UnitedHealth Group CEO Andrew Witty confirmed for the first time that the company paid a $22 million ransom to hackers who breached its Change Healthcare subsidiary and caused widespread fallout across the healthcare sector. Witty's comments were made during a hearing Wednesday before the U.S. Senate Finance Committee.
Change Healthcare offers payment, revenue management and other solutions, such as e-prescribing software. The company took affected systems offline when the threat was detected, leaving many doctors temporarily unable to fill prescriptions or receive payments for their services.
UnitedHealth told CNBC in April that it paid a ransom to try to protect patient data. Previous reports had discovered a $22 million transfer on the Bitcoin blockchain, but the company had not confirmed the figure until now.
“The decision to pay the ransom was mine,” Witty said. “This was one of the hardest decisions I have ever had to make and I wouldn't wish it on anyone.”
UnitedHealth is one of the largest companies in the world, with a market capitalization of approximately $450 billion. Its Optum business unit, which provides care to 103 million customers, and Change Healthcare, which touches one in three patient records, merged in 2022.
Committee Chairman Sen. Ron Wyden, D-Ore., said in his opening remarks that the Change Healthcare breach serves as a “dire warning about the consequences of too-big-to-fail megacorporations.”
“Companies this large have an obligation to protect their customers and lead on this issue,” Wyden said.
Witty told the committee that cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication, or MFA, which requires users to verify their identity in at least two different ways. She said UnitedHealth now has MFA in all external systems.
“As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are concerned about their private health data,” Witty said. “To everyone affected, let me be very clear: I am deeply sorry.”
Sen. Thom Tillis, R.N.C., held up a bright yellow copy of “Hacking for Dummies” during the hearing and said it's UnitedHealth's responsibility to fix the breach.
“These are some basic things that were overlooked, so it's a shame for internal audit, external audit and the systems people in charge of redundancy, they're not doing their job,” Tillis said.
A filing with the U.S. Securities and Exchange Commission said UnitedHealth discovered that a cyber threat actor accessed part of Change Healthcare's information technology network in late February.
Witty said Change Healthcare's core systems are back online, although some of its secondary support functions are still being restored.
UnitedHealth said in February that the Blackcat ransomware group was behind the attack. Blackcat, which also goes by the names Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December statement from the U.S. Department of Justice.
UnitedHealth confirmed in April that files containing protected health information and personally identifiable information were compromised in the breach. The company said a data review is underway, so it could be months before it can notify affected people.
Witty said Wednesday that UnitedHealth is working with regulators to evaluate the breach and inform people if their information has been compromised “as soon as possible.”
In early March, UnitedHealth launched a temporary financial assistance program to help providers who have experienced cash flow disruptions due to the cyberattack. There are no fees, interest or other costs in addition to payments, and providers have 45 days to refund funds once their standard payment operations resume.
During the hearing, Witty said the company has not yet asked anyone to repay the loan and that it will be up to suppliers to determine when their operations have officially returned to normal.
Witty did not directly disclose whether UnitedHealth will provide additional support to providers who may have to deal with other loans and interest payments due to default.
Sen. Michael Bennet, D-Colo., pressed Witty to share how UnitedHealth is working to ensure something like the Change Healthcare breach doesn't happen again. Witty said the company plans to share what he discovers about the breach with others, adding that there is a need to focus on reducing the rate of cyberattacks in the healthcare sector.
“We are clearly trying to take responsibility for this attack. We are also trying to learn from it,” he said.
