NASS Insider

May 07, 2024

Congressional Committees Spotlight Change Healthcare Cyberattack Disruption

Lawmakers on Capitol Hill continue to investigate the February cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group Inc., and its impact on patients and providers. The House Energy and Commerce Subcommittee on Health convened a hearing on April 16 focused on health care cybersecurity in the wake of the Change Healthcare attack. During the hearing, panel members heard testimony from Dr. Adam Bruggeman, an orthopedic spine surgeon, who shared his firsthand experience with the cyberattack and the effects it had on his own and his colleagues' practices. Panel members also heard testimony from the Healthcare Sector Coordinating Council, the American Hospital Association, the College of Healthcare Information Management Executives, and CrowdStrike, a cybersecurity technology company. Much of the discussion focused on how to appropriately strengthen cybersecurity across the health care sector and on the risks posed by growing consolidation in the health care market.

The bipartisan leaders of Energy and Commerce also sent a letter to UnitedHealth Group seeking further information about the attack. “The health care system is rapidly consolidating at virtually every level, creating fewer redundancies and more vulnerability to the entire system if an entity with significant market share at any level of the system is compromised,” the committee leaders wrote. “In order to understand better the steps UnitedHealth has taken to address this situation, we request information about the impact of the cyberattack, the actions the company is taking to secure its systems, and the outreach to the health care community in the aftermath.”

On May 1, UnitedHealth’s CEO Andrew Witty testified before both the Senate Finance Committee and the Energy and Commerce Subcommittee on Oversight and Investigations to discuss the cyberattack and how it impacts patients and providers. He provided information on how the company is improving cybersecurity, but he indicated that the scope of the records affected is still not fully determined. He acknowledged delays in helping affected providers but stated that the company was committed to providing interest-free loans to affected providers moving forward. In advance of the congressional hearings, the Congressional Research Service, a public policy research institute of the U.S. Congress, released a report detailing background on the attack and the federal government’s response, and outlining policy issues for lawmakers to consider.