UnitedHealth CEO Testifies on Cyberattack Before Senate

May 2, 2024
Stolen credentials used to remotely access a UnitedHealth’s portal that didn’t have multi-factor protection, CEO testifies.

UnitedHealth Group’s CEO, Andrew Witty, testified on Wednesday, May 1, before the House Energy and Commerce Committee on the Change Healthcare cyberattack. In his opening statement, Witty told the committee that criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, which enables remote access to desktops. Witty admitted that this portal did not have multi-factor authentication (MFA).

Witty said it will likely take several months to identify all impacted individuals. UnitedHealth, along with experts, is continuously monitoring the dark web to see if data has been leaked.

“This was one of the hardest decisions I’ve ever had to make,” Witty confided regarding the decision to pay ransom, “And I wouldn’t wish it on anyone.”

Senator Ron Wyden said the attack could have been stopped with “Cybersecurity 101.” “On your watch, there was a cybersecurity failure,” Wyden admonished UnitedHealth’s CEO. “It shouldn’t have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum,” Wyden said in response to Witty conveying that multifactor authentication has now been implemented for all UnitedHealth’s external-facing systems.

Senator John Barrasso stated that this breach may send rural health systems into a financial spiral they can’t recover from. Witty responded by saying that a third of the 6.5 billion dollars issued have gone to those types of organizations. “We want to make sure you’re specifically prioritizing these rural and financially vulnerable hospitals,” Barrasso told Witty, “because they need to keep their doors open, and they’re the only source of supply.”

“The responses that you’ve had to me, it seems like an excuse,” said Barrasso while asking Witty why multifactor authentication hadn’t been in place for Change Healthcare. “Like you, I’m very disappointed and frustrated that this particular server did not have MFA installed when Change Healthcare came into our group,” Witty responded. “We’ve been upgrading their technology since we acquired it,” he added.

Throughout the hearing, Witty apologized for the aftermath of the Change Healthcare breach.

Sponsored Recommendations

Patient Engagement and ML/AI – Modern Interoperability as an enabler for value based care

Discover how modern interoperability empowers patient engagement and leverages ML/AI for better outcomes in value-based care. Join us on June 18th to learn how seamless data integration...

New Research: The State of Healthcare Cloud Security and Compliance Posture

Compliance & Security Debt Awareness Could Have Prevented Change Healthcare & Ascension Healthcare Breaches

Telehealth: Moving Forward Into the Future

Register now to explore two insightful sessions that delve into the transformative potential of telehealth and virtual care management solutions.

Telehealth: Moving Forward Into the Future

Register now to explore two insightful sessions that delve into the transformative potential of telehealth and virtual care management solutions.