security fund that absorbs illegals into the country? with the average american agree with $3.2 billion? for advanced gender equity and equality whatever that means? what they agree with $2.5 billion centers for disease control to address the causes of violence in the communities. when he is letting everybody from 160 countries including gang members coming to america. 60 million for gun violence research across the cdc and the nih. when you and when you let everybody come in that has been seen and the crime in this country is skyrocketing and what americans agree with 11 million to preserve stories of cultures

and history across america? >> we will take you live do a house subcommittee hearing on cyber attacks that have affected healthcare systems and we will hear from the ceo of united health group which experienced a cyber attack. >> it will now come to order in the chair recognizes himself for a five-minute opening statement in today's hearing is about what likely is the most consequential cyber attack and healthcare history and how could something like this happen? how did consolidation in a health insurance industry reach such a state that a single ransomware attack on one company crippled the flow of payments and claims for months and it was subject to the cyber security attack and it operates the largest electronic data interchange clearinghouse in the nation with 50% of u.s. medical claims pass-through or touch this making it an essential link between

providers and insurers and a single company having this much medical claims processing market share makes them a large target for bad actors and it's even more astounding when you consider the attack itself occurred using compromised credentials without multifactor authentication and this type is standard defense to prevent cyber attacks and i am concerned about patients who have been effect that in many patients were left having to pay large amounts of money out of pocket for the medications because the pharmacy couldn't process their claims or their co-pay coupons and the family pharmacy in virginia in my district said the biggest effect has been patients not being able to afford the medication without co-pay assistance cards and they said and i quote, "we have people walking away from diabetes medicine, antipsychotics and

adhd medications. in one specific example was a patient having to pay $1100 for medication since the pharmacy was unable to process her co- pay and due to the cyber attack and united is contractually obligated to pay for these medications but patients are still paying premiums and forced to either walk away or pay large sums of money for the medications or even borrow money from friends, family or worse with cash advances off of their credit cards and providers were deeply affected by the cyber attack and they were left in the dark as to why united stopped processing claims and there was deep uncertainty about how to get the claims to flow uninterrupted and the program was minimal and restricted and they brought in many unrecognized expenses for the providers such as switching clearinghouses and manager in prior authorization and it's troublesome because doctors are

worried about keeping practices open and united, by shutting down its clearinghouse and effectively stopping all payments on claims making it more difficult to providing services. one philadelphia physician who runs a $6 million a year prior this was offered $3300 by the emergency loan program from unitedhealth and she may have to sell her practice. how many millions of dollars of interest alone has united made from holding onto money that it would have had to pay to providers or for patients? how many millions of surgeries, treatments and prescriptions were delayed or, worse yet, canceled or they didn't take the medicine. i understand the substantial task united is facing and dealing with the fallout from this cyber attack and they are the bad guys but i do look for an explanation on why united didn't have a backup plan and if they did, it failed

resulting in the federal government having to step in and try to help and additionally we don't know how many patients had their health information breached and they conceded a personal healthcare information and data of a substantial portion of americans has been stolen and at this hearing i hope we get an understanding of how many americans fall within united's definition of substantial proportion. even though united paid the ransom, we now have reports that cyber criminals are releasing patient information, billing records and other personal private health data held by united health group in spite of having paid the ransom. and that is what happens when you deal with these and i am hopeful this will shed light on the issue so we can understand the full picture and i can assure you this will be watching closely and i am

always willing to hold follow- up earrings if needed. that being said i do yield back and recognize the ranking member of the subcommittee for her opening statement. >> thank you. cyber attacks have become an unfortunate part of our daily lives and companies know they need to be prepared and we are so interconnected online and communication and energy grids and online platforms and health claims clearinghouses like change healthcare are all targets and ransomware groups and other threat actors are probing corporate and government systems for vulnerabilities and there are reports of major data breaches almost every week and sometimes due to malfeasance and sometimes by sophisticated cyber hackers. despite all of the cautionary warnings, the largest health

insurance company was caught unprepared and change healthcare, part of the mega health conglomerate unitedhealth didn't have basic cyber security protections in place and because of that it suffered a ransomware attack and unable to recover its systems in a reasonable period of time leading to serious harm to doctors, providers, pharmacies and patients across america. even with the limited information that has been made public, it is clear there were multiple system failures and this is a very basic yet effective security measure that everyday americans have. the department of health and human services has recommended the practice since 2022 through

its publication cyber security practices for medium and large healthcare organizations and specifically it called out the importance of multifactor authentication and a june 2023 newsletter. in that advisory hhs noted that multifactor authentication and other authentication processes are stronger than a single password necessary when an entity provided remote access. united healthcare ignored that advice. second it appears that hackers roam through change healthcare systems without being protected -- detected. they might've been picked up and that apparently didn't happen. third, whatever user credentials the hackers had access to appeared to have allowed them to roam across the entire healthcare system unimpeded. also they were able to deploy

an attack within the network suggesting a lack of adequate controls or user permissions that could've prevented malicious software from holding their system and valuable healthcare data ransom. there also appears to be a lack of any continuity or contingency plan to address this crisis and as your testimony states, lots of time and resources were spent completely rebuilding the network, but it is unclear why there wasn't a reliable backup or continuity plan in place that would've prevented the need for a complete network reconstruction and dramatically reduce the amount of time for transactions to begin moving again. at each of these points, united health group failed, whether it was a failure to properly invest in cyber security or a lack of adequate oversight and accountability within the company, it is an open question. at the bottom line is that

there were multiple opportunities to prevent, detect, and mitigate this attack, and unitedhealth group failed at everyone. in case any other companies or health companies are asleep at the wheel when it comes to cyber security, this is another wake up call and cyber threats are pervasive and worsening. ransomware tax can hold hostage the most sensitive of personal data and profits for paid ransoms only strengthening and encouraging ransomware groups to grow and carry out more attacks. they are no longer exceptional events and they are a constant thing and must be properly prepared for. while there are lessons to be learned, i do want to make clear that this crisis isn't over yet by any means and there are pharmacies and providers that haven't been able to reconnect to change healthcare systems and there is a mass

amount of health information that needs to be accounted for. in addition to the questions you received today, there are numerous questions outstanding from this committee and a bipartisan letter we sent to you on april 15 so we look forward to the answers of those questions. i want to thank the chairman for putting on this important hearing. >> the gentlelady yield >> and we recognize for five minutes. >> thank you for agreeing to testify before us today and i was disappointed your organization declined the original invitation to testify on this cyber attack on change healthcare and one of your subsidiary companies before we had invited you to testify before the health subcommittee but we appreciate your cooperation in being here today and most americans have likely never heard of change healthcare despite how crucial

it's functioning as to making sure they have access to care. it acts as a clearinghouse for 15 billion medical claims each year. it means more than 50% or right at 50% of all claims pass through change which covers everything from routine checkups with primary care physicians to life-saving cancer treatments with specialists. things until recently we took for granted in 2022 and they acquired this as part of the growing creep into every corner of our healthcare system and under the group umbrella resides the health insurance company with more than 40 million covered lives across medicare and medicaid and commercial markets and a pbm that managed $159 billion in drug spending last year, a provider group that owns roughly 1 in every 12 doctors in the united states. a bank that makes payday loans

to providers. that is it just a few of the providers and i do say this to emphasize the massive responsibility that comes with your position and with the family of four crushed by inflation, you would think that they are forking over more than $20,000 per year for their health insurance when a senior citizen sees the brand on your medicare product and when they funnel tens of billions of subsidies to your company, there is a reasonable expectation that they will get a baseline level of value for their hard earned money. i will set the bar higher. you have a responsibility to protect the data of the people who put their trust in you. more bluntly, in this case, you failed. on february 21 of this year, change healthcare announced it was hit with a cyber attack disrupting the healthcare ecosystems for providers, payers and patients and spent

more than two months since this attack and according to your own company's website they have yet to fully restore services. many negative impacts for the healthcare system persist. as your written testimony lays out, criminal hackers gained access to this through compromised credentials so they were remotely accessing the company's portal nine days before your company announced publicly the ransomware attack and this didn't have multifactor authentication enabled which is a relatively basic protection against cyber attacks which allowed them to unlock the door to break into your systems and multifactor authentication would be a basic expectation for a company handling the amount of sensitive information that they do. and it has been reported that your company paid a ransom to

cyber criminals and while i do have grave concerns with the precedent you created by rewarding the criminals, i would understand that it would be a difficult decision to weigh that against protecting the data of americans. here is the problem. it didn't stop the data leak. americans personal and private health information is on the dark web and it is private data you are responsible for protecting. i do suspect this decision will be a case study in crisis mismanagement for decades to come and i would be remiss if i didn't note that small providers and solo practitioners continued to provide uncompensated care as submitted claims can't be processed through payers and it's been reported that some providers are contemplating closing and others forced on

relying on volunteers to care for patients and others have had to furlough staff so employees can apply for unemployment. i do look forward to hearing how this will be fixed as soon as possible. i will note that we are here today to learn more about what happened and in that lead up during the attack and what you, mr. witty, are doing to fix it and prevent it from happening again. the american people, the millions who rely on changes in services and those whose information was leaked deserve answers. >> we recognize the ranking member for his five-minute opening statement. >> thank you. we are here because the cyber attack on this resulted in a prolonged disruption to our healthcare system earlier this year and the cyber attack has caused harm to patients, providers and pharmacies. the platform was clearly involved with one of every three patient records processing 15 billion transactions every year and as

