UnitedHealth CEO says the company paid $22M ransom to protect patient data in Change Healthcare cyberattack

Andrew Witty, chief executive officer, UnitedHealth Group, testified at two separate congressional hearings on Wednesday about what happened before and after the Change Healthcare cyberattack. He said the company has been working 24/7 on restoration efforts since February 21, the day of the ransomware attack.

Witty told senators in a two-hour hearing Wednesday morning that UnitedHealthcare paid a $22 million ransom in Bitcoin to try to protect patient data compromised in the attack on its subsidiary Change Healthcare, a software and data analytics firm. The data could affect a “substantial proportion of people in America.”

In a prepared statement, Witty told both the Senate Finance Committee and the House Energy and Commerce Committee Subcommittee on Oversight and Investigations, which held a hearing later Wednesday afternoon, that he made the decision to pay the ransom, calling it “one of the hardest decisions I’ve ever had to make.”

Witty said he was deeply sorry to all who were impacted by the attack, which compromised patients' personal information and disabled key services affecting patient care, including billing services, claims transmittals, and eligibility verifications.

“From the moment I learned of the intrusion, I felt a profound sense of responsibility to do everything we could to preserve access to care and support our customers and clients,” he said. “I want this committee and the American public to know that the people of UnitedHealth Group will not rest, I will not rest, until we fix this.”


Senate Finance Committee Chair Ron Wyden, D-Ore., said accountability for Change Healthcare’s failure starts at the top and that he could not understand why a company of UnitedHealthcare’s size failed to have multi-factor authentication on a server, which provided open-door access to protected health information. In addition, Wyden said the company’s recovery plans were “woefully inadequate.”

UnitedHealth’s Optum unit purchased Change Healthcare in October 2022 and Witty said it had not fully upgraded the firm’s older technologies, which made it vulnerable to the attack. He said that all external-facing systems now have multi-factor authentication enabled, which provides a second layer of security by having users enter an auto-generated code in addition to their passwords.

Witty said that UnitedHealth deters an attempted cyberattack every 70 seconds and has thwarted more than 450,000 intrusions per year. Criminals have developed more sophisticated and malicious methodologies and have increasingly targeted critical infrastructure. “These adversaries are willing to attack everything from community hospitals to pharmacies to networks like ours that enable the information exchange necessary to provide care,” he said.

On the morning of February 21, cybercriminals known as ALPHV or BlackCat successfully attacked Change Healthcare’s information technology environments, encrypting the company’s systems so staff could not access them. In response, and without knowing the entry point of the attack at the time, UnitedHealth immediately severed connectivity with Change’s data centers to eliminate the potential for malware to spread beyond Change to the broader health system. “It worked,” Witty said. “There has never been any evidence of spread beyond Change, not to any external environment and not to Optum, UnitedHealthcare or UnitedHealth Group.”

The company has since learned that on February 12, the cybercriminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication enabled. Once they gained access, they exfiltrated data and deployed ransomware nine days later.
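The two passages above describe the control that was missing on the Citrix portal and the form of multi-factor authentication UnitedHealth says it has since enabled: an auto-generated code entered alongside the password. The following is an added illustration, not code from UnitedHealth, Change Healthcare or Citrix, of how such a second factor is generated and checked under the standard time-based one-time password scheme (RFC 4226 HOTP and RFC 6238 TOTP). The user record, password and login function are constructed for the example; the shared secret `12345678901234567890` is the published RFC test secret, used so the results can be checked against the RFC's own vectors. The point it makes is the one Wyden raised: with a second factor in place, a stolen password alone does not open the portal.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock skew).
    Every candidate is compared in constant time."""
    counter = int(at_time) // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            matched = True
    return matched


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the TOTP secret.
    (A real deployment would keep the secret in an HSM or encrypted store.)"""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, at_time: int) -> bool:
    """Hypothetical portal login: both factors are always evaluated, so a wrong
    password and a wrong code take the same path and leak nothing about which failed."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 4226 / 6238 test secret
    user = make_user("correct horse battery", rfc_secret)
    now = 1111111109                               # fixed time from the RFC 6238 vectors
    print("stolen password, no code:", authenticate(user, "correct horse battery", "", now))
    print("stolen password + valid code:", authenticate(user, "correct horse battery", totp(rfc_secret, now), now))
```

The `window` parameter is the usual trade-off: one step of tolerance absorbs clock drift between the server and the authenticator, while widening it much further multiplies the number of codes an attacker could guess at any moment.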

Witty said files containing patients’ personal information were compromised in the breach, but it will likely take months of continued analysis before there is enough information available to identify and notify impacted customers and individuals. So far, the company has not seen evidence that doctors’ charts or full medical histories were taken. Rather than wait for the full analysis to identify customers whose personal health information was stolen, UnitedHealth is providing free credit monitoring and identity theft protection to members for two years and has clinicians staffing a dedicated call center to provide support services.


Meanwhile, he said that the company continues to make progress in restoring Change Healthcare’s impacted services. Its priorities are to secure the systems, ensure patient access to care and medication, and to assist providers with their financial needs.

Wyden said the Change Healthcare hack serves as a “dire warning” about the consequences of mega-corporations buying larger shares of the health care system. “It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack. For example, Change Healthcare’s exclusive contracts prevented more than one third of providers from switching clearinghouses, even though Change’s systems were down for weeks,” he said.