UnitedHealth CEO Testifies on Cyberattack Before Senate

May 2, 2024
Stolen credentials used to remotely access a UnitedHealth’s portal that didn’t have multi-factor protection, CEO testifies.

UnitedHealth Group’s CEO, Andrew Witty, testified on Wednesday, May 1, before the House Energy and Commerce Committee on the Change Healthcare cyberattack. In his opening statement, Witty told the committee that criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, which enables remote access to desktops. Witty admitted that this portal did not have multi-factor authentication (MFA).

Witty said it will likely take several months to identify all impacted individuals. UnitedHealth, along with experts, is continuously monitoring the dark web to see if data has been leaked.

“This was one of the hardest decisions I’ve ever had to make,” Witty confided regarding the decision to pay ransom, “And I wouldn’t wish it on anyone.”

Senator Ron Wyden said the attack could have been stopped with “Cybersecurity 101.” “On your watch, there was a cybersecurity failure,” Wyden admonished UnitedHealth’s CEO. “It shouldn’t have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum,” Wyden said in response to Witty conveying that multifactor authentication has now been implemented for all UnitedHealth’s external-facing systems.

Senator John Barrasso stated that this breach may send rural health systems into a financial spiral they can’t recover from. Witty responded by saying that a third of the 6.5 billion dollars issued have gone to those types of organizations. “We want to make sure you’re specifically prioritizing these rural and financially vulnerable hospitals,” Barrasso told Witty, “because they need to keep their doors open, and they’re the only source of supply.”

“The responses that you’ve had to me, it seems like an excuse,” said Barrasso while asking Witty why multifactor authentication hadn’t been in place for Change Healthcare. “Like you, I’m very disappointed and frustrated that this particular server did not have MFA installed when Change Healthcare came into our group,” Witty responded. “We’ve been upgrading their technology since we acquired it,” he added.

Throughout the hearing, Witty apologized for the aftermath of the Change Healthcare breach.

Sponsored Recommendations

Executive Handbook: Ten Transformative Trends 2024

The editors of Healthcare Innovation have published their annual Ten Transformative Trends ensemble of articles

Leveraging the Power of Generative AI to Transform Patient Care

Learn more about how Generative AI has emerged as a transformative force helping care providers improve a range of hospital operations, enhance efficiency and drive innovation...

Meet New Demands in Patient, Clinician Experience and Operational Efficiency

Learn how hospitals are streamlining onboarding and EMR workflows with AI-driven technologies

Finish 2024 Strong: How to Prioritize and Close Impactful Care Gaps

Access this on-demand webinar to learn how to prioritize resources to close care gaps, benchmark your populations, identify areas of opportunity in your data, and more.