Omar Marques | Light rocket | Getty Images
UnitedHealth Group CEO Andrew Witty told lawmakers Wednesday that an estimated one-third of Americans' data may have been compromised in the cyberattack on its Change Healthcare subsidiary and that the company paid a $22 million ransom to hackers.
Witty testified before the Subcommittee on Oversight and Investigations, which is under the House Energy and Commerce Committee. He said the investigation into the breach was still ongoing, so the exact number of people affected was not yet known. The figure of one third is a rough estimate.
UnitedHealth previously said the cyberattack likely affected a “significant portion of the people of America,” according to an April press release. The company confirmed that the breach compromised files containing protected health information and personal data.
It will likely be months before UnitedHealth is able to notify individuals given the “complexity of data review,” the release said. The company offers free access to identity theft protection and credit monitoring to people concerned about their data.
Witty also testified before the Senate Finance Committee on Wednesday, confirming for the first time that the company had paid a $22 million ransom to the hackers who hacked Change Healthcare. At the hearing before House Democrats later that afternoon, Witty said the payment was made in Bitcoin.
UnitedHealth announced that a cyber threat breached part of Change Healthcare's information technology network in late February. The company shut down the affected systems when the threat was identified, and the disruption has had widespread impact across the U.S. healthcare sector.
Witty told the subcommittee in his written testimony that the cyberattackers used “compromised credentials” to infiltrate Change Healthcare's systems on Feb. 12 and nine days later deployed ransomware that encrypted the network.
The portal that the attackers originally accessed was not protected by multifactor authentication (MFA), which requires users to verify their identity in at least two different ways.
Witty told both committees Wednesday that UnitedHealth now has MFA in all external systems.
