Hackers breached the pc system of a UnitedHealth Group subsidiary and launched ransomware after stealing somebody’s password, CEO Andrew Witty testified Wednesday on Capitol Hill. The cybercriminals entered by means of a portal that did not have multifactor authentification (MFA) enabled.
Throughout an hourslong congressional listening to, Witty instructed lawmakers that the corporate has not but decided what number of sufferers and well being care professionals had been impacted by the cyberattack on Change Healthcare in February. The listening to targeted on how hackers had been in a position to achieve entry to Change Healthcare, a separate division of UnitedHealth that the corporate acquired in October 2022. Members of the Home Power and Commerce Committee requested Witty why the nation’s largest well being care insurer didn’t have the fundamental cybersecurity safeguard in place earlier than the assault.
“Change Healthcare was a comparatively older firm with older applied sciences, which we had been working to improve because the acquisition,” Witty mentioned. “However for some purpose, which we proceed to analyze, this explicit server didn’t have MFA on it.”
Multifactor authentication provides a second layer of safety to password-protected accounts by having customers enter an auto-generated code despatched to their cellphone or e mail. A typical function on apps, the safeguard is used to guard buyer accounts towards hackers who receive or guess passwords. Witty mentioned all logins for Change Healthcare now have multifactor authentication enabled.
The cyberattack got here from Russia-based ransomware gang ALPHV or BlackCat. The group itself claimed duty for the assault, alleging it stole greater than six terabytes of knowledge, together with “delicate” medical data. The assault triggered a disruption of fee and claims processing across the nation, stressing physician’s workplaces and well being care programs by interfering with their skill to file claims and receives a commission.
Witty confirmed Wednesday that UnitedHealth paid a $22 million ransom within the type of bitcoin to BlackCat, a call he made on his personal, in keeping with ready testimony earlier than the listening to. Regardless of the ransom fee, lawmakers mentioned Wednesday that a few of the delicate data from sufferers have nonetheless been posted by hackers on the darkish net.
The ransom fee “was one of many hardest selections I’ve ever needed to make and I would not want it on anybody,” Witty mentioned.
The dimensions of the assault — Change Healthcare processes 15 billion transactions a 12 months, in accordance to the American Hospital Affiliation — meant that even sufferers who weren’t prospects of UnitedHealth had been doubtlessly affected. The corporate mentioned earlier this month that non-public info that might cowl a “substantial portion of individuals in America” might have been taken within the assault.
The breach has already price UnitedHealth Group almost $900 million, firm officers mentioned in reporting first-quarter earnings final week, not together with ransom paid.
Ransomware assaults, which contain disabling a goal’s laptop programs, have turn out to be more and more frequent throughout the well being care trade. The annual variety of ransomware assaults towards hospitals and different well being care suppliers doubled from 2016 to 2021, in keeping with a 2022 examine printed in JAMA Well being Discussion board.