a result of this attack healthcare providers have suffered tremendous delays in reimbursement and patience have been forced to front out-of- pocket expenses for medicine for treatment because pharmacies have been unable to process claims. now some were taken off-line and very 21 and they failed to provide clarity as to when it's systems would be online again and in fact the status updates repeated the same language for over a week that the disruption was expected to last at least through the day and this frustrated the ability of providers and pharmacies to conduct their day-to-day operations and decide whether to use alternative systems and in the meantime now over two months later it's not back to where it was and there is a backlog of claims that need to be submitted and processed and the delayed restoration and lack of communication from united health group is unacceptable and we wouldn't

accept a bank or internet service being off-line for weeks or off line without a clear end in sight and it's wrong that providers and pharmacists and patients continue to bear the brunt of the failure by a corporation that earned $371 billion last year to prevent or quick we remedy this. i am sure we will hear from mr. witty about the things unitedhealth has done since the cyber attack but the bottom line is the status security practices were woefully inadequate and the company didn't have a plan in place to quickly recover from such an attack or minimize the damage to impact. while it is true the largest company in the country has dedicated resources to clean this mess up, it feels like too little too late for all those harmed and to make matters worse we still don't know the full extent of the damage of

this attack and even if all the providers and pharmacies and patients were made whole in the system returns to normal, huge volumes of protected information appear to be in the hands of hackers as they announced this could affect the privacy of a substantial portion of people in america. as part of the work in the federal consumer data privacy and consumer legislation they have held numerous hearings highlighting the importance of companies adopting strong privacy protections. so it is extremely frustrating to have one of the largest companies in the world failing to meet obligations under existing law to adequately protect some of the most sensitive personal information and talking about sensitive information like healthcare status or medications that we take or medical services provided. this never should have happened and shouldn't happen again and they must do the hard work of adopting strong data security practices that include protections against such attacks and adopting plans that minimize this and it will take

a lot of work to untangle this mess and the department of health and human services and the centers for medicare medicaid services have worked hard throughout this crisis to minimize the damage and the office of civil rights has a lot of work ahead as it examines what went wrong and potential release of that data. the bottom line is, as we learn more about what went wrong, this committee should examine whether additional guardrails such as establishing cyber security requirements and medicare contractors with the need to be in place to prevent this from happening and this is a good start and i want to thank the chair for holding this and i do look forward to working with my colleagues on issues here and importantly hearing about how to make sure this doesn't happen again. thank you. i do yield back. >> that includes the statements

and the chair reminds members that pursuant to rules all opening statements will be made part of the record but we do ask that you provide those opening statements to the clerk promptly at a want to think our witness for being here today and taking the time to testify before this subcommittee and also acknowledge that you are wise in choosing to first product this with the practice squad on the senate side today and i know you must be tired but welcome to the etsy here in this subcommittee of energy and commerce and you will have an opening statement followed by questions from the members and our witness today is the chief executive officer of united health group, andrew witty. we appreciate your being here and i look forward to hearing from you. you are aware that they are holding an oversight hearing and doing so we have the practice of taking testimony under oath or affirmation and you have any objection to that? >> no i don't. >> seeing no objection and hearing one we will proceed and i advise you do you advise to

be -- object to being advised? >> no. >> please rise and raise your right hand. do you promise or firm to tell the truth, so help you god? >> i do. >> the witness has responded in the affirmative and as he has done so you are now sworn in and under oath subject to penalties set forth in section 1001 of the united states code and with that we will recognize him for five minutes for an opening statement. >> thank you and good afternoon . thank you for the opportunity to testify here today and my name is andrew witty and serve as executive officer of unitedhealth and our mission is to help people live healthier lives and help make it work better and we do pursue this through are two distinct businesses, united healthcare, which provides a full range of

health benefits and also one that brings together care delivery, pharmacy services and technology and data to advanced patient centered care and change is part of it enabling information claims and payments to flow quickly and accurately between physicians, pharmacists, health plans and governments. i do appreciate the interest in the committee in the recent cyber attack and as a result of this malicious attack, patients and providers of experienced disruptions and people are worried about their private health data and all of those impacted, let me be clear. i am deeply deeply sorry. our response to this attack has been grounded in three principles and to assist providers with financial needs and we have deployed the full resources of united health group in this effort and i do

want to assure the american public that we won't rest and i won't rest until we fix this. cyber experts continue to investigate the incident and while we do learn more in our understanding may change, here is what i can share. cyber criminals entered the change healthcare portal and exfiltrated data and on for very 21 deployed ransomware. it wasn't protected by multifactor authentication. our response was swift and forceful and two and -- contain infection we severed connection and secured the perimeter to prevent malware from spreading. it did work and there has been no evidence of spread and within hours of the ransomware launch we contacted the fbi and we continue to share information with them so these criminals could be brought to justice. as we have responded to this attack including dealing with

the demand for ransom, our priority has been to do everything possible to protect people's personal health information. the decision to pay ransom was mine and this was one of the hardest decisions i have ever had to make. i would not wish it on anyone. as you know, we found files in the exfiltrated data containing protected health information and personally identifiable information which could a substantial proportion of people in america. so far, we haven't seen evidence or material such as doctors charts or full medical histories that were infiltrated. it will take several months before and if information would be available to identify or notify customers or individuals partly because the files contained were compromised in the attack and rather than waiting to complete this review, we are providing free

credit monitoring and identity theft protections for two years along with a dedicated call center staffed by clinicians to provide support services and anybody concerned that their data was impacted should visit change cyber support for more information. meanwhile, we continue to make substantial progress in restoring the services and first the team built the new technology environment and then second we prioritize the restoration effort on services most vital to ensuring access to care and pharmacy services, claims and payments to providers and then third while these were underway we did work quickly to provide financial assistance to providers who needed it and we have advanced more than $6.5 billion in accelerated payments and no interest and no fee loans to thousands of providers. most of these are for claims for non-united healthcare plans

and about 34% of loans have gone to safety net hospitals and federally qualified health centers. we will provide this assistance for as long as it takes to give them claims and payments at preincident levels. if there are providers in your district who need help, put us in touch with them. fighting cybercrime is an enormous task and one that requires us all industry, law enforcement and policymakers to come together. i look forward to answering your questions today. >> thank you for your testimony and we move into questions and i will begin and recognize myself for five minutes. substantial proportion of the american population and how much are we talking? 20%, 50%, 70? tell us. >> we do continue to investigate the amount of data involved and we do think it will be substantial.

because we haven't completed the process, i am hesitant to be overly precise and be wrong in the future and i don't want to mislead anybody. >> i wouldn't want you to do that either but when you say substantially, at least give me a range and you can be on the bottom of that and i don't mind but every talking to 20% or 50%? >> i think maybe one third or somewhere of that level. >> okay. all right. i appreciate your letting us know that is a suspect number because the worst thing you could do is coming in here and telling us something that sounds like a fact and having it be different. your company is contractually obligated to pay for the services and medicines and you are still collecting premium dollars and collecting interest on that money and you heard me say in my opening i am concerned about the flow issues but particularly while i am concerned about that i am concerned about the report of the lady who had to spend $1100

out-of-pocket and so you understand in my district and i don't know anything about this lady circumstances because it is private information. but the average take-home pay in my district is $50,037 and $1100 is a lot of money and even people who make more than that usually don't keep that money laying around. so what would you do trying to make those people whole? >> thank you for that question. on the first part of that question is concerned of the ongoing payment versus premiums we collect and i do want to assure you we have lifted all claim holds. and for weeks we have been paying claims as soon as they arrive in the company. we are passing through payments in accelerated format and we know not everybody is doing that but we are and as far as the situation for the lady you described, let me say how sorry i am to hear of the situation. i am aware there are clearly people who have had these

situations. >> probably thousands we don't know about. and in these situations i want to reassure you of. first of all the systems are now back online so in terms of those coupons and systems they are back online and we have and will continue to honor any prescription fulfillment where somebody was out-of-pocket in good faith. we will absolutely honor that out-of-pocket cost if for some reason the lack of service provision led to the out-of- pocket cost. if there is anything further we can do for that individual or if your office would like to connect us up, we would be happy to help. >> they would have to help and contact us to fill out the proper privacy forms because we don't want to be guilty of keeping secrets. but will they have to fill out a lot of forms? a lot of folks, but particularly if you give them a lot of paperwork to do they

will say, forget it. or more choice words. >> no. and again, thank you for the follow-up question. this is trying to be administratively easy as possible and as pharmacists are concerned a lot of times this lands with the pharmacist having made the decision to fulfill the decision that it would be reimbursed and we are honoring those in good faith without any further -- second do look forward to working with you because we want to solve that for all americans and i look forward to working with you but i do have another question that i want to get to and it is one of those things that maybe an unexpended -- unintended consequence. it is medical practices. what we hear is a lot of practices, particularly rural or urban areas and underserved areas anyway that your company is willing to buy the practice which i think is good on its face but as you heard

chairwoman roger say one in 12 physicians or doctors currently works for one of your subsidiaries are ready. this has given you a leg up on buying other practices and how many other clinics do you think were hurt by the cyber attack have you acquired and how many are you looking at acquiring? >> thank you very much for the question, mr. chairman. maybe i could make a few comments. first of all, we employ around under 10,000 physicians in our practices across the country and i do not often times people talk about a much larger number and that includes those who choose to contract and affiliate so i want to make sure that is clear. secondly, since the attack has taken place, we have indeed concluded the acquisition of one practice in oregon and i want to assure you in that

situation it was a transaction negotiated before. >> time is running out and any other practices you are going to acquire? >> no. not at all. >> that is what i needed to know. my time is up and i recognize the ranking member of the subcommittee for her five minutes of questions. >> one of the most concerning aspects of the cyber attack is how unprepared unitedhealth has been prior to february. your testimony states you are perpetually bombarded with attempted intrusions roughly one per minute and change healthcare may 2022 annual filing contains extensive disclosures about the risks of a cyber attack and all the processes it has in place to mitigate the risk and that filing specifically stated as employees and business partners

work from home and access their system remotely, we may be subject to heightened security or privacy risks including those of cyber attacks and privacy incidents. you were clearly on notice that your company's networks were a regular target for attacks and remote access in particular was potentially vulnerable. with that being the case, why is it that one of your remote access applications didn't have some thing as basic as multifactor authentication enabled and is it the case that it was never enabled or just not enabled at the time of the cyber attack. >> thank you for the question. we continue to investigate exact way as to why nfa wasn't on that service and it clearly wasn't. i am as frustrated as you are about having discovered that and as we have gone back and figured out how that occurred, change healthcare came in 2022

after the timing of the declarations you just described. change healthcare was a relatively older company with older technologies which we had been working to upgrade since the acquisition and for some reason, which we continue to investigate, this particular server didn't have that on it. >> it isn't clear today but when will you be under standing -- understanding on why it wasn't activated? >> i hope it won't be too much longer and those investigations have been going on over the last several weeks and it's part of trying to figure out exact the what happened and if we learned lessons and if there is anything that should have been done when it wasn't. >> who is responsible for that? and who was responsible whether multifactor authentication was activated or not?

