Senators blast UnitedHealth CEO for lackluster cybersecurity, monopoly

Legacy technology at Change Healthcare was missing multifactor authentication, giving cybercriminals an easy way in.

UnitedHealth CEO Andrew Witty testifies before Senate and committee members about the Change Healthcare cyberattack by AlphV. The vulnerable platform hackers used to access sensitive information at Change did not meet the security guidelines issued in Dec. 2023 by the FBI and U.S. cyber and health officials, which warned that AlphV/BlackCat was focusing on healthcare organizations. (Photo: Al Drago/Bloomberg)

U.S. lawmakers questioned UnitedHealth Group Chief Executive Officer Andrew Witty this week over the devastating cyberattack on its subsidiary, Change Healthcare, in February.

The event crippled the U.S. health care system for several weeks, impacting health insurers, hospitals, doctors, pharmacies, patients and the finances of all parties.

UnitedHealth recently admitted to paying a $22 million ransom in Bitcoin to the cybercriminal gang responsible, AlphV. However, some documents were still released in April when slighted threat actors asked for more money.

The full impact of the cyberattack on Change Healthcare remains unknown, but Witty gave senators a closer look at when and how AlphV gained access to its system.

To understand the magnitude of the cyberattack, it is first important to understand the massive control UnitedHealth and its subsidiaries have on the U.S. healthcare system:

Witty was summoned to testify in front of the Senate Finance Committee and House Energy and Commerce Committee panel on May 1, where senators criticized the healthcare giant’s handling of the hack. Democratic and Republican senators came together to question whether the company was too deeply ingrained in the medical system, given the sheer breadth of data stolen. Witty admitted the data breach compromised about one-third of Americans’ medical records.

What the ‘hack’ happened?

Witty’s testimony painted a clearer picture of the timeline of the Change Healthcare hack, which started nine days before UnitedHealth shut down the system.

On Feb. 12, 2024, AlphV (also called BlackCat) broke into Change Healthcare’s systems using an old server that did not have today’s number-one cybersecurity measure: multifactor authentication (MFA). Hackers used “compromised credentials,” like stolen passwords, and easily gained access through legacy technology. Witty acknowledged the poor digital security, including an inadequate backup plan and no way to cover payments for providers in the interim.

Senator and Chairman of the Finance Committee Ron Wyden (D-Ore.) said UnitedHealth failed “cybersecurity 101” by not employing the most basic kind of cybersecurity measure (MFA).

Senator Thom Tillis (R-N.C.) held a copy of “Hacking for Dummies” to illustrate that point.

Witty said all UnitedHealth “external-facing systems” now use MFA, and the company is bulking up cybersecurity efforts. Witty alleged UnitedHealth is under a constant barrage of cyber threats, preventing intrusions every 70 seconds, though, notably, not on Feb. 12.

“Monopoly on steroids”

UnitedHealth shut down Change Healthcare’s system on Feb. 21, 2024, to stop cybercriminals from expanding the attack to its other subsidiaries and to try to limit the impact on Change Healthcare, which it acquired in 2022. The acquisition was initially stalled when the U.S. Justice Department tried to block it amid concerns it triggered a mass consolidation in the health care industry. This sentiment was echoed in the May 1 hearing, with Senator Elizabeth Warren (D-Mass.) calling UnitedHealth “a monopoly on steroids.”

Wyden expressed frustration about the lack of transparency about the stolen data and emphasized that the sensitive medical data stolen about active military personnel posed a “clear national security threat.”

“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Wyden said. “Practically every provider I bump into is waiting to be paid.”

Senator Marsha Blackburn (R-Tenn.) agreed, sharing that her office is still bombarded with calls from healthcare providers, some of whom are missing payments equal to a month’s revenue.

Witty admitted the corporation mishandled efforts to cover payments for affected providers, but senators quickly pointed out the company continues to fail victims.

In March, the Office for Civil Rights said it also plans to investigate the incident to determine if Change Healthcare followed patient privacy protection laws and whether protected health information was exposed.
