It was a Bad Day at Boot (Capitol) Hill for UnitedHealth Group’s CEO Andrew Witty. On May Day, he was the Man In The Arena facing two Congressional grillings–the first from the Senate Finance Committee in the morning, and the second in the afternoon from the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations. The precipitating event was the Optum/Change Healthcare data breach and system hacking by ALPHV/BlackCat, a disruption which is as of today not fully resolved.  Millions of patients may have had data stolen and exposed–a number that has yet to be determined, but an outcome for which UHG, while paying the ransomwaristes, has prepared. Already, the VA has notified 15 million veterans and families of that possibility.

This Editor will be linking below to multiple articles and Mr. Witty’s prepared testimony. Interested Readers can also refer to YouTube for extensive links to video testimony. Highlights:

• Both houses criticized the slow response and amount of financial assistance given to providers after the shutdown of Change’s systems prevented (and still is preventing) timely claims processing and payment. While ‘near normal’ volumes of medical claims and 86% restoration of payment processing sounds good, that leaves a lot of wiggle room on over two months of totally disrupted processing and payment. The billion or so cited sounds impressive but much of this is in loans. Most practices and groups simply do not have the financial cushion or billing skillset to bridge this disruption, to pay back loans, or to bookkeep this.
• Also criticized at this late date was UHG being unable to determine how many individuals had PHI exposed in the breach.
• As to cause, the description of UHG finding that surprise, surprise, Change’s systems were way out of date, stored on physical servers versus the cloud, and used Citrix remote access without multi-factor authentication (MFA) was utterly savaged. According to Mr. Witty, ALPHV after days of knocking around got in on the one server that did not have MFA authentication.

The blunt fact is that UHG had close to two years (January 2021-Oct 2022) before the buy closed. Due diligence consisting of a full audit had to have been done on Change’s IT systems. They processed what UHG wanted to buy. In this Editor’s estimation, Job #1! for UHG should have been ensuring that Change’s systems were hardened, then upgrading to what Mr. Witty called UnitedHealth’s standards. This Editor will go further. A minimum requirement for the sale should have been security hardening. There was time before the closing.

Senator Thom Tillis, R-North Carolina, had the best riposte. He brought a copy of “Hacking for Dummies” to the hearing, highlighting MFA. I doubt he was much moved by UHG now bringing in cybersecurity company Mandiant to both investigate and harden their systems, nor by UHG having to pay ransom, without knowing whose data was compromised.

• Beyond the breach, UHG was called ‘monopolistic’ by both Republican and Democrat Members. There were calls to break up UHG as not ‘too big to fail’. UHG has grown by acquisition and consolidation of services. As this Editor has speculated, this is likely coming to an end with the new, much more stringent Merger Guidelines. This sentiment paints a large, unmissable target on UHG’s back for aiming FTC’s and DOJ’s missiles. (DOJ also has a huge score to settle with UHG dating back to the failure to block the Change sale.)

By the end of the day, Mr. Witty looked quite the worse for wear–tie and collar askew, slightly sweaty, versus the perfect poses of the various Members. Becker’s, FierceHealthcare, Axios, HealthcareDive    Mr. Witty’s Senate testimony statement, House testimony statement

Speaking of data breaches, Kaiser Permanente reported a big one to Health and Human Services (HHS). This relates to ad tracker information shared with third-party advertisers such as Google, Microsoft, and X. Kaiser used it in secured areas of their website and mobile apps. Information disclosed could be name and IP. Kaiser reported it on 12 April but only disclosed on 25 April that 13.4 million records may have been affected. The ad trackers have since been removed. TechCrunch, FierceHealthcare 

Walgreens stock not recovering. April was WBA’s worst month in five years and May is no better, with the stock muddling around $17.50. The month slid around 18%. Their 52-week high was $33. As of now, CEO Tim Wentworth’s actions such as closing locations and writing down VillageMD haven’t convinced Mr. Market of WBA’s worth, but in fairness it’s early in his tenure. In the Insult to Injury Department, it was revealed that the IRS is seeking to claw back $2.7 billion in unpaid 2014-2017 taxes. Crain’s Chicago Business

Cigna is also writing down its interest in VillageMD. Almost forgotten is that in late 2022, Cigna invested $2.5 billion into VillageMD. They have now written down $1.8 billion of that ‘low teens’ ownership. The planned tie was connecting Village Medical into Evernorth, Cigna’s medical services area. It was also supposed to provide Cigna with an annual return on investment, but one assumes it did not. The writeoff threw Cigna’s Q1 into the red with a net loss of almost $300 million versus a prior year profit of $1.3 billion, despite a strong quarter that grew revenue 23% versus prior year to $57.3 billion. Healthcare Dive

Oracle Health has been successful–in shrinking Cerner by close to half. Records of employment at Cerner’s Kansas City-based operation have declined from 11,900 people in 2022 (Kansas City Area Development Council) to a current 6,400 (internal documents). Cerner itself reported 12,778 local full-time-equivalent employees in 2022. Oracle had multiple layoffs of Cerner affecting Kansas City workers and has consolidated multiple office buildings and campuses. Becker’s

In more cheerful news:

Baby monitor Owlet announced a strategic partnership with Wheel for Owlet’s BabySat. BabySat is Owlet’s FDA-cleared prescription vital signs monitor for infants 1-18 months. Wheel clinicians can now prescribe BabySat which enables parents to order BabySat from Owlet and other suppliers. With Wheel, BabySat also integrates with durable medical equipment (DME) suppliers who accept and can bill for the product through many insurance providers for partial or full reimbursement. Wheel is a virtual care platform and physician/nurse-practitioner online network available direct to consumer and to enterprises. Owlet release

And rounding up funding:

MidiHealth closed a $60M Series B funding. This was led by Emerson Collective with participation from Memorial Hermann, SemperVirens, Felicis, Icon Ventures, Black Angel Group, Gingerbread Capital, Able Partners, G9, and Operator Collective for a total of $99 million in funding. Midi provides virtual support for women going through peri- and full menopause. The fresh funding will help them expand national insurance coverage, hire and upskill an additional 150 clinicians by end of year, diversify service lines, and scale to care for 1 million+ women per year by 2029. Release

Trovo Health launched with $15 million in seed funding, led by Oak HC/FT. The NYC-based AI-powered provider task assistance platform will use the funding to build its technology platform, clinical operations, and leadership team. Mobihealthnews 

In the same roundup, NYC-based Alaffia Health scored a $10 million Series A round. This was led by FirstMark Capital with participation from Aperture Venture Capital. Alaffia creates generative AI solutions for payment integrity in health insurance claims operations, with the aim of eliminating insurance fraud, waste, and abuse for health plans, third-party administrators, self-insured employers, stop-loss carriers, and government agencies. Their total raise to date is $17.6 million. Paris-based Klineo also raised €2 million for its oncology clinical trials search platforms, assisted by AI, for the use of doctors and patients. BPIFrance and business angels participated in the round.