Skip to content
    Thomas JankowskiThomas Jankowski — home
    Back to writing
    March 15, 2025 · updated May 8, 2026 · 2 min read

    Witty testified. The policy window opened. Nobody filed the receipt.

    Witty testified. The policy window opened. Nobody filed the receipt — by Thomas Jankowski, aided by AI
    Window opened, no receipt filed— TJ x AI

    A UHG investor-relations VP opens the Q1 2025 earnings draft on a Tuesday morning. The cyberattack-effects line item absorbs another $300M+ this quarter, the fifth consecutive quarter of similar absorption. The Witty testimony from May 2024 is no longer a current-cycle narrative — it's a footnote on the litigation reserve. Outside the building, the federal rule that should have followed the testimony has not shipped. Inside the building, the litigation environment has done the work the regulator did not.

    That gap is the operating story.

    Andrew Witty testified before Senate Finance and House Energy & Commerce on May 1, 2024, on the Change Healthcare breach. The hearings were televised. Senator Wyden's framing — "this hack could have been stopped with cybersecurity 101" — became the political reading. The trade press wrote it up as the moment the policy class engaged seriously with healthcare-cybersecurity infrastructure.

    Ten months later, the durable read is sharper. The policy window opened. Nobody filed the receipt.

    What that means, operationally: the political and regulatory infrastructure had a window in mid-to-late 2024 to ship a federal rule on healthcare-data-clearinghouse cybersecurity, on payor-system-of-record consolidation, on the structural fragility that made one company's breach a national-healthcare-payments outage. Through 2024 the breach metastasized into class actions, state-AG investigations (Nebraska survived motion-to-dismiss; others are pending), and routine quarterly UHG earnings absorption of $0.3B+ in unfavorable cyberattack effects per quarter. Through early 2025 no federal rule shipped on the question.

    The policy class engaged with the testimony. The regulatory class did not act on it. The expectation, after the testimony, was that the federal frame would tighten on healthcare-clearinghouse concentration, on cybersecurity standards for systems-of-record at scale, on disclosure requirements for breach-impact at the patient-affected-count level. Some of those expectations were aspirational. Some were procedural. None of them resulted in a federal rule by Q1 2025.

    What did happen: HHS issued voluntary cybersecurity guidance. CMS updated some technical-standards documents. State legislatures (Texas, California, New York) introduced state-level bills, most of which haven't passed. The litigation environment generated case law that incrementally tightened breach-notification standards. The structural concentration question — is it operating-good for one clearinghouse to handle ~94% of U.S. healthcare claims — got asked by Wyden in May, raised in trade-press think pieces through fall, and then mostly dropped from federal-policy attention by year-end.

    What the operator-class category looks like in early 2025 is functionally identical to the pre-breach frame. The Witty hearings produced political theater and no operational change in the rules the operators have to comply with. What the litigation environment produced is the cybersecurity-standard upgrades that the federal rule would have driven. The mechanism is private-sector-litigation-pressure rather than federal-rulemaking. The cost is paid by the operator's litigation reserve rather than by the operator's compliance budget. Both are the same money in the end.

    What remains unaddressed is the structural concentration question. The clearinghouse market is still concentrated at the same level it was pre-breach. The operating-fragility that produced the 2024 outage has not been structurally remediated. The next outage of similar shape is, in operating terms, a matter of when rather than if. The policy class will engage with it again. Whether the next engagement produces a federal rule depends on the same political-regulatory dynamics that produced the no-rule outcome on this one.

    The read that survives is that Witty testified, the political class engaged, the regulatory class did not act, and the operator-grade category exited the window roughly where it entered. The receipt nobody filed is, in retrospect, the rule that should have followed the testimony. The rule did not follow. The window closed. The operator category continues operating on the pre-breach regulatory frame. The next breach, when it arrives, will reopen the question. By then the original window's lessons will be a footnote.

    —TJ