Fraud Management & Cybercrime , Ransomware , Standards, Regulations & Compliance
Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack
UnitedHealth Group CEO Andrew Witty Explains the Steps the Company Is TakingLawmakers on Wednesday grilled UnitedHealth Group CEO Andrew Witty over security lapses leading up to the Change Healthcare cyberattack and the company's handling of the incident, including the sectorwide disruption it caused and the compromise of millions of individuals' sensitive data.
See Also: Using the Netskope HIPAA Mapping Guide
"Americans are still in the dark about how much of their sensitive information was stolen, and the credit monitoring service UnitedHealth Group is offering is cold comfort," Senate Finance Committee chair Ron Wyden, D-Ore., said of the incident, which he described as "the biggest disruption to healthcare in U.S. history." Up to one-third of Americans are potentially affected, Witty estimated when pressed.*
UnitedHealth Group, which acquired Change Healthcare in late 2022, was in the process of updating Change Healthcare's IT systems when the attack occurred, Witty said during a hearing Wednesday morning by the Senate Finance Committee.
Later that afternoon, Witty testified before the House Energy and Commerce Committee's Oversight and Investigations Subcommittee.
Change Healthcare's technology was heavy on legacy systems and largely operated in data centers and on-premises when attackers accessed an external-facing Change server that lacked multifactor authentication, nine days before attackers launched the ransomware on Feb. 21, Witty told lawmakers (see: UnitedHealth CEO: Paying Ransom Was 'Hardest Decision' Ever).
Change Healthcare was established in 2007, but before it was purchased by UnitedHealth Group, the company was the result of multiple acquisition and had some legacy systems that dated back 40 years, Witty said.
Since the attack, Change's IT environment has been rebuilt from scratch and much of it has been moved to the cloud, which he said is "more secure." The CEO said the company has worked to bring all Change Healthcare systems up to UHG's cybersecurity standards, which includes requiring MFA on external-facing systems.
UnitedHealth Group - like much of the rest of the healthcare sector - is constantly under attack, and an attempt is made about every minute, Witty said.
He did not know why that particular Change Healthcare server lacked MFA protection and whether that deficiency might have been picked up on previous security audits but not remediated before the attack.
An expansive range of data in Change Healthcare's primary and backup systems was encrypted by the attack, and the decision to take all of Change Healthcare's IT systems offline in the immediate response to the attack helped prevent the infection from spreading, Witty said.
Lawmakers asked why affected individuals and healthcare providers have not yet been notified about a compromise involving their PHI and PII, and Witty explained that it took until mid-March for UnitedHealth Group to get the affected dataset back for review.
It could take several more weeks before the company is able to determine specifically what types of protected health information and personal identifiable information of which individuals were affected by the incident, Witty said.
In the meantime, the company is offering all Americans - whether they know for sure if their data was affected or not - the opportunity to sign up for 24 months of complimentary credit and identity monitoring services.
Wyden said he's all for offering affected individuals those kinds of services but that he views identity and credit monitoring as "the thoughts and prayers of data breaches."
National Security Worries
The incident poses extremely concerning national security concerns, Wyden said. "People claiming to be involved with this hack have asserted they stole data on American employees, including active duty U.S. military members," which is reminiscent of the 2015 hack on the U.S. Office of Personnel Management, Wyden said.
"This posed very serious counter-intelligence concerns, and I am very concerned about the national security implications of this hack as well."
Witty said he's also extremely concerned about "any patients' information" being compromised in the incident, and so far the company has determined that "a substantial portion of people across the country could be implicated here. We do believe there will be members of the armed forces and veterans associated," Witty said, pledging to "prioritize" that analysis as soon as possible.
Witty confirmed to lawmakers at both hearings that UnitedHealth Group paid the attacker a $22 million ransom in bitcoin.
Rep. Michael Burgess, R-TX, one of 19 physicians currently serving in Congress, expressed his anger at the cybercriminals and asked Witty how closely UnitedHealth Group is working with the Department of Justice and other government agencies in the investigation.
"I want to see someone arrested and forced to the center of town and shot for doing this," Burgess said. "So, are you helping law enforcement track these people down?" he asked Witty.
"Absolutely," Witty replied. "In the very first hours, we reached out to the FBI, and I would like to acknowledge the fantastic engagement we've had with the FBI every step of the way.
"We will continue to provide them with whatever information is helpful to them and hopefully track down and catch these folks," he said. "I am completely aligned with you - I would love to see these people brought to justice. And I hope we're the last people they ever attack."
Some lawmakers said the incident underscores the need for minimum cybersecurity standards for the healthcare ecosystem, and Witty said he supports that.
Sen. Mark Warner, D-Va., said minimum cybersecurity standards need to be widely implemented "across the food chain" of the healthcare ecosystem.
Other lawmakers, including Sen. Marsha Blackburn, R-Tenn., grilled Witty on why it has taken so long for UnitedHealth Group to resume full functioning of systems that medical practices rely on for claims processing - and ultimately their financial solvency.
Witty said most of the company's critical systems, including pharmacy, claims processing and authorization, are back online and operating normally, but some of the more ancillary systems are still being restored. UHG has already provided $6.5 million in interest-free loans to affected providers and will continue to offer that help, he said.
Blackburn and others questioned Witty about a lack of redundancy that might have allowed Change Healthcare's IT to continue to function during the recovery as well as the company's exclusivity clauses that prevented customers from having backup suppliers for their processing needs while the outage persisted.
Witty said the company is dropping exclusivity clauses in Change Healthcare's contracts and that he would encourage all providers to have at least two back-up plans in case of future attacks.
Because Change Healthcare customer files were encrypted in the attack, contacting those customers during the crisis was very difficult, he said.
It will take several more weeks for UHG to determine who to notify and what information is affected. The company is working with the Department of Health and Human Services to ensure it meets the notification and reporting duties and is offering to take 100% responsibility for notification to simplify the process, Witty said.
Other lawmakers, including Sen. Elizabeth Warren, D-Mass., cited UHG as an example of a company that has been allowed to grow too big through mergers and acquisitions. Warren expressed concern that UHG would use the cyberattack to grow even bigger by buying up doctor practices that have been stressed by the financial havoc caused by the crisis.
Witty said he'd agree to a "firewall," suggested by Wyden that would prevent UHG to use the occasion to gobble up troubled practices.
The Change Healthcare attack demonstrates multiple challenges the healthcare sector faces, Wyden said, but a company as large as UnitedHealth Group should have been better prepared.
"Companies that are so big have an obligation to protect their customers and to lead on this issue. I think your company on your watch let the country down."
*Updated May 3, 2024 UTC 13:09 to include Witty's estimate of percentage of Americans potentially affected in breach.