Congress interrogates UnitedHealth CEO over Change Healthcare cyberattack

On Wednesday, UnitedHealth Group CEO Andrew Witty testified before legislators over the course of two congressional hearings, where he confirmed that the exfiltrated data includes “a substantial portion of people in America.” 

The February 21 attack has unleashed carnage upon the healthcare sector for several weeks, disrupting claims processing, prior authorizations, and revenue streams to providers.  

Cybersecurity failures

During the testimony, Witty shared new information about how the cybergang ALPHV gained access to their server through a remote desktop computer that did not employ multi factor authentication, a common cybersecurity method that involves using an additional password or code.  

With only a stolen password, the cybergang roamed the Change Healthcare server for a week without detection and roamed the entirety of the system without running into blocks.. 

Many lawmakers were keen to note that UnitedHealth Group did not report the hack publicly until nine days after it occurred. 

“We secured the perimeter of the attack and prevented malware from spreading beyond Change to the broader health system,” Witty stated. “It worked. There has never been any evidence of spread beyond Change—not to any external environment and not to Optum, UnitedHealthcare, or UnitedHealth Group.”  

At least, not that they know as of right now. He also mentioned they are still working to understand the depth of data exfiltrated.  

Witty explained that the encryption ransomware’s impact in this attack was exacerbated by the outdated technology at Change Healthcare, which had developed over many decades. The ransomware not only compromised the main systems but also affected the backup systems, especially those not stored in the cloud. 

“It’s extremely frustrating to have one of the largest companies in the world failing to meet its obligations under existing law to adequately protect some of our most sensitive personal information,” said Rep. Frank Pallone, D-N.J. “Mr. Witty, this never should have happened, and it can’t happen again.”   

Ransom paid, but data leaked anyway

Witty confirmed that he paid the $22 million ransom to protect private health data, which he said was one of the most difficult decisions he had to make. The data was leaked on the dark web shortly after.  

Committee members spoke against paying the ransom as it rewards and entices criminals, as they did weeks earlier when hearing from healthcare and cybersecurity experts.  

“Here’s the problem. It didn’t stop a data leak. Americans’ personal and private health information is on the dark web. This is private health data that you are responsible for protecting,“ said Rep. Cathy McMorris Rodgers, R-Wash. “Mr. Witty, I suspect that decision will be a case study in crisis mismanagement for decades to come.”