UnitedHealth Group’s CEO, Andrew Witty, testified on Wednesday, May 1, before the House Energy and Commerce Committee on the Change Healthcare cyberattack. In his opening statement, Witty told the committee that criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, which enables remote access to desktops. Witty admitted that this portal did not have multi-factor authentication (MFA).
Witty said it will likely take several months to identify all impacted individuals. UnitedHealth, along with experts, is continuously monitoring the dark web to see if data has been leaked.
“This was one of the hardest decisions I’ve ever had to make,” Witty confided regarding the decision to pay ransom, “And I wouldn’t wish it on anyone.”
Senator Ron Wyden said the attack could have been stopped with “Cybersecurity 101.” “On your watch, there was a cybersecurity failure,” Wyden admonished UnitedHealth’s CEO. “It shouldn’t have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum,” Wyden said in response to Witty conveying that multifactor authentication has now been implemented for all UnitedHealth’s external-facing systems.
Senator John Barrasso stated that this breach may send rural health systems into a financial spiral they can’t recover from. Witty responded by saying that a third of the 6.5 billion dollars issued have gone to those types of organizations. “We want to make sure you’re specifically prioritizing these rural and financially vulnerable hospitals,” Barrasso told Witty, “because they need to keep their doors open, and they’re the only source of supply.”
“The responses that you’ve had to me, it seems like an excuse,” said Barrasso while asking Witty why multifactor authentication hadn’t been in place for Change Healthcare. “Like you, I’m very disappointed and frustrated that this particular server did not have MFA installed when Change Healthcare came into our group,” Witty responded. “We’ve been upgrading their technology since we acquired it,” he added.
Throughout the hearing, Witty apologized for the aftermath of the Change Healthcare breach.