>> company policy is to have multifactor authentication and externally facing systems and in certain situations where you may have, for example, older technologies which have been upgraded or you may have security controls around those systems as a compensatory factor, that whole framework is clearly something we ascribed to. >> who in the organization is responsible for whether or not that was activated. >> that will be part of our information security structure within our technology organization. >> is that ultimately your responsibility? >> yes. >> the most recent report said it has systems and procedures in place to detect and contain incidents of cyber security and unitedhealth regularly tested updates continuity and resiliency plan to contain and remediate potential disruptions or cyber events and unitedhealth

systems for detecting and containing cyber security incidents apparently didn't work between february 12 when the hackers gained access to change healthcare through for very 21 when they carried out a ransomware attack and did they ever test its infrastructure or protocol for a scenario like what happened in february quit's >> again, thank you for the question and we test those systems and i can't describe to you whether or not change healthcare tested those prior to having them come into the organization in that period is a focus of also whether or not there was a failure of the system or for some reason why the systems didn't pick up what was going on. >> and what continuity or contingency plans were in place prior to the attack and where the intended to account for disruptions on the scale we have seen? >> significant contingency and

backup plans are in place but in this attack and partly because of the age of the technology within change healthcare, which has been built up over many decades, the way in which the encryption ransomware was essentially detonated within the system affected not just the prime systems but the backup systems as well where they weren't there and some of the systems and key systems warned in the cloud. where they were in the cloud we were able to bring them up rapidly and some of her services were backup within a day or so but for the ones we saw the most disruption, what we saw there was an impact across both backups and the prime systems, which, really, was a consequence of all the technologies which, as i said, we were working to upgrade with the process not being completed. >> i am out of time. i yield back. >> we recognize the chairwoman of the full committee, ms.

rogers. >> we are all disturbed about the impact of this since the very 21 as a result of this ransomware attack and you stated nine days before the february 21 ransomware attack occurred, criminals used compromise credentials to remotely access one of the portals and what you mean by compromised credentials, and how did that happen? >> that refers to people stealing passwords and you may be aware of people's passwords been stolen and sold on the dark weapon that kind of thing and we believe through that kind of pathway they originally got credentials which allowed them to access into the system and then use the server that we are talking about to prosecute the attack. >> okay. switching gears. i have long said i am skeptical of arrangements where the

insured not trying to pay for care of the patient maintains ownership of the doctor supposedly adopting it in united's poster child for such arrangements as the single largest owner of doctors in the nation and i do have a fundamental problem with that and i believe the increasing cost of reducing the quality of care and again, united is the poster child for this. you don't seem to agree with that, however and you recently said, "we are a comparatively small part of the 5 trillion u.s. healthcare system and now the company has found files containing the protected health information or personal identifiable information that could cover a substantial portion of people in america." if unitedhealth were comparatively small, how would it have the phi in the substantial portion of americans. >> madam chair woman, thank you very much for the question.

i do think the distinction i would draw between those two things is that change healthcare was processed in about 40% of claims flowing to the system on behalf of all payers and not just united but on behalf of everybody in the system and other companies do similar work, but that was change activity and change itself was a relatively small company and had an important role. if i do look at united health group, we have a number of people in the marketplaces and they are rarely the market leader and we are rarely number one in the situations but we compete in the key areas. similarly across the states, we have developed what we believe is an improved way of ensuring high quality care by aligning incentives between physicians and parent -- payments. >> i will move on and you said numerous times that the size of

your company has allowed it to recover more quickly than otherwise it would have but i think you are implying the consolidation is good and the reality is the american people don't want to be told that less competition and more competition is good and they want to get the best healthcare in the world from a system that is clear and understandable and affordable. i do strongly recommend you put your efforts toward creating that system. moving back to cyber security, if the change healthcare portal that they infiltrated has allowed users to remotely access your systems, the ranking member asked about why you didn't have the multifactor authentication. does the portal have it now? does the portal today have it? >> all active external facing systems across unitedhealth have that and we have third- party testing to make sure they

are operative. as far as i am aware today and i would say because technology is a rapidly evolving space, we have to be relentlessly checking on that almost every day because there is always a new application or something new happening but policy is very clear. >> i will move on. how are they communicating with unitedhealth to get the ransom? did you communicate ever directly with the hackers?'s >> i didn't. >> how much did you pay in ransom and how is it paid? was it dollars or bitcoin or other cryptocurrency? >> it was 22 million in bitcoin. >> what was the date you paid? >> i don't have that to mind but i can get back. >> can you affirmatively say that the hackers you paid didn't make copies of protected or personal data and at the later date upholding on the internet or dark web?

>> i can't affirmatively say that, no. >> thank you. i yield back. >> the ranking member gets five minutes of questioning. >> thank you. when unitedhealth acquired in 2022 it touted the essential data into changes into an echo system and a press release from unitedhealth the time stated the acquisition would ensure physicians get paid more quickly, accurately and reliably and yet the exact opposite has happened. i don't understand how your company, one of the largest in the country allowed a disruption to the services to persist for so long and i know that you said, unless i misunderstood, i think you said a few times that you acquired all systems, all technology that needed to be fixed but you had a year and a half from when you acquired it until this

cyber attack. i don't understand why you couldn't correct it and why you didn't have an adequate backup. you had a year and a half and why didn't you correct that and why didn't you have a backup in place? >> thank you very much for the question. certainly, as soon as we were able to clear the transaction for change healthcare, we began the process of upgrading the systems, both in terms of the cyber defense as well as its core technology but as you might expect, in a business that had been around for 40 years and with the first layers of act two hippity, it was a very complex technology environment which does take time to upgrade. >> my point is obviously it would take more than a year and a half. but knowing that, shouldn't there have been some kind of a backup plan in place? >> very unfortunately, in the way this attack took place, it

implicated both the prime and back up environments for many of the systems and that particular ransomware attack made those backups and operable and that is one of the lessons we learn from this in terms of how we build true isolation backups and maybe just emphasize the point of emphasizing those services in the cloud versus on older premises or data centers which is the case in the legacy change environment. >> a lot has been said by my colleagues about providers and pharmacies that were particularly hard and i know we had workarounds like manually typing claims and these types of things and, i mean, i am told these want realistic and i

wonder whether you believe these workouts for small pharmacies and providers did the trick and word there are a lot of problems with their ability to do that? do those still persist? >> i think the most important work around was to encourage providers to divert to other clearinghouses and a very large fraction of providers did that. i do acknowledge and recognize and particularly for small providers who maybe didn't have the ability to make that quick switch it was definitely challenging and that is why we put in place the funding program to support small providers and recognizing they had the longest disruption in charge of their support and i believe the majority and certainly a large fraction of these loans we issued have gone to small providers. >> let me issue again about these small providers. even though you are getting a

system back online, they need to reconnect to your system. what is your company doing to meet the change healthcare users? are their needs that may not have the same resources as large hospitals to reconnect the systems? will you commit to continue to provide the assistance to them so they can reconnect? >> thank you, sir. yes. absolutely. we are reaching out to providers actively as each system comes online to help them make sure they have the technical capability to reconnect and if any member in the districts have people who are struggling with that or if you could let us know, we would absolutely prioritize making sure we get connections and key for us is knowing who has a problem. as soon as we know, we will do that. >> i appreciate the offer you made earlier because we do have some that continue to have problems and i do intend to get

back to you through the chair and identify those for you. thank you, mr. chairman. >> the gentleman yields back and recognizes the gentleman from texas for five minutes. >> thank you. is there generally an available website or telephone number that a practice can call right now if they are having a problem? >> yes. thank you very much for the question. change support.com is the best website for anybody to access whether it is a provider or an individual, but i would also very much like to note the one 800 number available for individuals to call if there are any questions about data or anything like that so it is 1- 866-262-5342 and that service line is available and is the process if anybody wants things like credit protection or identity theft protection and

those are available through a phone call. >> are providers still contacting you as was mentioned and are people still reaching out and telling you they are having trouble? >> erratically -- sporadically. but i encourage any member who has knowledge of folks who has problems continuing to send them our way and we will get them technically reconnected or make sure they have a robust offer of cash flow support so they are carried through but what is left. >> so a practice to upload data to the website and it gets hacked and the information appears on the dark web. who is liable if a patient finds their information has been compromised? obviously, they will go to their doctor and say how did

this happen and who has liability for that? >> thank you very much for that question. first and foremost, we are offering to take full responsibility of all notification obligations for everybody involved. we are working with the regulatory offices to manage that process. ideally, we would like to take over so the physicians don't have to worry about those situations and we do have to make sure that the regulatory oversight takes that support but that is very much how we want to step in and take that responsibility. >> can we help you with that and who are the agencies that would need to understand the importance of this? >> we are working with ocr within hhs and those conversations are ongoing and i do appreciate the offer and if it is acceptable to you i will come back to you in the future if necessary, today those conversations are engaged in,

and i hope we can get to a simple solution which takes any of the anxiety of notification off of everybody else's shoulders and we want to do that. >> that is beyond the scope of this committee but you did mention the bitcoin ransom and are you working with the department of justice? i want to see somebody arrested and marched into the center of town and shot for doing this. are you helping law enforcement track these people down?'s >> absolutely. in the first hour as we reached out to fbi i want to acknowledge the fantastic engagement we had from fbi from this period through today and we have every step of the way been with fbi and continually will provide them with information with what they need or help them hopefully track down and catch these folks. i am completely aligned with you and i want to see these people brought to justice.

