United Health Group CEO Andrew Witty confirmed for the first time that the company has paid a $22 million ransom to hackers who broke into its subsidiary Change Healthcare, with far-reaching consequences across the healthcare sector. Witty's comments came during a hearing Wednesday before the U.S. Senate Finance Committee.
Change Healthcare offers payment, revenue management and other solutions such as e-prescription software. When the threat was identified, the company shut down affected systems, temporarily preventing many doctors from writing prescriptions or being paid for their services.
UnitedHealth told CNBC in April that it paid a ransom to protect patient data. Previous reports had discovered a $22 million transfer on the Bitcoin blockchain, but the company had not yet confirmed the figure.
“The decision to pay a ransom was mine,” Witty said. “This was one of the hardest decisions I have ever had to make and I would not wish it on anyone.”
UnitedHealth is one of the largest companies in the world with a market capitalization of around $450 billion. Its business units Optum – which serves 103 million customers – and Change Healthcare – which handles one in three patient records – merged in 2022.
Committee Chairman Sen. Ron Wyden, D-Ore., said in his opening statement that the Change Healthcare breach was a “bleak warning of the consequences of megacorporations that are too big to fail.”
“Companies this large have a duty to protect their customers and lead the way on this issue,” Wyden said.
Witty told the committee that cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication (MFA), which requires users to verify their identity in at least two different ways. He said UnitedHealth has now implemented MFA in all external systems.
“As a result of this malicious cyberattack, patients and providers have experienced disruption and people are concerned about their private health information,” Witty said. “I would like to say very clearly to everyone affected: I am deeply sorry.”
Sen. Thom Tillis, R-N.C., held up a bright yellow copy of “Hacking for Dummies” during the hearing and said UnitedHealth was responsible for fixing the breach.
“These are some basic things that have been overlooked. So it's a shame for internal audit, external audit and your systems people who are charged with redundancy, they're not doing their job,” Tillis said.
A filing with the U.S. Securities and Exchange Commission said UnitedHealth discovered in late February that a cyber threat actor had accessed part of Change Healthcare's information technology network.
Witty said Change Healthcare's core systems are back online, although some of its secondary support functions are still being restored.
UnitedHealth said in February that the Blackcat ransomware group was behind the attack. According to a December press release from the U.S. Department of Justice, Blackcat, also known as Noberus and ALPHV, steals sensitive data from institutions and threatens to release it unless a ransom is paid.
UnitedHealth confirmed in April that the breach compromised files containing protected health information and personal data. The company said a data review is ongoing and therefore it could take months before the company can notify affected individuals.
Witty said Wednesday that UnitedHealth is working with regulators to assess the breach and notify people “as quickly as possible” if their data has been compromised.
In early March, UnitedHealth launched a temporary financial assistance program to support providers that experienced cash flow disruptions due to the cyberattack. There are no fees, interest or other costs in addition to payments and providers have 45 days to repay the funds once their regular payment operations resume.
During the hearing, Witty said the company has not yet asked anyone for loan repayments and that it is up to providers to determine when their operations officially return to normal.
Witty did not immediately disclose whether UnitedHealth will provide additional support to providers who may be struggling with other loans and interest payments because of the breach.
Sen. Michael Bennet, D-Colo., pressed Witty to share how UnitedHealth is working to ensure something like the Change Healthcare breach doesn't happen again. Witty said the company plans to share its discoveries about the breach, adding that it needs to focus on reducing the rate of cyberattacks on the healthcare sector.
“We are clearly trying to assume our responsibilities in this attack. We are also trying to learn from it,” he said.
