Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says

UnitedHealth CEO Andrew Witty said in a U.S. Senate hearing that his company is still trying to understand why the server did not have the additional protection.

UnitedHealth Change Healthcare cyberattack

The Change Healthcare cyberattack that disrupted health care systems nationwide earlier this year started when hackers entered a server that lacked a basic form of security: multifactor authentication.

UnitedHealth CEO Andrew Witty said Wednesday in a U.S. Senate hearing that his company, which owns Change Healthcare, is still trying to understand why the server did not have the additional protection.

His admission did not sit well with Senate Finance Committee members who spent more than two hours questioning the CEO about the attack and broader health care issues.

“This hack could have been stopped with cybersecurity 101,” Oregon Democratic Sen. Ron Wyden told Witty.

Multifactor authentication adds a second layer of security to password-protected accounts by having users enter an auto-generated code. It’s common on apps protecting sensitive data like bank accounts and meant to guard against hackers guessing passwords.

Change Healthcare provides technology used to submit and process billions of insurance claims a year. Hackers gained access in February and unleashed a ransomware attack that encrypted and froze large parts of the company’s system, Witty said.

He told a separate House Energy and Commerce committee hearing Wednesday that hackers used “compromised credentials” that may have included stolen passwords to enter Change’s system.

The attack triggered a disruption of payment and claims processing around the country, stressing doctor’s offices and health care systems by interfering with their ability to file claims and get paid.

Advertisement. Scroll to continue reading.

UnitedHealth quickly disconnected the affected systems to limit damage and paid a $22 million ransom in bitcoin, Witty said. The company is still recovering.

“We’ve literally built this platform back from scratch so that we can reassure people that there are not elements of the old attacked environment within the new technology,” Witty said, also noting that he was “deeply, deeply sorry” for the attack.

The CEO also told senators that all of the company’s core systems were now fully functional. That included claims payment and pharmacy processing.

Witty said his company had been in the process of upgrading technology for Change, which it acquired in 2022, and he was “incredibly frustrated” to learn about the lack of multifactor authentication, which is a standard across UnitedHealth.

In March, the Office for Civil Rights said it would investigate whether protected health information was exposed and whether Change Healthcare followed laws protecting patient privacy.

The company said earlier this month that personal information that could cover a “substantial portion of people in America” may have been taken in the attack.

Company officials have said they see no signs that doctor charts or full medical histories were released after the attack. But they also have noted that it may take several months of analysis to identify and notify those who were affected. UnitedHealth is offering free credit monitoring and identity theft protection for two years.

UnitedHealth Group runs one of the nation’s largest insurers and pharmacy benefits managers. It also provides care and technology services, which include the Change business.

Cybersecurity experts say ransomware attacks have increased substantially in recent years, especially in the health care sector.

Witty told senators UnitedHealth is “consistently” under attack. He said in prepared remarks that his company repels an attempted intrusion every 70 seconds.

Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers

Related: Cyber Insights 2024: Ransomware

Written By

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights