UnitedHealth Hack Put Data of One in Three Americans at Risk
UnitedHealth Group Inc. Chief Executive Officer Andrew Witty told lawmakers his company is still trying to determine why its computer systems were left vulnerable to hackers who perpetrated a devastating cyberattack.
Lawmakers zeroed in on lax defenses during more than two hours of questioning by the Senate Finance Committee, in the first of two congressional hearings about the breach on Wednesday. The intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure used on consumer bank accounts — and got access to a hoard of health and personal data. Witty said the trove might cover one-third of Americans.
“We’re trying to dig through exactly why that server had not been protected,” Witty told lawmakers. “I’m as frustrated as anybody about that fact.”
Some lawmakers said the company had neglected basic safeguards and failed both to prevent the attack and recover from it, with backup systems that were also vulnerable. “This company flunked both,” said Senator Ron Wyden, the Oregon Democrat who chairs the Finance Committee.
The largest US health insurer faced aggressive questions from some lawmakers over the February hacking incident, including concerns about whether its vast reach into myriad health-care operations concentrated risk that cybercriminals exploited. The hack snarled billions of dollars in payments for doctors and hospitals.
The ransomware strike that wrecked systems at UnitedHealth’s Change Healthcare subsidiary will likely be the largest health-care data breach in the US to date, the company said. It’s also among the most costly hacks ever, denting UnitedHealth’s profit by as much as $1.6 billion this year.
Witty was the sole witness to appear in the hearings, which also included an afternoon session with a subcommittee of the House Energy and Commerce Committee. Lawmakers from both parties expressed concern about UnitedHealth’s size at a separate House panel two weeks ago.
Senator Elizabeth Warren, the Massachusetts Democrat, called on regulators to break up the company during the Wednesday hearing. Even conservatives expressed concern about its corporate power.
“Is the dominant role of United too dominant, because it’s into everything, and messing up United messes up everybody?” said Senator Bill Cassidy, a Republican from Louisiana.
Witty said Change Healthcare’s footprint was the same as it was before UnitedHealth acquired it in 2022. The company UnitedHealth bought for almost $8 billion ran on legacy technology, he said, with some systems 40 years old. “We’ve been working to improve those,” he said.
UnitedHealth’s shares closed almost unchanged Wednesday, a sign that Witty’s grilling in Washington had little impact for investors.
Lax Defense
Wyden said the committee is drafting legislation in response to the attack. He called again for standards for the industry, and said larger companies would have to meet tougher standards. “The bigger the company the more significant your responsibilities,” he said.
UnitedHealth faces constant attacks from intruders trying to crack digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of those attempts wasn’t immediately clear.
Despite the persistent threat, he said the intruders gained entry to Change Healthcare’s systems through a Citrix remote access portal that wasn’t protected by multifactor authentication, a common cyberdefense meant to thwart hackers by requiring more than a password to verify that a login is legitimate.
Once they broke into the system on Feb. 12, attackers claiming to be the notorious cybercrime group BlackCat pilfered data undetected for more than a week. They deployed ransomware nine days later. Witty said he was at a board meeting when he learned of the attack on Feb. 21.
Wyden questioned whether UnitedHealth knew how much personal data of its users was stolen. “You don’t have the logs to show what data walked out the door,” he said.
Witty estimated that the data breach could affect about one-third of all Americans — which would be more than 100 million people — though he said the number was uncertain. Facing a House panel in the afternoon, he said he couldn’t guarantee that hackers hadn’t copied stolen the data to distribute online.
The full extent of that breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The company has set up a site to offer credit monitoring and other help.
Witty said he decided to pay a ransom to protect patient data, “one of the hardest decisions I’ve ever had to make.” He confirmed that the payment was $22 million, a figure that has previously been reported based on an analysis of cryptocurrency payments.
He also said the attackers locked up the company’s backup systems, delaying how long it took to restore Change Healthcare’s services. UnitedHealth rebuilt much of the infrastructure from scratch on cloud-based systems, he said.
He told the committee that UnitedHealth’s response was “swift and forceful,” by disconnecting Change’s systems from the rest of the health-care world. While that was “extremely disruptive,” he said it stopped the damage from spreading more widely.
The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash-flow interruptions.
Witty also said the company supports minimum security standards for health-care companies and improvements to the US’s cyber defenses, including standardized reporting of cybersecurity events.
Top photo: Andrew Witty, chief executive officer of UnitedHealth Group Inc., center, arrives for a Senate Finance Committee hearing in Washington, DC, US, on Wednesday, May 1, 2024. UnitedHealth, which has a market value of $451 billion, has estimated that the Feb. 21 cyberattack that paralyzed much of the US health-care system could reduce its profit by as much as $1.6 billion this year, making it one of the costliest hacks ever. Photographer: Al Drago/Bloomberg.