> i do, sir and we've forward responsibility on notification and we're waiting for the notification and we've already stood up credit protection, and identity theft protection for anybody who can-- and they can reach us through a 1-800 number or through our cyber-- >> it raises interesting challenges about timelines, et cetera, but we'll submit some questions for the record about just how long you're willing to make that commitment and how easy it is. i for one do not want-- i've got a notice on possibly being involved in a data breach and it was kind of interesting, say, we will help you with your problem and i'm thinking, no, i will help you with your

problem. but you're not going to make this difficult for consumers. and i'm talking to those folks. i'm taking at face value, you're going to do it right. this is not the problem of the person who now may have to deal with the consequences of the use of their data. it's got to be your problem to fix. but, mr. chairman, i just want to bring up, i hope that we can get back, if you remember about three or four years ago, after europe passed the gdpr. data privacy, data breach. everybody was talking how congress needed to act on that and congress has done nothing in part because it's a multi-jurisdictional issue that wades into commerce, wades into judiciary, i think there's a third committee as well. we're making a huge mistake by not having federal rules of the road on data privacy, data breach and how the enterprises have to mitigate things and we've really got to work on it because now we've got a patch

work of a dozen states that are doing it differently. i think it's a distraction and cause for businesses that take them away from actually protecting our data. so, hopefully, we can work on this and it's a very critical subject and i'm bull making sure people whose data has been captured are kept whole. thank you. >> senator tillis, a couple of very important points you make, the last one in terms of bringing together the various committees, is essential. i don't want to leave though, the other important point that you make, multi-factor authentication is vital for prevention. but redundancy, which you touched on, basically helps the company get back on its feet. this company forms both. >> i agree, mr. chair. >> senator lankford. >> chairman, thanks. mr. witty thank you for being here and a lot of conversation around the dias and i appreciate the phone call we had in greater depth.

i do want to tell awe story getting started that i'm going to combine several people together, just to be able to tell you a story for an oklahoman that lives in a rural area, she's in her mid 70's, several years ago she used to go to her local physician, but that local physician practice has closed down because of just the administrative burden they couldn't keep it going so now she drives to a hospital 30 minutes away to be able to meet with a doctor there. that the hospital and that physician is on her insurance. she has medicare advantage. by the time she actual scheduled an appointment and lined up the appointment and found out, no, they switched off no longer on medicare advantage. but they were when she originally scheduled. when she originally signed up for the plan. then when she finally goes to the doctor on that she gets there, and the doctor needs to run some tests, but she can't get the tests done that day because they have to do a prior authorization with the insurance company so she has to

drive home when it's a test that she needs they could do that day and they can't do that day because we're waiting on prior authorization to be able to go through. the hard part is two years later that hospital has stop taking medicare advantage at all as we've had several of our hospitals do in oklahoma saying that just the realized reimbursement is 20% less than medicare and they just can't keep up with medicare advantage because all the prior authorizations and because all the denial of service so we've stopped taking medicare advantage for her really puts hear in a difficult spots. she goes to the local pharmacist she's done to for years and finds out there's pretty remarkable pressure on them and they're going to have a hard time not sure they're going to stay open, but her insurance company company tells her, we want you to do mail-in pharmaceuticals and she has a complicated process and she wants somebody to talk to. i wish this was a story that wasn't true, but it is and it's

complications. now, you've been engaged and united engaged in the areas, pbm's and it's not just on united, and rural areas, two million people live in the urban area and two million in the rural area. it's folks that live in the rural area the challenges that i laid out. not asking you to answer those, i'm saying those so you have you'll hear it because it's a reality of what's happening on the ground every day in rural oklahoma and they just want to get health care, and just want access to that. i do want to clarify something you and i talked about, it is when hospitals and pharmacies will be made whole after all of the issues that are reimbursements and everything is done. when it that target time when everyone will be made completely whole? >> senator, think very much. on your first comment, if i

may. i'm 100% aligned with that in terms of how to help modernize the system and not for one company, that's a government state company obligation and we do need to reverse burnedout physicians and easier for women like you described in oklahoma to navigate the same and need to provide the help and help the folks to get access as quickly as possible. that's what drives every person at united that tries and we're very open to ideas and suggestions how we can improve. that's why, for example, within the last year we've eliminated 20% of the prior authorization codes which existed a year ago. i just want to reassure you of our commitment and sentiment to to exactly what you're 0 looking to help streamline. >> that would be very helpful and i know as we've talked about off line as well. there are families that they do sign up with a specific plan

