UnitedHealth data breach caused by lack of multifactor authentication, CEO says

May 2, 2024


Hackers breached the computer system of a UnitedHealth Group subsidiary and released ransomware after stealing someone’s password, CEO Andrew Witty testified Wednesday on Capitol Hill. Cybercriminals entered through a portal that did not have multi-factor authentication (MFA) enabled.

During an hour-long congressional hearing, Witty told lawmakers that the company has not yet determined how many patients and healthcare professionals were affected by the cyberattack on Change Healthcare in February. The hearing focused on how hackers were able to gain access to Change Healthcare, a separate division of UnitedHealth that the company acquired in October 2022. Members of the House Energy and Commerce Committee asked Witty why the nation’s largest health insurer did not have basic cybersecurity safeguards in place before the attack.

“Change Healthcare was a relatively older company with older technologies that we had been working to update since the acquisition,” Witty said. “But for some reason, which we continue to investigate, this particular server did not have MFA.”

Multi-factor authentication adds a second layer of security to password-protected accounts by having users enter an automatically generated code sent to their phone or email. A common feature in applications, it is used to protect customer accounts from hackers who obtain or guess passwords. Witty said all Change Healthcare logins now have multi-factor authentication enabled.

The cyberattack came from the Russia-based ALPHV, or BlackCat, ransomware gang. The group itself claimed responsibility for the attack, claiming it stole more than six terabytes of data, including “sensitive” medical records. The attack triggered a disruption in payment and claims processing across the country, overwhelming medical practices and healthcare systems by interfering with their ability to file claims and receive payments.

Witty confirmed Wednesday that UnitedHealth paid a $22 million ransom in the form of bitcoin to BlackCat, a decision he made on his own, according to testimony prepared before the hearing. Despite the ransom payment, lawmakers said Wednesday that some of the patients’ confidential records were still posted by hackers on the dark web.

Paying the ransom “was one of the hardest decisions I’ve ever had to make and I wouldn’t wish it on anyone,” Witty said.

The scale of the attack – Change Healthcare processes 15 billion transactions per year, according to the American Hospital Association – meant that even patients who were not UnitedHealth customers were potentially affected. The company said earlier this month that personal information that could cover a “substantial portion of people in America” may have been obtained in the attack.

The breach has already cost UnitedHealth Group nearly $900 million, company officials said when reporting first-quarter earnings last week, not including the ransom paid.

Ransomware attacks, which involve disabling a target’s computer systems, have become increasingly common in the healthcare sector. The annual number of ransomware attacks against hospitals and other healthcare providers doubled from 2016 to 2021, according to a 2022 study published in the JAMA Health Forum.
