One-third of Americans could be affected by Change Healthcare cyberattack


Omar Marqués | Light rocket | fake images

UnitedHealth Group CEO Andrew Witty told lawmakers on Wednesday that the data of about a third of Americans may have been compromised in the cyberattack on its subsidiary Change Healthcare, and that the company paid a $22 million ransom to the hackers.

Witty testified before the Subcommittee on Oversight and Investigations, which reports to the House Energy and Commerce Committee. She said the investigation into the breach is still ongoing, so the exact number of people affected is unknown. The one-third figure is a rough estimate.

UnitedHealth has previously said the cyberattack likely affects a “substantial proportion of people in the United States,” according to an April statement. The company confirmed that files containing protected health information and personally identifiable information were compromised in the breach.

It will likely be months before UnitedHealth can notify people, given the “complexity of the data review,” according to the statement. The company offers free access to identity theft protection and credit monitoring for people concerned about their data.

Witty also testified before the U.S. Senate Finance Committee on Wednesday, confirming for the first time that the company paid a $22 million ransom to hackers who breached Change Healthcare. At the hearing before House lawmakers that same afternoon, Witty said the payment was made in bitcoin.

UnitedHealth revealed that a cyber threat actor breached part of Change Healthcare's information technology network in late February. The company took affected systems offline when the threat was detected, and the outage has caused widespread consequences across the US healthcare sector.

Witty told the subcommittee in his written testimony that cyber attackers used “compromised credentials” to infiltrate Change Healthcare's systems on Feb. 12 and deployed ransomware that encrypted the network nine days later.

The portal the criminals initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identities in at least two different ways.

Witty told both committees Wednesday that UnitedHealth now has MFA in all external systems.

Don't miss these CNBC PRO exclusives

scroll to top