i hope we are the last people they ever attack. >> of course one of the problems -- and this is not the first time the committee has dealt with this but for years there have been several problems historic the which is these are actors from outside of the united states and it's hard to get foreign states to hold them accountable. i hope we are willing to engage with that in a more global sense and this is a problem that won't go away and i can remember dealing with this same set of circumstances in 2015 and we just can't keep doing the same things over and over again and let me ask you because there was mentioned in your testimony earlier that there are loans to practices having difficulties with this and they are low interest loans? >> yes they are interest free

and no fee. so far we issued advanced payments of about $6.5 billion to about 142,010 so tax id numbers all interest free and no need to repay until the provider is back in normal cash flow. >> yes. i think that is wonderful but are you relying on self attestation by the provider to say we are back up to normal value? >> essentially, yes. we work with providers and so far we didn't ask anybody to repay him providers have begun to do that and they have begun to come back and say we are back to normal and we want to start to repay and just beginning, but i do think it is a good sign but there are others who are drawing down some of these interest free loan so others who continue to need help and we are working with both ends of that spectrum and we will continue to do

that. >> thank you and i yield back. >> the gentleman yields back and recognize the gentlelady from colorado for five minutes. >> thank you. in the wake of the cyber attack on change healthcare you said, "i think it is important for the country that we own change healthcare because otherwise we would have left it extremely challenged to come back." i guess i think it may be true that the resources of unitedhealth have allowed change healthcare to survive and recover, and that is good, but i also think it is important that they be used to ensure the stability of the broader system and i understand it is a being restored on a rolling basis and, good news, i heard from providers in my state of colorado that they are largely back on track and submitting claims although there are some difficulties that we will be sure to call you when we hear about. but i do think we need to do

more work to get everybody reconnected. i do have a few questions. united healthcare group had just over $370 billion in revenues in 2023, correct? >> correct. >> the premiums on risk-based products make up 80% of united healthcare revenue? >> yes. >> the amount of that was over $290 billion in 2023? >> yes. >> that translate -- translates to those premiums every month? >> right. >> i dewpoint that out because while change was down and united healthcare wasn't paying down claims it would have received through the clearinghouse, providers around the country didn't stop their work and you did reference that they were spending money purchasing supplies and paying

salaries, keeping the lights on, but in many cases, unfortunately, payments want coming in, but at the same time that happened, united healthcare didn't stop taking in premiums while it was down and claims were unable to be processed through change healthcare? >> we did but perhaps i could just explain that we continue to be paid premiums but we also continued to pay on claims and united healthcare was a relatively small user of change healthcare. so united healthcare continued to be able to fulfill the vast majority of its claims during the month. >> okay. but all the payment to providers wasn't happening at that time, correct? >> for a very small fraction for united healthcare but for other payers there was more disruption. >> right.

okay. now, in the weeks after the attack, united health group through its financial arm began making loans to providers who used this so as of march 27 as recorded in the media, united health group paid out advances of $3.3 billion to providers affected. i do now understand even more has been paid out and it was originally structured requiring repayment within five days of receiving notice and allowed financial services to take back funds without advanced communication. do you think those terms were fair, and are those those -- terms you would use? >> they were at the very beginning of the loan program. immediately, we realized they weren't appropriate and we did get some good feedback from providers, which is why we eliminated all of those terms,

and, essentially, the program in place and has been for several weeks now and represents the bulk of the payments, has none of those terms associated. i do fully accept that was a misstep in terms of how we design that. >> would you say your terms now are fair or treating providers fairly and aren't necessarily auditing or denying providers claims? >> i do believe that. as we have in place today interest free no fee loans and essentially based on the providers declaration of the impact they have suffered so not dependent on our assessment, they define what they need. we advance those loans. they only need to repay those loans 45 business days after they have confirmed they are back to cash flow normal. >> those are clearly more favorable toward these entities. and i do appreciate your

changing that. i will reserve the right to ask additional questions if i do hear otherwise from the providers and i yield back. >> of course, thank you. >> we recognize mr. guthrie for his five minutes of questioning. >> thank you. according to the united healthcare update your systems are functioning at 86% preincident doubles and your eligibility criteria systems are functioning at 80% and when you expect these core functions to be fully restored, and what do these delays getting them fully restored mean in practice what >> thank you for question. we have made progress in bring in most of the core functionality back to very high restoration. for example, main claims, eligibility and the like. change healthcare has several different clearinghouses. the residual part of some of

that restoration is associated with remediated or restoring the last of those, in fact, the oldest piece of technology within the change network, that is why that 86 is not 100. >> what, in practice, does this mean for payers, receivers? >> for those folks who were on those very old systems, if they have been able to connect to a different system, right now, we are able to connect them into platforms that are brought back online already or a competitor of change so they can get running in a very small number , a very small number of folks who cannot do any of those options then we provide, continue to provide the loan guarantee service until we get that fixed over the next few weeks. >> i have a similar question, it was created over time and

has older technology. i assume there is not another portal that could be exploited. >> the uhc policy is mfa protection at the external interfaces. that is something we have been very rigorous about. i feel very good about where we are. >> there is not another legacy, there is not of the legacy equipment? >> we are relentlessly trying to extinguish that possibility. we use third parties to make sure that occurs. i would also say reconstruction of change, one of the reasons it has taken longer than you may expect to bring back change is because we are building much of this platform from scratch with brand-new technologies that are cloud-based, much greater built-in security capabilities than anything that preexisted the attack. both in terms of diligence around protection to that question but also we are redesigning and constructing

platforms, that is also building in greater strength. at the same time, we continue to be under enormous attack, just like everybody else in health care. >> thank you. in december 23 through, the fbi, hhc and infrastructure security agency issued a joint security alert of a sophisticated russian hacker black cat in critical infrastructure, especially, as you just mentioned, healthcare systems, including where mitigation has created breaches. the change was adopted for the mitigation recommendations and which of these are already in place x >> across the uht, we certainly have those sorts of protections in place. unfortunately, in this particular case, there was a server within change, which were a reason was trying to investigate why did not have

that protection in place. is this the first breach since united healthcare acquired change healthcare? if not, i will go ahead and asked my second question to that. if not, what steps were previously taken? >> every time, sorry, sir. every time we have had either a breach, we go back and look at lessons learned and how we can strengthen sequentially to continuous raising our standards, potential levels, new approaches. we are also

dealing with a threat and a series of threat actors that continuously change their targets and approach of the way they do it. every time we go back and do root cause analysis and then figure out how to solve for that, of course, we are doing that right now. we are expediting it because of this change situation. we already brought in a new series, actual levels of screening for the company. we brought in a third party, third party leaders inside cybersecurity to actively permanently work inside her own security organization so we have more organizations screening everything as an example. >> thank you for i don't have enough time for the second question so i will yield back i second . >> now i will recognize the gentle lady of illinois for her five minutes of questioning. >> thank you, mr. chairman. i have three questions. i will last them all because i want to make sure i get them all asked. i think they are very simple. i want to tell you about a constituent, peggy. she is from my district. she spent an entire weekend without her medications. she had to drive 40 miles to get a doctor's certification that she can get her prescriptions and some patients, because of,

you know, the situations you have had, have had to pay even thousands of dollars. i wanted to know, for my first question, how you are, as united, is planning to compensate these constituents and these people? i think that question was asked but i would like to hear it again. i have another constituent, my second question, beth is, runs a mental health clinic that addresses pregnant mothers. because of the cyberattack, chic, um, is now in a very serious situation, in terms of making her program work at all.

she is in desperate need right now. so question two was, what is united doing to address the problems that these providers are experiencing right now? and last, there is this question. um, you, um , let's see. i am trying to find it. um, okay, that is it. okay. i am sorry. um, let me check the time here. i've got it. um, what is the first one? okay. um, yeah , change healthcare,

of course, suffered from this very bad, what is it? actually, the data breach that i wanted to talk to about. here we go. united had promised earlier that it would have absolutely robust security. so the final question is, why should we feel confident right now that there are not going to be those kinds of data breaches and, also, i wanted to ask, if any united employees have gotten their hands on any of the data from consumers? >> thank you very much for the

questions. let me say how sorry i am to hear about peggy, your constituent in the first example you gave. i am aware of a number of patients who had similar inconveniences and difficulties getting their medicines. several things we are trying to do. first of all, we are making sure the pharmacies are held harmless if they have dispensed a medicine without knowing if it would be of benefit or not so the patient would not be exposed to that. if there's anything we can do to help when it comes to this particular patient, we will be happy to help. >> i am going to let you know. >> absolutely. the mental health installment, that would be very much qualified for our interest-free loans to help manage, to help cover their cash flow needs until they resume. again, we can help very directly. >> these are loans?

