UnitedHealth Group Chief Executive Andrew Witty told lawmakers on Wednesday that an estimated one-third of Americans may have had their data exposed in a cyberattack on subsidiary Change Healthcare, which paid a $22 million ransom to hackers.
Witty testified before the Oversight and Investigations Subcommittee, which is part of the House Energy and Commerce Committee. He said the investigation into the breach was ongoing, so the exact number of people affected remained unclear. The one-third figure is a rough estimate.
UnitedHealth Insurance Company previously said, in a release in April, that the cyberattack could affect “a significant portion of Americans.” The company confirmed that documents containing protected health information and personally identifiable information were exposed in the breach.
The news release said it could take several months for UnitedHealth to notify individuals due to the “complexity of the data review.” The company offers free identity theft protection and credit monitoring services to individuals concerned about their data.
Witty also testified before the U.S. Senate Finance Committee on Wednesday, confirming for the first time that the company paid $22 million in ransom to hackers who breached Change Healthcare. At a hearing before House lawmakers later that afternoon, Witty said the payment was made in Bitcoin.
UnitedHealth revealed that a cyber threat actor compromised part of Change Healthcare’s information technology network in late February. When the threat was detected, the company disconnected the affected systems, causing an outage that has had widespread repercussions across the U.S. healthcare industry.
Witty told the subcommittee in written testimony that cyberattackers used “leaked credentials” to infiltrate Change Healthcare’s systems on February 12 and deployed ransomware to encrypt the network nine days later.
The portal the bad actors initially accessed was not protected by multi-factor authentication (MFA), which requires users to verify their identity in at least two different ways.
Witty told both committees on Wednesday that UnitedHealth now has MFA deployed on all external-facing systems.