UnitedHealth Group Chief Executive Andrew Witty confirmed for the first time that the company paid a $22 million ransom to hackers who breached its subsidiary Change Healthcare and caused widespread repercussions across the healthcare industry. Witty made the remarks during a hearing of the U.S. Senate Finance Committee on Wednesday.
Change Healthcare provides payment, revenue management and other solutions such as e-prescribing software. When the threat was detected, the company disconnected affected systems, leaving many doctors temporarily unable to write prescriptions or get paid for their services.
UnitedHealth told CNBC in April that it paid the ransom in an attempt to protect patient data. It was previously reported that a $22 million transfer had been discovered on Bitcoin’s blockchain, but the company had not confirmed the figure until now.
“As CEO, the decision to pay the ransom was mine,” Witty said. “This was one of the hardest decisions I’ve ever made and I wouldn’t wish it on anyone else.”
UnitedHealth is one of the world’s largest companies, with a market capitalization of approximately $450 billion. Its business units Optum, which provides care to 103 million customers, and Change Healthcare, which touches one-third of patient records, merged in 2022.
In his opening statement, Committee Chairman Sen. Ron Wyden, D-Ore., said the Change Healthcare breach was “a dire warning of the consequences for large businesses that are too big to fail.”
“Companies this large have an obligation to protect their customers and provide leadership on this issue,” Wyden said.
Witty told the committee that cybercriminals accessed Change Healthcare through servers that were not protected by multi-factor authentication (MFA), which requires users to verify their identity in at least two different ways. He said UnitedHealth now has MFA deployed in all external systems.
“Patients and providers are experiencing disruptions and people are concerned about their private health data as a result of this malicious cyberattack,” Witty said. “To everyone affected, let me make it very clear: I am deeply sorry.”
Republican Sen. Thom Tillis held up a bright yellow copy of “Hacking for Dummies” at the hearing and said UnitedHealth had a responsibility to fix the vulnerability.
“This is something fundamental that was missed, so shame on internal audit, external audit and the systems people responsible for the redundancy, they weren’t doing their jobs,” Tillis said.
UnitedHealth discovered that cyber threat actors gained access to parts of Change Healthcare’s information technology network in late February, according to a filing with the U.S. Securities and Exchange Commission.
Witty said Change Healthcare’s core systems are back online, but some of its ancillary support functions are still being restored.
UnitedHealth said in February that ransomware group Blackcat was behind the attack. Blackcat (also known as Noberus and ALPHV) steals sensitive data from organizations and threatens to make the data public unless a ransom is paid, according to a December release from the U.S. Department of Justice.
UnitedHealth confirmed in April that documents containing protected health information and personally identifiable information were exposed in the breach. The company said a data review is ongoing, so it could take several months before it notifies affected individuals.
Witty said Wednesday that UnitedHealth Group is working with regulators to assess the breach and to notify people “as quickly as possible” whether their information was compromised.
In early March, UnitedHealth launched a temporary financial assistance program to help support providers experiencing cash flow disruptions due to the cyberattack. There are no fees, interest or other charges beyond repayment, and providers have 45 days to repay the funds once standard payment operations resume.
During the hearing, Witty said the company had not asked anyone to repay their loans and it would be up to the providers to decide when normal operations would officially resume.
Witty did not directly say whether UnitedHealth would provide additional support to providers who may face additional loans and interest payments as a result of the breach.
Sen. Michael Bennet, D-Colo., urged Witty to share how UnitedHealth is working to ensure breaches like the Change Healthcare breach don’t happen again. Witty said the company planned to share the breaches it discovered with others, adding that there was a need to focus on reducing the rate of cyberattacks in the healthcare industry.
“We are obviously trying to take responsibility for this attack. We are also trying to learn from it,” he said.