because they know the physician and hospital is in that plan and sign up in october or november and when they make their appointment in january or february, suddenly find out. no, it switched over in january, so they signed up for it in october. they need to know that if they sign up for a physician, that physician is actually going to be there. >> i certainly agree with you, sir, and providing direction directory is one of those we determine to be better at. in terms of the loan, remains available through this and we'll work with other individual providers with issues they're concerned about. >> when do you think that everyone will be made whole? >> the next month or six weeks. >> that would be helpful for providers, you and i can talk later. but any specific ideas the fbi can-- i serve on the homeland security committee as well as fps and i'm dealing with both

sides of this ransomware attack, and things fbi could have done better and helpful. anyone in your company wants to put together a list and work on that side as well we'd be happy. >> time of my friend expired. as reluctant as i'm going to break this up, senator brown you're next and senator casey, but if we break this up. senator brown. >> thank you, mr. chairman. mr. witty, welcome, glad you're here. in addition to being a large insurance company, uhd owns and hospitals pbm, as you know off rx tells you a lot about problems going on in our health care system. i hear from so many independent pharmacy owners in ohio forced to make impossible decisions, including considering dropping out of medicare part d and having to close their doors. and a couple who runs five

pharmacies came to me and shut down because of pbm the same story dropping out because of practices, direct remuneration and on pharmacies. were you aware on a national community pharmacies survey of independent managers and owners over one third are considering closing due to financial constraints. are you aware of it. >> i'm aware of similar research, thank you. >> to acknowledge the pbm played a significant role in many so of those closures? >> so, thank you for the question. from a-- from our pbm, rx. we do not have the fees-- >> do you agree that pbm played a significant role in many sof the closures? >> i don't necessarily believe that to be the case. i think that pbm provide a service in variety of reports

and decline-- story to cut you off. i have only five minutes. it's clear that the dir fees contribute to local pharmacy closures as i said, i just met with two ohio pharmacists forced to close their stores and they are in rural areas, five pharmacies and five different communities where those community. people's communities will have to drive at least five or 10 miles and they had record sales and pbm practices, it's clear that pbm, your company owns is making massive amounts of money. you know that. and you've probably bragged about that. last year, pbm reported revenues of $116 billion so it's clear that you could lower or eliminate those fees and make plenty of money. will you commit today in front of chairman widen and his committee to serve those in ohio and across the country? . we have already eliminated

drc's and-- >> will you help the industry for your colleagues to do the same. >> to the extent we're allowed to do that we'll certainly encourage that. >> it's clearly that a number of pbm's are not going to reform on their own. that's why we urgently need to pass this legislation, mr. chairman, to rein in the corporate middle men and pass in this congress. moving on to something mr. lankford was talking about, this put a financial burden on pharmacies and health systems in ohio due to disrupted payments and kickly community health centers are facing the dire consequences in this attack and you know how important that is in pennsylvania, iowa, idaho and oregon. think operate on slim margins. there's a pharmacy in mansfield, ohio, 600,000 a week to 200,000 a week due to this attack, unacceptable of course.

health systems can't continue to operate like this without certainty that they'll be compensated for these kind of losses. what is united's plan to compensate providers and health systems that are bearing additional financial burdens because of this breach? >> thank you for the question, sir. in the context of the family health you described in mansfield. in that situation we have our interest-free loan program and over $2 billion have gone to family health centers like the ones you describe and we'd be very happy to reach out to your office and if that particular provider has not taken advantage of that program, it's still available and it would bridge the gap in the cash flow that you describe. >> and those loans, though, they will be required to pay back? >> only when they are fully back to normal and all backlogs have been cleared and they, not me, but they confirm that their cash flow is normalized. >> they will make the determination of back to normal.

