Following the cyberattack on Change Healthcare, UnitedHealth Group CEO Andrew Witty told senators on Wednesday that all its internet-exposed systems now use multi-factor authentication (MFA).
Cybercriminals exploited the lack of MFA in the ransomware attack on Change Healthcare earlier this year, which affected pharmacies, hospitals, and doctors' offices worldwide. With MFA, a second code is required even when credentials are compromised, which prevents unwanted access.
In pre-hearing testimony on Tuesday, ahead of two Congressional sessions, Witty said hackers used stolen credentials to breach a Change Healthcare server that was not protected by MFA, as reported by TechCrunch. Hackers used this initial access to penetrate other computers, steal data, and encrypt the systems with ransomware.
Andrew Witty faced questions about the hack during the first Senate Finance Committee hearing. In response to Senator Ron Wyden, Witty confirmed that MFA is in place on all UnitedHealth Group external-facing systems.
Anthony Marusic, UnitedHealth Group's spokesperson, confirmed Witty's remark that MFA is a company-wide policy.
Witty Admits There Was a Cybersecurity Mistake
Witty attributed Change Healthcare's MFA-free systems to ongoing modifications after UnitedHealth Group's 2022 purchase. Witty expressed regret over the data breach and emphasized the importance of figuring out why MFA was not enabled on the vulnerable server.
Senator Wyden blamed the security vulnerability on the company's policy violations.
UnitedHealth Group has not notified impacted individuals because it first needs to analyze the extent of the hack and the exposed data. Witty testified that the company paid $22 million to hackers.
Witty will speak before the House Energy and Commerce Committee on Tuesday, May 2, with further developments expected.
At the hearing, Andrew Witty explained the hack and his reaction. Cybercriminals infiltrated Change's computers on February 12, nine days before UnitedHealth realized they needed to shut them down. Witty noted the company's quick response to limit the cyber assault, preventing it from spreading to Optum, a pharmacy benefit manager, according to The New York Times.
Witty noted that United alone sees attempted intrusions every 70 seconds, highlighting the healthcare sector's general susceptibility to cyberattacks. Eighteen months after purchasing Change, United had not fully upgraded its "legacy technologies," leaving Change's systems vulnerable.
During the session, UnitedHealth's top executive sympathized with providers who were unwilling to use Change's services. He stated that the protracted recovery period was necessary to rebuild the platform from scratch and remove any contaminated environment from the new technologies.
Other Issues Raised by Lawmakers
Senators also discussed healthcare consolidation in connection with United's 2022 acquisition of the Change Network. A federal judge sided with United against the Justice Department's claim that the acquisition was anticompetitive.
Senator Elizabeth Warren starkly described UnitedHealth as "a monopoly on steroids," highlighting its staggering 11th-largest global presence and control over one in 10 doctors. She further alleged that UnitedHealth exploited the breach to expand its influence over physicians' practices.
Andrew Witty countered Warren by citing fields in which United does not operate. He underlined that, despite its size, United does not own US hospitals or medication makers.
TechTimes previously reported that UnitedHealth has acknowledged a significant breach, a ransomware assault on its subsidiary, Change Healthcare, which has potentially compromised the health data of numerous Americans.
According to the health insurance company, targeted data sampling has initially found files with PII or PHI, possibly affecting a large section of the US population.
UnitedHealth expects the complicated data to take months to analyze. The organization offers rapid service and strong security. It collaborates with industry experts to identify cyberattack-affected data and provide assistance as soon as possible.