Technology

UnitedHealth CEO estimates one-third of Americans could be impacted by Change Healthcare cyberattack

In this article

Omar Marques | Lightrocket | Getty Images

UnitedHealth Group CEO Andrew Witty on Wednesday told lawmakers that data from an estimated one-third of Americans could have been compromised in the cyberattack on its subsidiary Change Healthcare, and that the company paid a $22 million ransom to hackers.

Witty testified in front of the Subcommittee on Oversight and Investigations, which falls under the House of Representatives’ Committee on Energy and Commerce. He said the investigation into the breach is still ongoing, so the exact number of people affected remains unknown. The one-third figure is a rough estimate.

UnitedHealth has previously said the cyberattack likely impacts a “substantial proportion of people in America,” according to an April release. The company confirmed that files containing protected health information and personally identifiable information were compromised in the breach. 

It will likely be months before UnitedHealth is able to notify individuals, given the “complexity of the data review,” the release said. The company is offering free access to identity theft protection and credit monitoring for individuals that are concerned about their data.

Witty also testified in front of the U.S. Senate Committee on Finance on Wednesday, when he confirmed for the first time that the company paid a $22 million ransom to the hackers that breached Change Healthcare. At the hearing with the Oversight & Investigations later that afternoon, Witty said the payment was made in Bitcoin.

UnitedHealth disclosed that a cyber threat actor breached part of Change Healthcare’s information technology network late in February. The company disconnected the affected systems when the threat was detected, and the disruption has caused widespread fallout across the U.S. health-care sector.

Witty told the subcommittee in his written testimony that the cybercriminals used “compromised credentials” to infiltrate Change Healthcare’s systems on Feb. 12 and deployed a ransomware that encrypted the network nine days later.

The portal that the bad actors initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identities in at least two different ways. 

Witty told both committees Wednesday that UnitedHealth now has MFA in place across all external-facing systems.

Articles You May Like

King praises response to ‘lawless’ UK riots in Christmas message – as he gives ‘personal’ thanks to medics
MIT Researchers Measure Quantum Geometry of Electrons in Solid Materials for First Time
Killer whale who carried dead calf in ‘show of grief’ gives birth again – but experts are concerned
One of Texas’ dirtiest coal plants will swap to solar with help from US grant
Grandmother, 80, ‘fell to her knees’ after IDF shot her six times during raid, says son