>> correct, and then they will have 45 business days to then start the repayment. >> at low interest loans precisely means what? >> no interest-- no interest. >> no interest, no fee. >> thank you. >> senator, thank you. >> mr. chairman, thanks very much, mr. witty, to be with you. in public statements, united health care claims the vast majority of services has been restored to pre-cyber attack levels, you've spoke about the company making the providers whole. i continue to hear from providers waiting for that. dr. christine meyer who owns a practice in pennsylvania, southeastern part of our state, initially looked into taking out had a home equity loan to keep her practice afloat. ... participate in your loan probably only offered 4000 a

month is months later she is receiving or from the received more generous loan from optima but is worried about repayment. she said the term dark here and read she will have to pay she's worried she'll have to pay back these loans before her practice is fully up and running. would you commit to supporting providers like dr. meyer by delaying the deadline for the loan repayment until the backlog of claims has been cleared regardless of the time. >> thank you for the question. let me apologize to doctor myers for the delay in getting the right level of loan capacity. in efforts too move quickly here we recognize we didn't get it right always at the very beginning of this process. we've improved that dramatically and that's why i'm sure she is able to get the full loan she has. i would like to absolutely

confirm to you and doctor myers that we had no intention of asking for loan repayment until after she determines our business is back to normal. and even then we would not look for repayment until 45 business days, 60 calendar dayst after that and they will be no interest in no fee associated. >> so a a determination she m? >> that's absolutely right. >> secondly i wanted to ask about the risk especially in the context of children and seniors when the obvious risk when healthcare or financial information is breached. in the context of a child, a child's date is still a kabir blank slate for cyber criminals and he can take years if not longer to repair the damage. for seniors for older adults whose rates of victimization from scams has been skyrocketing in recent years, a data breach

means even more of information is available to scammers to use against them in the future. united healthcare still hasn't notified any victims of the cyber attack. it's been more than two months but according to the companies website, it will t take quote several months unquote to identify and notify impacted consumers or customers i should say and individuals. i think it's clear if united has stronger defenses like multifactor authentication, then this could gone very differently. at the same time united is a growing and expanding, it's lacking protected cybersecurity infrastructure to secure peoples most private information. i would ask you this, to questions. one is in the context of parents who worry about their child's personal and private health information being out there on the world for the rest of the life. what would you say to those

parents? >> first off i'm very sorry that the situation hash happened and there has been a data theft. when working incredibly hard to get that information and work with regulators to get those notifications back as fast as possible. we've also been everything we can to try and minimize the possibility of that data in fact, leaking out at all. i want to reassure any paired any individual already today prior to navigation, anybody in america to call is for come onto our cybersecurity website for change. already there are services available to provide to your credit profession, , protection, it's as simple as making the call to 1-866-262-5342. if you bring that number within the first few seconds of that folks will offer the services in a very straightforward thing to do available to anybody. >> thanks. i'm out of time to submit one

question for the record. >> senator casey before you leave, i justt appreciate your standing up for families. we are going to have more discussion of this because i happen to think, mr. witty, credit monitoring is a a thous and prayers of data breaches. this is absolutely inefficient and it will ask more for al questions you shortly. senator hassan. >> thank you very much, mr. chairman, and ranking member crapo for this hearing and thank you, mr. witty, for being here today. following the cyber attack on your seceder company i heard from the hip hospitals that is saw all of their revenue to spill blood. you and i subsequent had a series of discussions about the need for unitedhealth to provide financial assistance to hospitals under fair terms. while the shouldn't have been necessary in first place i appreciated your work to change the terms of united health assistance program to provide fair believe options to these hospitals during what was an unprecedented crisis.

though there is a a long road ahead to return to normal operations. i have a couple of questions and i'm hoping we can get through them. let me start by following up on a question that senator cortez masto asked. in unitedhealth april 22 s release the company stated personal information for quote a substantial portion of people in america close quote, millions of families. with likely obtained by cyber criminals in the attack on yourc subsidiary companies. under hipaa covered entities who stated has been breached are required to notify individualsui and the hhs secretary within 60 days of when health information is known or reasonably believed and of emphasizing those words, reasonably believed, to be exposed in a hack. in other words, when in doubt you have to notify people who may have been affected by the breach. however, you have testified unitedhealth has not yet notified individuals or the hhs

secretary that sensitive health information was compromised. two-meter hipaa obligations you need to at least send preliminary notifications to individuals so they can take protective actions like monitoring their bank account, changing passwords and enrolling in the credit monitor system that united healthcare set up. when specifically we unitedhealth send this initial notification to all possibly affected people? will this information include information, will the nose include information about the credit monitoring your offering? >> senator, thank you for the question. could also think of it what you advocated for the hospitals and help us understand we need to and proper appreciate that. in regards to question this is a top priority to processes again to understand this. of course we'll try to get here is to make sure the information and the people we communicate with his right first and foremost.