at what rate? >> excuse me? >> is there a rate? >> no. it is free at no cost. they don't have to pay until business is back to normal under therein -- therein. in terms of reassurance, many things we have done, maybe the most important thing to share with you is bringing in of the lead in cybersecurity external operations at overseas this security environment to make sure -- >> have any employees ever gotten hold of that data? >> i am sorry, i am not sure i know what you mean, got hold of the data. >> well, if we are talking about these kind of data breaches, wondering, that no employees, they didn't get any

of that information. >> i am not aware of any employees getting the information. we have retrieved the information, which allows us now to investigate it to notify people. employees are looking at it from that point of view under the process of notification. >> thank you. >> now i recognize the chair. mr. duncan of south carolina. >> it has been a long day with but chair, thank you for holding this important hearing for your leadership on oversight matters. mr. witty, i represent a rural district of south carolina that allows your services, whether that is community pharmacist, community faith leaders, there are services. constituents in the third district of south carolina rely on these providers to improve or maintain their quality of life. providers need to know they can trust or rely on your services without delay. and to process their healthcare transactions. during the first two weeks following the attack, if

smaller providers in financial need wanted to communicate with change healthcare, how did they do so? >> during the first couple of weeks through their service representative would probably have been the best approach. one of the challenges, i think, we have realized through all of this, many small providers did not have a direct relationship with change or even united front would operate through an intermediary company. >> they could cut this might not call you directly or email you? >> we made sure, as soon as we understood what was happening here in the destruction was going to be more than very brief, we set up weekly and oftentimes more than once a week briefing calls for participants in the marketplace and also made available various website sources of information. >> was every provider that reached out to change healthcare after february 21st responded to? >> i hope so. i would hope that would be the

case, but -- >> so no provider was left in the dark when they reached out? >> we, our goal was to try to be as responsive as we could to every provider that reached out to us. i know at the beginning there were some providers who were frustrated, for example, the terms and conditions of the loan program and i will just repeat again that is why we changed those terms and conditions. i know for some providers they reached in and did not like what they heard, they were disappointed by that and i am sorry about that. that is why we changed those programs completely to eliminate those restrictive terms and conditions. >> were you able to testify on the february 21st incident that it is as good as today as it

was two weeks after the incident? >> i think we have continued to try to improve at every stage how we communicate. in their early days, i am sure there are lessons we can learn to do better. i think one of the challenges, which we had with that in this attack, our customer database with change healthcare was encrypted in the attack. we were somewhat blinded to our ability to communicate with people. we continue to reach out. we have sent out hundreds of thousands of emails, we used our jik three healthcare bulletin to communicate, we reached out to other associations we asked them to reach out. as i said, we have run a number of actual calls to get the word out where service was, for example, the loan program to make sure providers knew about it. i accept that is a risk people don't need. y'all push a lot of information out being very receptive. mr. chama, i ask you now.

united health grapples with communications during 2024. >> we will take that up with the list. also, i had a patient trying to get life-saving medication, they struggled and i reference that recently. >> mr. witty, i.e. appreciate y'all being willing to push the information out. a lot of people were left in the dark and had no access to get their questions answered. i would recommend some sort of call center in some sort of communication. these folks know they have payments and process, they could have provided all information you are unable to get through your own system that was compromised and locked out. the customers know with they have in process. they know they have business with you guys and it would've been very helpful. going for it, setting up a system where those folks can

communicate with you directly versus just pushing information out, check marks on a computer screen and an x, these things have not been done, that might be a little better. i appreciate you being here. this is very informative. i yield back, mr. chair. >> the gentlemen yields back. i recognize dr. lin ruiz from california for his five minutes of questioning. >> thank you, mr. chairman. i will take advantage of prior authorization here. prior authorization requirements can provide care earlier in the outage, providers expressed concerns that insurers were not appropriately modifying the prior authorization practices to help providers who could not process prior authorization during the outage. i am pleased that united healthcare waived or suspended certain prior authorization requirements for some medicare advantage plans and services

during the construction, prior authorization remained in effect for non-medicare advantage plans and some outpatient services. so, why, mr. witty, why did united health groups only suspend prior authorization for its medicare advantage plans and not all of its plans affected by the outage? >> mr. congressman, thank you for the question. you are absolutely correct. we did suspend temporarily our authorizations for medicare. that is really the one group, the one part of our business where we essentially had the ability to make that decision very quickly. >> why did you decide it to do it for medicare advantage and not all of your plans? >> we did it for all of the medicare advantage plans. medicaid is a decision for the states. the states needed to make those decisions and for the commercial marketplace, that is an employer-based decision. >> okay.

march 27th, 2024 press release stated even with medicare advantage plans prior authorization would be in effect for medical equipment, medical procedures and part b step therapies. given the size of the disruption, why did united health group not way prior authorization for all of those affected by the outage? >> those are really where there are safety concerns and making sure appropriateness within the prior authorization programs, making sure that people have safe access to the appropriate care was important. we believe that by making their steps and i think cms felt good about what we were doing within that set of decisions we were making, we were making the maximum contribution we could to lift in prior authorizations. >> the same press release read that united healthcare would resume prior authorization on march 31st but as we know, some

change healthcare systems remained off-line beyond the 31st. is your company still offering prior authorization suspensions or waivers for users who systems are still off-line? >> thank you, sir. we actually did not bring them back on march 31st. we brought them back on april 15th, when the major systems were back. >> providers who took advantage of these flexibilities are understandably concerned they could be subject to commerce and audits and united healthcare could second-guess some of the decisions users had to make while you had your system there. this put a strain on time and resources, pitching only for small providers who already experienced tremendous hardships from the change disruption. can you provide any assurances your groups will not clawback services performed while prior authorization was waived for certain plans? >> i can certainly give you those assurances. speak back thank you, mr. witty. that is very important. very important. we will keep a close eye on the recovery process to make sure

all providers are able to resume operations and patients can be confident they have access to the care they need. with that, i yield back. >> the gentlemen yields back. mr. palmer of alabama, you are recognized for your questions . >> thank you, mr. chairman. mr. witty, based on the data sampling today, your company found files containing protected health information and protected information that could cover a substantial portion, what did you find those files, on the internet, the dark web? >> thank you very much for the question. um -- several weeks after the attack the chicks i just asked you. did you find it on the internet or the dark web? >> that is the data we were able to retrieve. we were able to retrieve a copy of the data that was within that investigation. >> you said it is likely to take several months. there is enough information to identify customers and individuals impacted. are you telling us that the fallout from your cyber hack

included persons? >> i think the operational impact we are talking about just now will practically be back to normal chicks i understand. i have a different point. i think my colleagues on both sides of the aisle have done a really good job addressing the customer impact and healthcare provider but there is another issue i am concerned about because for thousands of government employees, including many federal employees who have very high level security clearances, who are customers of united, or any of the government employees' healthcare records, who are federal government employees, part of the data files that were accessed by the hackers? >> so we continue to investigate those files.

we have not completed the process. >> well, you should know by now whether or not federal employees' files were accessed. >> so, what i would expect is that within the data, what we are seeing within the data is that it represents -- >> mr. witty, i understand you are trying to avoid a direct answer to a direct question. were there federal employees' records hacked ? it is important because if federal employees with national security clearances, high level security clearances, have their personal identifiable information, persists -- tickly their personal health records, do you understand the problems that can create from a national security perspective? >> absolutely, sir. i fully understand that. what i am asking you is to make it a priority to find those individuals and notify them. i think it is extremely important we do that, mr. chairman. can we get an assurance from

you that you will make that a top priority? particularly for people who work in top level positions in our national security? >> absolutely, sir. it is a priority, we are going as fast as we possibly can and we will get that information communicated as fast as we can. >> as i was saying, it raises serious concerns for me and the possible breach of national security if some of this information is handed over to adversarial nations. it is very likely it will be. i think this should be a top priority. i'm not just discounting the need to make sure your customers' records are protected, that there healthcare bills are paid for and their providers are compensated, but there is this next level that i think should

raise concern from every member of this committee. mr. chairman, i yield back. >> i 100% agree with you, sir. rest assured this is a top priority for us to deal with. >> also, you may want to get that information to our community as to what you are doing to make sure those folks know if there is a risk they might be looking at, blackmail or something else from an adversary. with that, the gentlemen yields back. >> thank you, mr. chair. first, let's take a moment to recognize that this breach has greatly impacted a lot of critical institutions, providers and patients in our communities. personally, i have heard directly from providers, hospitals, pharmacists, homecare providers and so many others of new york's 20th district. i want to make sure that everyone knows this is unacceptable, that we need to make sure there is accountability and oversight to ensure nothing like this happens again. with united health's announcement last week there was access to protected health

information for substantial portion of people in america and some of my worst fears are coming true. the sensitive health data of tens of millions of americans are at risk. that is why hip is so important. it establishes data security standards for covered entities like united help who can defend breaches against sensitive data. there are some flexibilities in determining how best to secure health information. it does require that companies, and i quote, protect any reasonably anticipated threats. your testimony points out an attack like this was. is it your position that united health group and change healthcare were fully compliant with the security rule? was that not being used or was there accessing your systems and they failed to detect and

prevent the attack? >> mr. congressman, thank you for the question. compliance with hipaa is a top priority for us as an organization. i believe across the organization we take it incredibly seriously. unfortunate, situation with the server did not have fha and that penetrated into change healthcare, which was a platform that had only recently become part of the company and was in the process of being upgraded. >> thank you. did unitedhealth group conduct any audits or other tests to ensure that change healthcare systems were fully compliant with hipaa security roles and in line with industry best practices? >> so, because change healthcare was a public company prior to acquisition, we were prohibited from doing any preacquisition at that time. before we acquired the company, we began to go through the process of understanding it. given the complexity, that

takes some time to do. was under way when this attack happened. >> thank you. hipaa also requires a risk analysis be conducted. that is part of your company's security management process to identify and address potential risk or protected health information. did change healthcare conduct such an analysis after being acquired by unitedhealth group? if so, when you change how that risk analysis is conducted going for to account for what went wrong? >> thank you very much for the question. certainly, we are reviewing full management of those types of risks to make sure we are not leaving any residual risks in that context, yes. >> hipaa require notification be filed with hhs office of civil rights, within 60 days, i believe, of any breach of

health information. more than two months after the attack, you still have not filed that mandatory notification. why have you not yet filed the breach in a vacation with hhs, even though you have been aware of a data breach for over 60 days and what do you intend to do to bring united health group into compliance? >> thank you very much for the question. at the beginning of this, which slowed us down is getting access to the data to understand what data and we did not have that until the middle of march. we have been working diligently with external third parties to understand that data. we are working with regulatory authorities. >> i appreciate that. we are still trying to grasp the full consequences of the cyberattack and the data that was compromised in the process. as a result, the health data that was stolen, harms to individual patients may continue far into the future.

