UnitedHealth Group (UHG) CEO Andrew Witty recently gave a testimony at a House subcommittee hearing. The Senators confronted Witty concerning the Change Healthcare ransomware attack and because one-of-three Americans might be impacted.
Witty apologized for the cyberattack, the trouble and financial pressure put on companies, and the effect of the attack on patients. He mentioned that UHG gave a $22 million ransom payment. He confirmed the use of compromised credentials, probably bought by the attacker on the dark web, to get access to Change Healthcare’s network.
Credentials only shouldn’t be enough to get access to a system. Witty stated that the stolen credentials were for a Citrix website employed for remote access, and that access became possible because of the insufficient multifactor authentication (MFA). He stated that the company requires using MFA on all externally facing devices yet MFA was lacking on the Citrix website. Change Healthcare’s head of cybersecurity knew this. Witty stated that all externally facing systems already have MFA activated.
Change Healthcare announced on its website that its systems work with the data of one in three people in America, therefore the data breach can be massive affecting over 110 million U.S. citizens. Witty was asked to state the magnitude of the breach but was hesitant lest he make a wrong statement. Yet when pushed to provide an estimate, he mentioned that 33% of U.S. citizens might be affected.
Senator Demands Prompt Notifications of Possibly Impacted Patients
U.S. Senator Maggie Hassan (D-NH) required UHG to promptly alert patients whose information was possibly stolen during the Change Healthcare cyberattack. She told Witty that UHG is obligated under HIPAA to send notifications when protected health information (PHI) is likely compromised. That indicates sending notifications to all patients who have data retained by Change Healthcare.
“The attack occurred on February 21st. The last day for sending HIPAA breach reports to the OCR and to the individuals affected was on April 21. It’s already May 1st. Millions of Americans should not wait too long to know that their data might be exposed to criminals on the dark web. Many HIPAA-regulated entities think that the counting begins on the date that the PHI exposure is confirmed, which is when the forensic investigation is finished, or when the evaluation of all documents on the breached system is completed. That may be a few months after the security breach is discovered. Witty mentioned that the complicated investigation and review implies that issuing the notifications may take several months.
During the hearing, Sen Hassan succeeded in getting Witty to waive exclusivity conditions from agreements with Change Healthcare, which will allow healthcare companies to easily create contingency plans and act immediately in case of a future attack on Change Healthcare.
Is Change Healthcare Too Big?
Sen. Ron Wyden (D-OR), the chairman of the Senate Finance Committee, and a few other Senators questioned UHG’s speed in updating its security and systems. UHG bought Change Healthcare in 2022 and the improvements to systems and security are still not completed. UHG was likewise questioned for taking a long time to recover from the attack. Although most of the core systems are working, Witty mentioned that it is still restoring older Change systems.
The hacking on Change Healthcare serves as a warning about the effects of big corporations taking up bigger shares of the healthcare industry. It’s time to perform a thorough check of UHG’s anti-competitive strategies, which probably extended the after-effects of this hack. Sen. Marsha Blackburn (R-TN) criticized Witty for the insufficient readiness, which may include compliance with HIPAA-training requirements, to face an unavoidable cyberattack. In 2023, UHG made about $22 billion in revenue. It should have taken the required action to avoid vulnerability to an attack and experiencing it.
The size of UHG was often mentioned during the hearing. Sen. Bill Cassidy (R-LA) said that the prominence of UHG in the healthcare industry generated a particular vulnerability and the attack created a big ripple effect.