when working with regulators to understand how best to do that. we were held up in the process because it took time to get the original data set back. will he got hold that in mid-march. where working on that. we're working with regulators on how to do exactly as you discussed. >> let me just, i'm going to push you all a bit on this because the attack happened third with 21st. hipaa deadline forel reporting o the agency and individuals was april 21. april 21. it's now may 1. ten weeks is way too long for millions of americans did not know that the records may be amenable to criminals on the dark web. i really urge you to meet the notify any family that could've been affected so that they can take proactive steps. i also urge you to use unitedhealth substantial resources to do more for patients who were exposed to this hack, including by offering comprehensive identity protections to individuals, the beyond two years of credit monitoring your offering now. second question, in

cybersecurity a single point of failure refers to a piece of the i.t. infrastructure that if it fails can lead to the breakdown of an entire medical system such as payments to health care providers. healthcare providers want to have contingency plans to be better prepared or system failures. some enhancer toby they are no longer comfortable with the risk of relying on a single system for processing or payment. yet unitedhealth group includes exclusivity terms and at least some of its change healthcare contracts. these terms prohibit providers from working with other companies to process healthcare payments. is it true your contracts include exclusivity clauses? >> so the legacy, some of the legacy change healthcare did we are releasing those so people can't indeed adopt redundant pathways. >> okay. i think it's important you make sure that future contracts do

not have these exclusivity terms because they can effectively great single points of failure. i guess the next piece of this, i think you've answered. are you agreeing right now you will not use exclusivity clauses in future contract? >> thatcherite. we agree with you that having business redundancy is an important backup technological risk. >> thank you much. thank you, mr. chairman. >> thank you, senator hassan. i noted in the discussion in preparing for this hearing that you are one of the first to kind of blow the whistle on some of these major issues and i commend you and look forward to working with you. this committee is going to be actively involved and we're going to make a bipartisan effort which is been a forte of my colleague from new hampshire and a look forward to working with her and all of our colleagues. senator warner. >> thank you, mr. chairman. appreciate you and ranking member holding this hearing. as you know november 22, we put out a white paper on the need to

at some level of overview, people in charge in terms of cyber and healthcare. i would love to cement for the record -- >> without objection your statement is in the record. >> this chart which indicates frankly cyber and healthcare is dealt with by four separate sectors and about 12 different entities. and i think this lack of clarity is one of the challenges. i feel very strong and appreciate that chairman has already i think alluded to this and want to hear from you, mr. witty. i know we discussed this morning that individually, is no industry likes minimum standards but just as we put in energy and in finance, minimum cybersecurity standards, i think we need those minimum standards and healthcare as well.

i think you tend to agree but if we're to put those minimum standards in place, i would want to make sure particularly whether we're talking a change for talking about big united, sab transparency. can you speak to the subjects? >> senator warner think very much. yes, certainly i do think i was supportive of that which moves towards minimum standards. i think today there is a blend of guidance some standards and others. i think there needs to be clarity with the net. as you rightly say there are a mix of different overset agencies. as you think about smaller and medium-size organizations across healthcare, oftentimes difficult to navigate some of those things. i do think a refreshed view of all that i think minimum standards do make sense. would be very, very happy to engage on any lessons learned from this with you on this. >> one of the things we need is people wouldn't be surprised if

individual provider or the united parent being this huge entity. but my understanding of change, in fact, they were the rails that folks didn't understand, allowed the doctor or insurer or provided to communicate better. we think that thesebe minimal standards, it has to be all the way up and down the food chain. you can't just check a box and say as the provider uncovered. we've got to go trace back to that whole supply chain in a way that again quite honestly i'm not sure with enough transparency in the system overall. i also believe and this was a mfa problem, because of the biggest in the business and the fact that i know you acquired

change. you were three years into the acquisition and you still have not put the type of standards that united corporate what aubry have in place in the change. why was it taking so long? >> senator, thank you for the question. that is very much still what, why the server had not been protected by multifactor identification. i mistrusted as anybody about that fact, and we are working to try and understand exactly why it was not covered at the time. >> mr. chairman, this is one of the areas we don't have increase against. i got providers that have not only gone through literally weeks of not being able to payments made and lost such faith in change that they're not talking about getting a new provider. that as more and more weeks. in the meantime, patients, providers and others are not getting the payments made.

i think we need to look not only at a minimum standard system but also how we build resilience into the system. i think the whole business model here, if any entity that is providing an effect the connections from a telecom cut as used to become those connection between doctors, providers, chores, there's got to be backup system in place. whether that means within a single provider like change/united would you i cannd you would have akamai or have is a a pawlenty change soever you sign up you have a backup and reserve. because without that he got the kind of crisis the system is prevented here. he said you're going to try to change that. >> senator, certainly agree with that sentiment, which is we would encourage people to a backup systems. those providers that two alternatives were able to sail

across to the backups are able to carry on without interruption essentially. some did not have those backups. we need to work with those providers to make it possible and help them to be able to have that second pipeline if you will for that second round which would allow them to have sailed across the technology value. >> unable to take on this issue and afford to work with you. i think this is a time that's what overdue. we were just waiting for crisis this would happen. we knew would happen.pe that we need to ask. i think those points are well taken, senator warner, i think there's an opportunity to link up the number of these issues as understand, your proposal is essentially a medicare related kind of effort. we have begun working finance committee staff which is there a course to all of the members because we have jurisdiction over the hipaa security role s well which gives us a chance to look at some of these issues relating to enforcement,

standards and accountability. i think your point as a relates to resiliency allows us and we started this morning to kind of walk-through how all of this actually works. you can't walk into a coffee shop in most of american talk about multifactor authentication. everybody which is kind of look at you kind of what planet have you dissented from? that's all about prevention. senator tillis came in and gave us a chance to make a link between prevention and get anybody up and running again quickly, which is what the redundancy effort is all about. if we link of these issues and work in a bipartisan way is lots to do i look for to working with mymy colleague. all right. next we would have senator barrasso. >> thanks, mr. chairman. thanks for being with us today. the cyber attack of of her fm hospital blood all across wyoming. country for from people all across the country.

shared in the more hospital, shared environment, showing how the attack has impacted them and their patients. so it took 26 days for the claim processing to be restored at shared memorial, like thousands of other hospitals of the experience financial hits that e take a month from which to recover. over 26 days they were delayed in filing 17,000 claims resulted about $20 million in unpaid services. world hospitals all across wyoming in the u.s. provide access to essential health services. they represent the most financially vulnerable hospitals and one hospital closes at usually a rural hospital. so 50% of rural hospital already operate right now in the red. this breach mason some of it into a financial spiral for which they can't come back and those communities are often rural frontier areas, not another hospital nearby. how are you prioritizing the processing of claims?

>> senator, thank you very much for the question. let me say how sorry i am to hear the kind of pressure you just described. please be assured we are working everything we can to make sure we are as responsible not just for claim click but to make sure there is programs available particularly for rural hospitals. about a third of the $6.5 billion was issued go to the sets of workstations. if there are specific hospitals within wyoming who have not yet connected with us i would encourage them to do so. claims processing is probably back to normal, so we believe most of the backlog on claims processing is mostly back. i cannot say 100% but broadly. where we are still, where still have lagged his payment on those claims. so, for example, if a a claims submitted to united healthcare, our insured company for payment we will be instantly. but not all payers are paid

instantly. some may be paying at normal 30 day receipt, that would explain why you continue to see that delay. we are committed to maintaining that loan, industry lung capacity for folks into the got to this cash flow challenge. >> we want to make sure you're specifically prioritizing these rural and financially vulnerable hospitals because they need to keep the doors open. there's been a lot of discussion about two factor verification. today with a small humored hospital, they have helfrich tried again to, 2500. 2023 they spent nearly $1 million on cybersecurity. it's evident from how much hospitals like he can hospital spin, take cybersecurity very seriously. change healthcare commit due to cybersecurity is not as clear.

we found everything just about every person here asked those questions. i've heard the responses you had to me seems like an excuse. they have this multifactor authentication, operating in the red and change healthcare was established in 2007. this was a hospital a hospital established in 1961 and this is a system that is been already updated. i'm just not sure why you haven't had this place yet. >> thanks for the question. like you i'm very disappointed and frustrated this is did not have enough install. change healthcare came at a group of them over your and a half ago per we been upgrading their technology since we acquired it. you're right they were stops in 2007 but some of the legacy system and the company go back 40 years. we've been working to improve those and, unfortunately, we