rather than wait to find the findings of ongoing investigations by unitedhealth and hhs so there can be meaningful accountability and lessons across the industry. with that, mr. chair, i yield back. >> the gentlemen yields back. i recognize the lady from arizona , she is also the vice chair, thank you, ma'am. >> thank you very much. thank you for being here. i guess you have had a long day. i have, too. but you are on the hot seat, i guess. i have a couple questions. the first one, does united healthcare and change healthcare have its own cybersecurity employees? >> yes. yes. they do. yes, madam vice chair, yes. >> what vendors, if any, did you use when this breach happened? >> in terms of the response to the breach, number of different vendors, but most notably, i would say mandiant, palo alto systems, a company called

bishop falls but many others included. the significant technology company but from an advisory capacity and testing capacity, those groups. i might add, also, we have now asked mandiant to become a permanent advisor to the company and the board of directors to make sure we have the very, the most elite cybersecurity advice available. >> were they working when the breach happened? were they one of your vendors when it happened? >> those of the vendors who were brought in after the attack. >> i am just curious. i was just curious if there were vendors who were supposed to be cybersecurity for the company so that people would know if they are doing a good job or not. do you know who the vendors were? >> i am afraid i don't. i can get those names for you later though. >> that sounds great.

i think you said you have reviewed decisions on cybersecurity. have you come up with any analysis of how you will change things? besides using mandiant? >> thank you for the question. first of all, we have brought into the organization supplemental screening capabilities with third-party organizations, making sure that we have secondary and tertiary levels going on in the organization, in addition to her own capabilities. we are also reviewing, through our investigations, any lessons learned from this attack, which will obviously be implemented across united but we will share with other partners in the system. >> and did your insurance cover the cost of the ransomware x >> we are self-assured -- self in short in this situation. >> i have a switching of subjects a bed. does, i have gotten letters on

this, this is why i am asking it. does aarp get a paid percentage on your trained to united healthcare medicare advantage plan? do they get a cut of it? >> i do not have the details of that arrangement. it is a very long-standing, old arrangement. there is an economic relationship but i am afraid i do not have the details and i don't want to give you anything incorrect. >> can you make sure the committee has it. i'm getting all kinds of letters about it. and there last, it is not a question, it is just a comment, this was a few years ago but when i was helping my mother sign up for medicare, she, it was very difficult, all right? she ended up using the trained to united healthcare, medicare advantage plan.

but i have to say the listings of the insurance companies for the doctors is not very accurate. like who was covered. for instance, i remember, it was listed, a doctor was listed as a primary care doctor but when i called them to make sure they were still taking patients, they were a cancer specialist or something. i would encourage, not just your insurance company but all the insurance companies that it is extremely confusing for me, let alone my mother, my mother would not be able to to do it, i don't think, at all. if there is any way you guys could fix that, i would greatly appreciate it. >> i very much appreciate the observation and i agree with you. provider directories to make sure a patient, when they walk into the reception at the facility know they will be accepted is super important and

that is not good enough. we would love to see that improve. we are working our selves hard and we would like to work with policymakers on this, as well. it is really a national challenge. >> i appreciate you coming here. i know this is a problem but it is not just your company that has been breached. i probably get a letter, maybe every three months saying something has been hacked into my information. we will only give you a year's worth of credit monitoring. that will not help me very much but okay. it is not just your problem, it is a problem nationwide, worldwide. i don't know how we are going to address it but we've got to. thank you. >> the general lady yields back. you recognize the gentleman from california. >> this disruption has underscored the need for the healthcare system to invest in and maintain cybersecurity practices. in 2021, we saw this near my

home in san diego when there was a cyberattack and compromised patient data and loss more than $100 million in revenue. i reflect that we are in an economy of private actors and in many cases they are performing public functions. a public health care system, i don't advocate that but i do think we have to look out for the people in that healthcare system. much as when equifax had the breach in the lending area, we have to pay attention to that and now we are paying attention to how people get their news or if that is distorted distorted, tiktok, instagram or facebook, this is an important hearing. i know you were in the middle, still in the middle of your investigation but i hope at the end, i don't know, i would not intend to drag you back for another day of this fund but i would like to have the information to help us with

national standards we might use, other health systems, to make sure all the people are getting healthcare throughout the country and are protected from this kind of thing in the future. i hope you will commit to do that for us. >> mr. congressman, thank you very much for your comment and request. of course, i am very happy to share with you, appropriately, lessons learned in this. i would also like to reassure you the scale of our commitment in investing in security protection. that is not technology, that is cybersecurity. the groups which, i would really encourage some of the focus, as you described, policy reflection, some of the smaller and midsized organizations across the country just don't have that kind of investment in technology. i totally agree with your observation and you could help us, we would appreciate it. >> we appreciate your competition but this is a lessons learned. when this happens to one organization, i think it can affect the whole healthcare

system so it is critical pharmacies, providers, clinics, everyone able to quickly recover from breaches and keep health information safe from outside threats. again, recognizing you are in the middle of this, do you now know specific improvements that unitedhealth group will make to his protocol for cybersecurity to prevent other cyberattacks, specifically, what additional systems that require authentication, what different protections are now in place? what specifics do you know today? >> thank you very much for the question. may be just a couple of examples. certainly, enforcing enforcement of our policies to have multifactorial authentication and all of our external services and also enhanced screening capability to make sure they are constantly on and operational. that is number one. number two, as we rebuild the environment, we partition those

environments in ways we never envisioned in the last 15 years. in the way in which we design our systems, that will make them much less easy to navigate and we are focused on how we screen to make sure compliance with the policy we have, in addition to that, we brought in third-party screening organizations to give those a double check on making sure that any abnormal activity we spot as quickly as possible. >> when do you think you will have this solved? how you get your customers to be confident again? >> thank you very much for the question. that is very much a focus and why we decided to rebuild change essentially in a new environment and not try to resuscitate the old system.

it would've been very difficult, nearly impossible, to persuade people to reconnect to a system attacked with malware because of the risk of contagion or something like that. so we have endeavored to build new platforms. we have had those platforms tested by all the best cybersecurity companies in the country, including aggressive penetration testing to make sure they can withstand the highest levels of assault. we share that information with the key partners in the system that need to connect with us. >> the last question. what lessons you have for us on what hhs can take away from this with working with healthcare systems to support them and make sure they don't go through this again? >> first of all -- >> sorry, health and human services. >> we have a regular and ongoing relationship, but gently during this crisis. they were extraordinary supportive and forward leaning. we will work together on things like communication to providers and the question that came up earlier, i think that is an area where we could work

together to figure out how to communicate more rapidly through the system and i think making sure, well, let me say that would probably be my top recommendations. i recognize my time's up. >> my time's up. thank you, mr. chairman. the gentleman yields back. the congressman from indiana has five minutes of questioning. >> some of my comments will be tainted by that. you could not investigate change healthcare before you purchase them to find out if they had an insufficient cyber program and they were not in compliance with federal recommendations that mr. guthrie recommended? could not find that out? >> sorry, during the acquisition phase, and as you may know, that was a long process, that would be regarded in terms of an engagement. you really have to kind of a

closed wall between the two companies until after the transaction. >> if you buy a house you want to know if the sewer line is bad before you buy it, right? i firmly believe the consolidation of healthcare is not a good thing, okay? it has led to increased costs, you know that, even though everybody says it, it does not, we know that. increase bureaucratic problems, um, there's a very common and ultimately, in my view, less quality care. it doesn't matter the industry. doesn't matter the industry, less competition does not encourage better quality service or products. it just doesn't. in healthcare, it is on steroids right now across the country. my understanding is that most plants have deadlines, something like 60 or 90 days for providers to file claims for reimbursement, is that correct? >> yes, that is typically correct.

