A third of Americans could be affected by Change Healthcare cyberattack

UnitedHealth Group CEO Andrew Witty told lawmakers Wednesday that the data of about a third of Americans may have been compromised in the cyberattack on its Change Healthcare subsidiary and that the company paid a $22 million ransom to the hackers.

Witty testified before the Subcommittee on Oversight and Investigations, which falls under the House Energy and Commerce Committee. He said the investigation into the breach was still ongoing and therefore the exact number of people affected remained unknown. The figure of one third is a rough estimate.

UnitedHealth said in an April statement that the cyberattack would likely affect “a substantial proportion of people in America.” The company confirmed that files containing protected health information and personally identifiable information were compromised in this breach.

It will likely be months before UnitedHealth is able to notify individuals, given the “complexity of reviewing the data,” the statement said. The company offers free access to identity theft protection and credit monitoring to people concerned about their data.

Witty also testified before the U.S. Senate Finance Committee on Wednesday, when he confirmed for the first time that the company paid a $22 million ransom to the hackers who breached Change Healthcare. At the hearing before House lawmakers later that afternoon, Witty said the payment was made in Bitcoin.

UnitedHealth revealed that a cyberthreat actor breached part of Change Healthcare’s computer network in late February. The company took affected systems offline when the threat was detected, and the disruption had widespread consequences across the U.S. healthcare industry.

Witty told the subcommittee in written testimony that cyberattackers used “compromised credentials” to infiltrate Change Healthcare’s systems on Feb. 12 and deployed ransomware that encrypted the network nine days later.

The portal that the bad actors initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identity in at least two different ways.

Witty told both committees Wednesday that UnitedHealth has now implemented MFA in all external systems.

cnbc