have discovered the server was not covered by mfa and as result was exploited. >> have you implement the requirements since the? >> oh, absolutely. we have external services. we're using external support to ensure with all those in place. we run continuous penetration test to make sure they are active. but in this particular, this is a very frustrating situation which we continue to try to investigate and understand why. >> i practice orthopedics surgery for 25 your. >> what a smoker five to six positions in the small group practice that can hit as well in addition to the larger practices. give any plan to change policy to ensure providers are not financial unhooking the future? >> we certainly, so i think important we are providing really unlimited loan support for folks to get to this cash

flow situation, and, of course, were always going to talk to provide on a case-by-case basis if there are other issues. >> thank you, mr. chairman. >> senator barrasso, before you go to associate myself with your remarks because this is sont important as relates to the small families. we been added for about two hours and i think you touch on what i i regard as one of they areas and we just heard excuse after excuse this morning from mr. witty. thee fact is that first server that was hacked did not have multifactor authentication. and mr. witty edit cybersecurity knew about it. so we've got to get to the bottom of it. this'll be completely bipartisan effort we haven't had any senator saying let's get a democratic bill or republican bill, were going to do this together. i much appreciate the important issue here. >> thank you, mr. chairman. >> senator bennet. >> thank you, mr.s chairman. thank thank you, mr. witty,g

here today. similar issues i want to talk about in terms of colorado here and very grateful the chairman and the ranking member has held this. mr. witty, i appreciate the initial efforts that uhg has been to accelerate payments to offer some financial assistance. this is obviously affecting cash flows all across the state. we have patience in colorado that are continuing to need care. since the hacked my office has been working with offices all over the state. they are still two or three months away from the normal cash flow and they are already as you know operating on on a shoesg as this is. some top of what they're dealing with gnome reimbursement trust the seas have yet to come back online. one critical access hospital in colorado had $1.5 million in outstanding payments that are

receivable, half of the total monthly revenue. there builds greater doctors and nurses and other staff is at risk as result of this so the operation risk is not just hospitals. arma sees in loveland colorado haven't forced to pass on a cash piece of medication payments to patients come some of which cost over $1000 for over 30 days. some coloradans understandably can't afford the expense and they haven't gotten their medicine. they have been left into hand as result of that. they are unable to pay the bills. they can't pay online. some auto payments have stopped. the single attack and a know you for this today but one more, one more state come single attack is kicked off a cascading series of crises, unmasking deep vulnerabilities in the core of our healthcare system. colorado practices and hospitals

been left to pick up the pieces covering the costs of someone else's cybersecurity failures. i wonder what you could say, maybe in addition to what senator barrasso asked you about, what caused do you think you might be responsible for here and how you are thinking about those challenges. >> senator, thank you very much for the question. also share in the situation in colorado. i'm very sorry for the disruption. we are working very hard to fix those technical solutions assesses possible. let me reassure you are financing capacity remains in place so, forci example, in hospital still has $1.4 $1n i think you said issue, we will reach out to your office to connect with those folks to ensure that they have the support to bridge them through into the back to normal. we are more than willing to keep that support in place if that's a a month or two months for three months. that would be interest-free,

no-cost loans for the hospital. >> i appreciate that, mr. witty. we will take up on that. something to do with cost going forward basis to deal with -- i mean, how are we going to avoid having this happen again in the future? >> so that's a very good question. i think we all have to say where clearly trying to take our responsibility, responsible in this attack. also trying to learn from it. we want to make sure we should all of those learnings, want to be as open as it can be on the things were learning. we will continue do that as her investigations continue to pursue any other understandings here. but the attacks are assisting. the attacks are becoming more and more sophisticated. the levels of technology that we're going to need to protect against those attacks will continue to be elevated and

that's good toel be a challengei for many to keep up with the pressure which is why i think it's also important we focus on how we reduce the attack rate and making sure the numbers of attacks which come into the health system and were brought into the country began to drop. it is simply escalating, and i think the probability of other breaches in and other parts f healthcare environment must be high given the pressure the system is under. >> thank you. thank you, mr. chairman. >> next is senator young of late and then senator carper. >> thank thank you, chairma. mr. witty, good to see you. thank you for make yourself available to me in my office and the backend of these attacks. healthcare entities and devices are increasingly connected to the internet as other health care facility networks, increase

efficiency, or improve the ability of healthcare providers to treat patients. can be used weekly and securely to reduce risk and vulnerabilities providers. there are still some unanswered questions and blessings to be learned we acknowledge that. one of the workarounds for providers we discussed was to move to a different clearinghouse including healthcare competitors how long transition to be fully up and running? >> i think back to be within a few days and more educated. >> that gives me a rough estimate.