>> if i have a small clinic, claims through change, since the attack, claims are filed manually, obviously takes a lot longer. they didn't feel like they had the ability to change clearinghouses. my understanding is that these clinics might have a filing deadline suspended or at least extended from whatever their standard is. i realize trained to is part of united healthcare but in your case, have you communicated with any providers who expressed similar concerns and do you intend to extend the time of filing deadlines for unitedhealth claims? >> yes, sir. we have extended deadlines, yes. >> to me, it would be reasonable to extend them to six months or something but waving them, i understand. you may or may not want to comment on this but should other health plans extend, those that participate in change healthcare, extend their deadlines until we can be completely confident this is fixed? >> thank you very much for the

question. it would be appropriate -- it would not be appropriate for me to talk about what other health insurance should or should not do. we try to offer every support and service and lift administrative complexities and that is what we have been doing. >> my recommendation to all health plans affected by this is to extend your deadlines because when you start denying claims for that, whoever does that is probably going to be sitting in your chair answering why. i am just recommending that to everyone out there listening to this. providers that have financially existed because of the breach, then they file their claims late, i can see a circumstance where than there will be a call back. what you have described, that won't happen from united healthcare but it will happen on some level in congress where

we will have a hearing on this. i highly recommend people seriously consider giving people more time to file their claims if they have been impacted by this. also, somebody brought this up earlier. you know, i have heard from providers that provider assisted options from united to leave they give information beyond what is necessary. they say the terms of the agreement, united can simply change the terms and conditions simply by providing notice. that, to me, sounds like potentially an entity that wants to buy out clinics. your already answered that question, it has not happened. i would highly recommend that anyone out there that is thinking about buying out clinics, based on they can't file their claims through

change may reconsider. again, they may be sitting in a congressional hearing to explain why they are doing that. so, have you read the oig report, the hhs-oig report on medicare advantage plans that work published in the less your two? do you know or are you aware of that? >> i don't know if i know the specific one you are going to refer to. >> the one that said claims were being denied 14% of the time by plans that would pay for traditional medicare. if your team has not read the oig report that talks about claim denials compared to traditional medicare, i suggest you do. you have providers out there, the number one name that comes up happens to be your company. we need to fix that. i have worked on prior authorization, i know dr. ruiz has talked about this. your indulgence, mr. chairman, couple more seconds. cs dealt with some of this but didn't go far enough. ma plans and it is very disturbing practice. i would recommend the team familiarize themselves with the hhs inspector general report as

it relates to this. i yield back. the gentleman yields back. i recognized the gentlewoman from d.c. >> thank you, mr. chairman and thank you, mr. witty and ranking member castor, who let me take her sea. first, let me just think dr. bucshon for his comments. we are on the same wavelength and hearing the same stories. you have been through a long day of questioning and i want to get right to the point. this change healthcare attack has been devastating. i'm extremely concerned we are just seeing the start of the impact of this cyber attack. not only have providers and hospitals been shortchanged reimbursement claims, not only have data been late, possibly sold to a foreign adversary, not only were patients at least temporarily unable to access her medications, i even read

some reports from utilities in my district they are unable to build and process payments because change was also there clearing house. so the effects of this hack are really far-reaching and, really, the consequence of unitedhealth group and the merger of change healthcare in 2022, the department of justice tried to block it because it would give change control over half of americans' health insurance claims. i think we all sympathize with this hack and what you have been through. i appreciate the efforts you have taken to help get through this. the reality is this massive, far-reaching attack has disproportionately impacted small and independent practices that were already struggling to stay afloat. united's advance payments have been appreciated, but insufficient. other providers have done nothing to help.

i will give you an example. balance physical therapy is a private practice in washington. the change attack has devastated them to the point where the owners had to mortgage their home in order to pay rent and make payroll. now that money has run out. mr. witty, your company reported $371 billion in revenue last year. do you want to hazard a guess as to how much balance physical therapy was paid in the first round? >> no. i yield to a. >> probably a good idea. $70. 70. you know, this, this is after your kind of revenues, seems like you have enough information to know when a

prior year you should be able to to do better than that and i know you said you won't rest until you get this ready. i guess one question for you, to make this right, it would be great to help repay that mortgage. when you help with things like that to make these companies hold? >> congresswoman, absolutely. let me hazard, i think what happened here, in fact, we don't have the ability of knowing how united healthcare flows and in the very early stages of this, because we were trying to help quickly, we tried to make some estimates. we undershot, in this case, we very much undershot. that physiotherapy clinic you are talking about, i am sure would be eligible for very substantial loan, which would cover the kind of challenges they had. that would be available interest-free at no cost, not

needing to be repaid until well after they are back to normal. >> thank you for saying that. i want to jump right to the part about loans. because another thing i am hearing in my district is that some of the loan conditions were very suspect. many people, many clinics, even hospitals, decided not to take these loans because there were clauses in there saying you cannot use any of your competitors, you would be asked to pay off the loan immediately. this could actually be used to, in a predatory way, almost, to put these clinics out of business. you know, united has a reputation for buying up clinics in trouble. i just want to hear if you will guarantee you will not damage these practices by not reimbursing them sufficiently and putting these unfair terms on them and this buying of the practice.

>> i can assure you, those terms you are referring to, were unfortunately included in the very start of this process. we realize very quickly that was mistaken we got rid of all the stars. all those terms are gone now. it is an incredibly simple process. there was also, to your second point, absolutely. we would never, we would never want to act opportunistically from this. where we have had agreements to acquire clinics, pre-existing cash flows before the attacks so a very good suggestion came up from the senate finance committee, which we will institute, to put a firewall between everybody who knows and has the ability or visibility to these loans to potentially work with clinics who want to join the organization to make sure that the risk you identify does not happen. >> thank you. i appreciate that. i will tell the clinics.

i yield back. >> i now recognize the gentleman from pennsylvania . you have five minutes of questioning. >> thank you for allowing me and thank you to our witness for peer. the change healthcare attack caused massive disruptions in patient care and resulted in severe problems for providers, pharmacies and hospitals trying to deal with the full impact of the hack on their daily operations. as we see increased consolidation in healthcare, i worry that incidences such as this will become increasingly more common. we have already seen consolidation drive up prices and decreased access to patient care. now, patients and physicians are encountering yet another cost. i might add, very significant cost, through the fallout from this cyber activity. mr. witty, side from your data business that is our main topic of the conversation today, your company is the largest for profit domestic health insurance company.

you also employ nearly 100,000 physicians in the u. s., making you the largest employer of positions in the country. to better understand your reach into my home state of pennsylvania, do you have the total number of employed physician in the commonwealth of pennsylvania? >> i am sarc my do not have that number. >> would you provide that to me and get back to us? >> yes. smith knowing the scope of united healthcare and what it has become, what impacted the attack have on other united entities and subsidiaries, aside from change? >> thank you very much for the question. there was no direct contagion of the attack or the change environment because of the way we shut down the connectivity which meant there was no threat to any part of united or any other organization that was working with change before the

attack. special most of the impact was, as i mentioned, on physicians, hospitals and patients. are you able to provide a breakdown on the total number of patients, doctors, pharmacies and hospitals that are pad a transaction impacted by the hack either today or follow up in writing? >> i think in the future we ought to be able to estimate that for you. >> thank you, we look forward to receiving that. what are the largest impact united healthcare has on every day care, prior authorization. in light of this cyber attack for which services do united healthcare suspend prior authorization requirements? please explain the rationale for suspending that prior authorization for some but not for of the services. >> thank you very much for the question. really in line with suggestions and recommendations from cms, we suspended medicare advantage prior authorization during the period of the acute phase of

this. they were restored on the 15th of april. >> so you did not suspend prior authorization requirements for employer clients? >> no. those are for the employees to make the decision. similarly, states to make the decision to medicate. >> it is my understanding the prior authorization requirements have now resumed, is that correct? >> on the 15th of april, correct. >> do you intend to pursue reimbursement for services provided during that suspension that would have normally required prior authorization it may have been janai? >> no. we will not. >> you will not? >> sorry, we will reimburse. we will not deny. >> in other words, with retroactive prior authorization reviews having completely waived medicare advantage claims? >> we have wait for that period. i think we have realized some

of the questions you have answer today do provide information that is so important moving forward, but the utilization has been suspended needs to be carefully review because prior authorization with the medicare advantage or an employer contract has impact, it delays care, it delays the ability for patients to seek that out. i think we could ask you to also follow up and carefully review how that prior authorization, how that has affected patient outcomes. i think that is something you from your perch at united, should be able to provide for us. >> mr. congressman, i would be happy to do that review. let me go further and say we are certainly willing to work with yourself and others on ideas on how we can further improve ensuring both best quality and safest care is delivered alongside eliminating

waste, which is really the historic origin a prior authorization, as you know. >> i think that was brought into the conversation. i think that is what i really want that direct answer to, to see how that prior authorization, since it has been suspended, to see that impact on patient care. i think many physicians serve on energy and commerce, like myself, there are many healthcare providers, i am sitting between two of them today, those are answers we would all like to say. again, mr. chairman, thank you. i yield back. smith the gentleman yields back. the gentle lady from iowa has five minutes of questioning. >> thank you very much, mr. chairman. thank you, mr. witty for testifying today. according to data for the american medical association, 80% of practices lost money from unpaid claims and had to use additional staff time. we already have that burden on small businesses as a small

practitioner coming to congress, neither doctors nor their nonphysician staff will receive any additional compensation for the time spent mitigating the attack. just like we are not compensated for the hours of prior authorization claims we have to to file do you find to be valid. this is the financial burden that americans, physicians and healthcare workers are already experiencing. in iowa, doctors are very hesitant to take advance payment dollars without confirmation their claims submissions will be paid at the rate submitted and are concerned they will be required to pay back more than what ultimately will be approved for payment once the backlog processing is completed. the survey also found that 55% of doctors said they had to use personal funds to cover practice expenses.

notably, the overall effects of the change attack have been most acutely felt by practices with 10 or fewer physicians. what is the advance payment program among small physician practices and what you plan to do to offer a more robust advance payments were put particular focus on small providers? >> madam congresswoman, thank you very much for the question. first of all, let me reassure you, we remain extremely focused on ensuring those smaller providers. we know the ones who oftentimes have the more technical challenge or limits to technical switching and the like to do that, which is why we made every effort we can to have the loan program and simplify the loan program and eliminate the unhelpful terms and conditions at the beginning. i can tell you about 142,000 tax id numbers have taken advantage of the loan program. i can't tell you how many providers are underneath that tent. they vary and move. 142,000, that is about one third of all the providers tims that were associated with change healthcare before the attacks.

i'd like to reiterate that program remains open, we are still issuing loans to folks who need it. although we are navigating to see some sub riders -- providers choose to pay us back. but it is still open. >> there only two platforms in the market and this committee has been concerned about consolidation in the healthcare marketplace. change in relay, they're both owned by fortune top 10 companies. in short, dig -- big data is big business. we have an interest in avoiding one or two points of failure in the healthcare system. how does united change help our

country compass that goal? >> i would make the point to actually change, and its business, was no different in terms of its footprint the day before the attack compared to the date before we acquire them. so change, this risk preexisted the acquisition of united. what was different was that united has the financial capacity to resolve this issue. and i believe, to rebuild change into a much more modern and safer platform. i do believe the issue of risk actually existed when it was quite a small independent business more public company, but small public company. it came into the organization and very unfortunately this attack occurred in the early days. >> i'm going to take a different tact, this is a problem i had in state government as a state senator, as a physician provider in a role committee and that many people explain to me.

what pbm's, when it comes to step therapy, switching of medications in which patients are compliant and do well, this is especially true for different providers, and the ultimate risk and cost to the healthcare system in trying to save a medication, having to revert back to a less expensive medication when you finally have compliance on the medication in a patient leading to increased hospitalization, er visits and back to the same medication that an insurance company changed, the pbm changed when a doctor had already prescribed a medication for which they are successful. will you work with us what you're doing on step therapy, changing and formularies, which is a tremendous problem and great cost to the healthcare system being made, by insurance executives rather than providers? >> yes, within our pbm we rely on a independent midi to advise but i also recognize the sort of situations you described

occur and i am happy to commit to us working for ways in which we can improve that. we ought to be able to do that. >> now recognize gentle lady from florida. >> leave it to a gator to beat a dog. sorry that is college football stuff. thank you, mr. chairman for holding this important hearing. think you mr., is it mr. witty , for appearing before us. april 3, 2024 wall street journal article my colleague submitted for the record submitted stated some who have taken loans from the company, unitedhealth, to help with shortfalls felt they have been having to make up the public statements about the support. do you know if anyone at unitedhealth, optima or change

healthcare communicated to smaller providers seeking financial assistance that they should make positive or upbeat public statements about the company? >> my understanding is that people from the company spoke to folks who had received loans and asked them if they would help spread the word because we were very keen to get other small providers aware of the program. we knew that was an issue. i understand that newspaper article, folks listened to whatever was there, the information associated and i am not convinced that accurately represent of the situation. >> specifically to what you were saying, that there had been some sort of encouragement going on, you know specifically who or what department would communicate that? >> i do not, i'm afraid. >> could you find out and submit back for the record?

>> i'm sure we can find out. >> are you aware if unitedhealth made receiving a financial unconditional and a provider making a positive public statement about unitedhealth? >> i've never heard anything like that? that should not happen and i would be very disappointed if that ever happened. as far as i'm aware it is not of any approval criteria. >> is there any formal investigation or looking into the you will do to ensure that that is not in fact the case? >> i will absolutely undertake to double check that. >> can you give us a timeline of when you'll be able to report back to us on that particular issue? >> i will double check that in the next week. >> okay. did you know or authorize anyone to encourage smaller providers to seek, seeking loan assistance to making positive statement about the company? talking about the smaller ones? >> nothing really additional to what i have already said. >> i was trying to gauge the bigger guys versus little guys. and, let me see, can you confirm if this public reporting is true, speaking about you didn't think it was

accurate, talking about that particular article, that another cyber criminal group splintered off from black cat and is threatening to release patient data from the february 21 incident, is that true? >> so, i am aware of a splinter group like that which was making statements, i would say, up until the last couple of weeks. but i am not aware of them still making statements. >> okay. and aside from black cat, has there been any other cyber criminal that has threatened unitedhealth or asked you to pay a ransom related to the data from the february 1 -- 21st attack? >> not further than what i just said. >> all right. with that, mr. chairman, i have no further questions. i appreciate your testimony and i yield. >> now recognizing the gentleman from george's. mr. carter, five minutes of questioning. >> thank you, mr. chairman.

i practiced dependent retail pharmacy for over 40 years, my own business for 32 years. one of the main focuses have set as my goal is a member of congress when i started 10 years ago was to address the vertical integration that exists in healthcare, specifically in drug pricing, or the insurance company owns the pbm, owns the group interesting, owns the pharmacy that owns the doctor, and in your case you are the largest for-profit domestic health insurance company in the country as has been pointed out with 10,000 physicians and owning your own pharmacy and one of the largest pbm in the country. can you explain how your company can justify these clear conflicts of interest? >> first of all, thank you for the question and the challenge. i appreciate that. we operate our organization with very clear firewalls

between the organization. we are guided around a mission of trying to align incentives in the system to try to eliminate waste and abuse and to try to deliver value-based care to individuals. we know that when that happens, clinical outcomes improve and we believe the cost goes down for people involved in that process. that is what we focus on through the organization. and as we look at the components of unitedhealth group, we have a presence in many different areas as you rightly say, we are also not present in many other areas. we have the hospitals. >> how do you define anticompetitive practices? you consider any of these to be anticompetitive? >> no, i do not. >> so when a pbm owns a pharmacy, that is not anti- competitive? do you actually, you have plans to incentivize or require patients to use your pharmacy or to -- over and independent pharmacy? >> not to incentivizing.

we offer alternatives. for example, mail order pharmacy. >> are you aware that there over 300 pharmacies that went out of business last year? are you aware also, and i'm sure you won't be, earlier this afternoon i had a call with a pharmacist from pennsylvania who told me that 70 pharmacies have closed in the first four months of this year in pennsylvania alone. 70 independent pharmacies. is the reimbursement the same for an independent retail pharmacy as it is for your pharmacy? for your mail order pharmacy? >> yes or no. >> i think they are very different structures. >> is the reimbursement the same? >> they are very different structures. i don't think i can give you a direct answer today. i can certainly go back -- >> if you would get me that information i would appreciate it. are you aware, and i am sure

you are, the federal trade commission after asking them, since the time i got appear to look at the conflict of interest that they have launched an inquiry into the egregious practices of the largest six abms and the impact they are having on independent retail pharmacies? >> i believe the pbms -- >> are you aware of the study? >> i am aware of the study. >> have you been cooperating? have you responded and complied with the ftc request for information? >> is better practice, we don't comment our engagement with those sorts of programs. >> but you will comply? and you will cooperate? >> we always aim to comply with any appropriate government body. >> let me ask you something, the cyber attack, and certainly this is have an impact, i believe there was a member of your team who was at the doctors caucus a couple weeks ago, and made the comment that they responded quickly to the pharmacies and got them back up

and running. and i asked them to define quickly and that was two weeks. two weeks for a patient without medicine is a long time. i think we would all agree with that. look, everyone, you, me, democrats, republicans, independents, we all want the same thing. we want accessible, affordable, quality healthcare. and accessibility is being impacted by the vertical integration that exists in the drug pricing changing in healthcare in general. you can see with this chart right here. you are the largest of all of them. and that's fine, i get it, i know this capitalistic society. this to me is a direct conflict of interest. i want to ask you one other thing, since the start of the cyber attack how many medical practices and pharmacies have you acquired? >> we have acquired just one medical practice in oregon. >> just one since the start of the cyber attack? >> correct. the transaction was agreed before the attack.

>> okay, if we look at the records, we are going to find out what you're saying is you haven't acquired any during the time of the cyber attack. >> we have acquired one in oregon and added two ipas tour network. as far as i'm aware those are the only additions that have occurred. i just want to reassure you that any valuations or assessments of those businesses are based on the economics before the attack took place. we would never try to take advantage of this. >> i hope, and have no other reason to believe but you're telling me the truth, but at the same time, obviously, i'm passionate about this. and passionate about healthcare in general. i did practice for 40 years. i want to make sure patients have accessibility. and pharmacists are the most accessible healthcare professionals in america. and we are going out of business. >> perhaps, so please let me offer, and i would generally, i worked along side pharmacists my whole career, i very much

want to make the offer to work with you and how we can work together to strengthen retail pharmacy, particularly in the smaller pharmacists. and it's an area where often we are trying to do more investment to support the small pharmacies -- >> i appreciate your offer, but let me assure you i'm going to continue to work the bus this up. this vertical integration that exists in healthcare in general has got to end. thank you, mr. chairman, i yield back. >> thank you, i appreciate you yielding back. we would love continue discussion on pbms but that was not today's hearing. we appreciate your openness on that. seeing there are no further members wishing to ask questions, i would like to think our witness again for being here today. unanimous consent to insert the records on the list which the ranking member and i have gone over. without objection that will be the order. pursuant to the rules and provide members 10 business days to submit additional questions for the record and

ask witnesses, the witness to submit his response within 10 business days upon receipt of those questions. without objection, the subcommittee is adjourned.

on thursday interior secretary testified on the president's budget request for her agency. before the senate energy resources committee. watch the hearing, live, at 10:00 eastern on c-span three. c-span, mobile video app or online. c-span.org. >> friday night watch c-span 2024 campaign trail. weekly roundup of campaign coverage providing a one-stop shop to discover with the candidates across the country sent to voters. along with firsthand accounts from political reporters, updated poll numbers and fundraising data in campaign ads. watch c-span 2024 campaign trail friday night at 7:30 pm eastern. online, or download as a podcast

on c-span now, or every get your podcasts. c-span, your unfiltered view of politics. >> do you solemnly swear that in the testimony you're about to give it will be the truth, the whole truth? -- >> congress investigates as we explore major investigations in our country's history. each week the stories will be told, historic footage and we will examine the impact and legacy of key congressional hearings. this week the 1975 senate committee hearings led by senator frank church examining alleged abuses with the u.s. intelligence committee. watch congress investigates on c-span too.