is it helping with these transitions? >> we've recommended diverted too many alternative competitors as possible and we will continue to encourage back system. at least they were in the system. >> i know this has already been covered a bit. to confirm, there is reporting of passivity process rockwell any exclusivity clauses be enforced and partial providers be aware of that they transition to a new provider? >> exclusivity we waive and do not to force the because we want to make sure they have backup abilities in place. >> family healthcare community health center in the southern

part of my state, it is unable to switch to time sensitive process in the department which has two people in the new system could put cyber liability insurance at risk the paper submission lames by mail and current expense of significant postage costs personal healthcare center to provide the most they can for patients. the attack from the national news, do you have a notification process in place? >> that's a very good question and that is one area to figure out how to communicate not just

companies but the same thing in covid providers across the system and customer files compromised difficult. i was at the situation described would love to reach out to the office and financial support. >> you did mention the mechanisms to provide financial bridge. i am encouraged by that. how are you disseminating information to providers? ...

you did mention the mechanisms you created provide that financial branch. i am encouraged by that. particularly, the small safety net health centers. >> again, thank you for the question. we have used everything which goes to our million physicians across the country. we have used social media, something like 700,000 e-mails to a variety of different provider addresses. we try to use every channel. working with the key medical associations to get the word out to providers and others. we have been running regular national telephone calls for technology across all of the organizations. for example, the encouragement to spread the word. i do think that communication to

providers whether repeatedly comes up is an area of opportunity. >> thank you for answering my questions. i guess the only other thing that i would ask is, you know, you will have all manner of lessons learned including that there may be limitations under existing law to be able to respond to these sorts of attacks and serve your clients optimally to extend those lessons are learned isu communicate that information to my office and to this committee so we may consider changing the law. thank you. mr. chairman. i am really struck by how little we know about the data that could involve our service personnel. look forward to working with

them. >> mr. chairman, to our ranking member. thank you for putting this together today. thank you for the time to talk. thank you for your testimony today. among the things that i shared with you, some of the principles that guide me in this role another that i've been privileged to serve. one of my guiding principles is everything i do, i know i can do better. everything i do, i know i can do better. i think that that is true for us driving in our profession. another one of my guiding principles is treat other people the way i want to be treated. i tried to put myself in other people's shoes whether you happen to be a constituent, a patient, a practitioner or provider. put myself in their share -- shoes and help guide me. this is a shared responsibility.

the idea of shared responsibility. you and your colleagues have this spirit there is a role for that. one of the things that i mentioned yesterday quoting abraham lincoln. what is the role of government. he said the role of government is to do for the people what they cannot do for themselves. local government. probably that role for all of us to play. about a million people of delaware. 50 miles from east to west. something that i love to do and it is easy. people that have been, you know, disadvantaged, but potentially put in harm's way.

we have heard from practitioners and providers. on the phone and in person. so for us, this is very real. in terms of the role of government, the role of government here. it may be one or two. >> thank you very much. thank you for the comment. maybe two areas that i would suggest. helping the healthcare system through what the minimum standards, the right level of system protection and redundancy for the impacts of future attacks. to see what further can be done to reduce the attack velocity that is coming up the u.s. healthcare system from cyber criminals. i know the possible act may be

suggesting those two areas. >> thanks. this attack was as i understand maybe the worst of its kind against our healthcare system with people that depend on that system. the ramifications remain widespread. it is clear that they change healthcare's to prepare for this attack. i don't know if it's possible to actually be prepared. but you shared with me yesterday that the attacks were outgoing. they are not stupid. they are not getting any dumber, unfortunately. it is clear to change healthcare when prepared for this attack the lack of basic cyber security measures left them vulnerable to disruptions and care. and sensitive data and personal information being stolen. like my colleagues i heard from from families and individuals throughout our stay. directly impacted from this

attack. unable to receive her description for seven days because a specific pharmacy delays and that is not acceptable for any of us. why do you think it took so long for your systems to get back up and running. why are many pharmacies still out there today? >> thank you for the question. hearing the situation of the patient waiting for their incident. we have tried to make clear any prescriptions filled. what the personal status was. i also emphasized the challenges of communicating across such a wide group of providers. the speed of recovery was really determined by the way the attack encrypted large parts of the environment and to ensure that the system when it was brought back online garnered the confidence in the environment

that it was safe to reconnect to remember the change healthcare is a big connecting system. we really built the environment from scratch. we did not resuscitate large parts of the old environment which could have brought with it the risks and suspicion of infection and would have led to i think reconnecting at all. we spent a lot of time rebuilding from scratch. the third party organizations, test and penetrating to make sure it was super robust before they came back. consequence the way it impacted the first system and then the commitment to bring back the clean system was the explanation >> i think my colleague. just a few additional questions i am not clear on. the apropos of the patient's, the real victims, in my view,

through negligence, the people who have their information stolen sent the individuals $5. how are you going to go about compensating when they have stolen data. do they think that that is right >> we are working hard to understand he was potentially impacted. in the meantime, we have not stood by to wait for that. we have already put in place services, call centers to help people understand the situation if they need advice and also to make sure and for anybody, whether that is in this or not. everybody in america can access theft protection for the next few years. >> identity theft and protect against it is something that i

am very supportive of. i am also very hawkish on protecting people's private medical data. when i saw equifax giving people $5 and this happened very recently, i wanted to know from you all whether you thought that that was reasonable. how are you going to go about it can you envision sending this out to? >> this time i do not. i feel as if the important thing here is to reinsure people they are doing everything they can to ensure the data does not in fact leak. that we would make sure that the situation is protected through the services that we have already made available. >> let's also get on the record, one of the questions that senator menendez touched on. for a lot of us representing

small communities in our states that much of oregon, senator brosseau talking about that, you know, our physicians are very much at risk. they owe you for these loans. i am concerned that these will give you value financial information and based on the company's history will be used to gobble up lots of other small providers across the country. asking you about what was going on in oregon. this is not a hypothetical question for your company. buying these people up to hand over fist. i would like to see at a minimum a firewall established so as you cannot use the data from the doctors from the loan process to go out and buy more doctors.

that is the last thing that we need in america. >> first of all, i do support that. i think that is a good idea and a good recommendation. reassuring you. guided by the providers confirmation that their cash flow is back to normal. it is under their guidance. the suggestion is a good suggestion. i am very comforted. to be absolutely clear. >> we have been at it for more than two hours now. there is a lot that we don't know. a lot the american people don't know.

i am not convinced that we will find that out anytime soon. we may never find it out. this data as i said several hours ago can reveal abortions, sexually-transmitted infections and more. i just want to see evidence is willing because this company is i think that a lot of americans today don't buy that, and i think that your company, under your watch, let the country down. millions of people on both the prevention side, what two-factor authentication multifactor authentication is all about, and on dating us back and going. still questions by getting it back and going. that's redundancy. there's a lot of heavy lifting to do. i want you to know this is there

and try to concentrate on in the years, over the years in public service. i was director of the senior citizens group, this is one of those important issues i've taken on because the intersection of health policy, economics and national security is now front and center. i'm all in on this. this is one of the most important fights i've taken on because what worries me, all these people for professionals in the field say shoot, this is an example to the bad guys of accomplish.er you are going to be much more active, much more forthcoming in of the kind of specific issues that we talked about today if going to turn this around. with that, the finance committee iss adjourned. [inaudible conversations] [shouting]

[shouting] [shouting] [shouting] [inaudible conversations] [inaudible conversations]

>> shame on you. >> shame. >> today congressman brad one-stroke lead to the panel discussion on ways to combat threats posed by artificial intelligence and bile security. hosted by the american enterprise institute live coverage begins at 11 a.m. eastern on c-span2, c-span now our free video app or online at c-span.org. >> the house is back at noon east members will consi several bills including legislation response to defense secretary president biden and nify congrel leaders for being hospitaliz that bill would establish a 24 hour notice requirement if the nasa's ger councilmember which includes the defense defee secretaryes medically incapacitated. also near bret timken will sworn in replacing democrat the buffalo area seat ined on

uary. the senate returns tomorrow at . senators will vote on the confirmation of next u.s. ambassador to the southeastern asian country. workbook ihe lislation to reauthorize at the a programs for five years. current programs areo watch live coverage of the u.s. house on c-span, the scent on c-sp i remind y can watch all of our congressional coverage with our free video app c-span now or online at c-span.org. >> c-span is your ability of government. we are funded by the salvage companies and more including charter communications. >> charter is proud to be recognized as one of the best internet providers and we're just getting started building 100,000 miles of new frtructure to reach those who need it most. >> charter communications supports c-s