Advertisement

Close this content

UnitedHealth Hack Put Data of One in Three Americans at Risk

John Tozzi

May 1, 2024 at 5:25 PM·5 min read

Oops!
Something went wrong.
Please try again later.
Oops!
Something went wrong.
Please try again later.

(Bloomberg) -- UnitedHealth Group Inc. Chief Executive Officer Andrew Witty told lawmakers his company is still trying to determine why its computer systems were left vulnerable to hackers who perpetrated a devastating cyberattack.

Most Read from Bloomberg

Lawmakers zeroed in on lax defenses during more than two hours of questioning by the Senate Finance Committee, in the first of two congressional hearings about the breach on Wednesday. The intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure used on consumer bank accounts — and got access to a hoard of health and personal data. Witty said the trove might cover one-third of Americans.

“We’re trying to dig through exactly why that server had not been protected,” Witty told lawmakers. “I’m as frustrated as anybody about that fact.”

Some lawmakers said the company had neglected basic safeguards and failed both to prevent the attack and recover from it, with backup systems that were also vulnerable. “This company flunked both,” said Senator Ron Wyden, the Oregon Democrat who chairs the Finance Committee.

The largest US health insurer faced aggressive questions from some lawmakers over the February hacking incident, including concerns about whether its vast reach into myriad health-care operations concentrated risk that cybercriminals exploited. The hack snarled billions of dollars in payments for doctors and hospitals.

The ransomware strike that wrecked systems at UnitedHealth’s Change Healthcare subsidiary will likely be the largest health-care data breach in the US to date, the company said. It’s also among the most costly hacks ever, denting UnitedHealth’s profit by as much as $1.6 billion this year.

Witty was the sole witness to appear in the hearings, which also included an afternoon session with a subcommittee of the House Energy and Commerce Committee. Lawmakers from both parties expressed concern about UnitedHealth’s size at a separate House panel two weeks ago.

Senator Elizabeth Warren, the Massachusetts Democrat, called on regulators to break up the company during the Wednesday hearing. Even conservatives expressed concern about its corporate power.

“Is the dominant role of United too dominant, because it’s into everything, and messing up United messes up everybody?” said Senator Bill Cassidy, a Republican from Louisiana.

Witty said Change Healthcare’s footprint was the same as it was before UnitedHealth acquired it in 2022. The company UnitedHealth bought for almost $8 billion ran on legacy technology, he said, with some systems 40 years old. “We’ve been working to improve those,” he said.

UnitedHealth’s shares closed almost unchanged Wednesday, a sign that Witty’s grilling in Washington had little impact for investors.

Read More: Hack That Paralyzed US Health Care Turns Up Scrutiny on Insurer

Lax Defense

Wyden said the committee is drafting legislation in response to the attack. He called again for standards for the industry, and said larger companies would have to meet tougher standards. “The bigger the company the more significant your responsibilities,” he said.

UnitedHealth faces constant attacks from intruders trying to crack digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of those attempts wasn’t immediately clear.

Despite the persistent threat, he said the intruders gained entry to Change Healthcare’s systems through a Citrix remote access portal that wasn’t protected by multifactor authentication, a common cyberdefense meant to thwart hackers by requiring more than a password to verify that a login is legitimate.

Once they broke into the system on Feb. 12, attackers claiming to be the notorious cybercrime group BlackCat pilfered data undetected for more than a week. They deployed ransomware nine days later. Witty said he was at a board meeting when he learned of the attack on Feb. 21.

Wyden questioned whether UnitedHealth knew how much personal data of its users was stolen. “You don’t have the logs to show what data walked out the door,” he said.

Witty estimated that the data breach could affect about one-third of all Americans — which would be more than 100 million people — though he said the number was uncertain. Facing a House panel in the afternoon, he said he couldn’t guarantee that hackers hadn’t copied stolen the data to distribute online.

The full extent of that breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The company has set up a site to offer credit monitoring and other help.

Witty said he decided to pay a ransom to protect patient data, “one of the hardest decisions I’ve ever had to make.” He confirmed that the payment was $22 million, a figure that has previously been reported based on an analysis of cryptocurrency payments.

He also said the attackers locked up the company’s backup systems, delaying how long it took to restore Change Healthcare’s services. UnitedHealth rebuilt much of the infrastructure from scratch on cloud-based systems, he said.

He told the committee that UnitedHealth’s response was “swift and forceful,” by disconnecting Change’s systems from the rest of the health-care world. While that was “extremely disruptive,” he said it stopped the damage from spreading more widely.

The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash-flow interruptions.

Witty also said the company supports minimum security standards for health-care companies and improvements to the US’s cyber defenses, including standardized reporting of cybersecurity events.

--With assistance from Jamie Tarabay, Alexander Ruoff and Andrew Martin.

(Updates with additional details about data breach and the closing share price, starting in second paragraph)

Most Read from Bloomberg Businessweek

©2024 Bloomberg L.P.

TechCrunch
UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack
UnitedHealth Group Chief Executive Officer Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all the company’s systems exposed to the internet in response to the recent cyberattack against its subsidiary Change Healthcare. The lack of multi-factor authentication was at the center of the ransomware attack that hit Change Healthcare earlier this year, which impacted pharmacies, hospitals and doctors' offices across the United States. Multi-factor authentication, or MFA, is a basic cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.
TechCrunch
Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO
The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems.
TechCrunch
UnitedHealth data breach should be a wake-up call for the UK and NHS
The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country. As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks -- it's a $500 billion juggernaut, and the 11th largest company globally by revenue.
TechCrunch
UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack
Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it’s still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare’s parent company UnitedHealth Group, said that the stolen files include the personal health information of “a substantial proportion of people in America.” On Wednesday, during a House hearing, when pushed to give a more definitive answer, Witty testified that the breach impacted “I think, maybe a third [of Americans] or somewhere of that level.”
TechCrunch
UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America'
Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans' private healthcare data. UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may "cover a substantial proportion of people in America." The health insurance giant did not say how many Americans are affected but said the data review was "likely to take several months" before the company would begin notifying individuals that their information was stolen in the cyberattack.
Autoblog
Lawmakers call out eight automakers for sharing connected vehicle data
Eight automakers admitted to sharing location and other data with law enforcement without a warrant or owner consent.
Yahoo Sports
PGA Championship: Brooks Koepka, big-game hunter, is in his element
Brooks Koepka heads to the PGA Championship seeking his sixth career major victory.
Yahoo Life
Extreme heat can be dangerous for kids. Here's how to keep them safe in high temperatures.
"Kids' bodies produce heat faster than adults and they can't get rid of that heat as quickly," an expert warns.
Yahoo Finance
Housing costs still push inflation higher but rise at slowest annual rate in two years
Shelter costs continued to pressure inflation in April, but a moderation continues and economists expect these pressure to ease in the months ahead.
Engadget
Google's Wear OS 5 promises better battery life
Google has unveiled Wear OS 5 at its I/O developer conference today, giving us a glimpse of new features and other improvements coming with the platform.
Yahoo Life Shopping
Tell biting bugs to buzz off with this top-selling $17 indoor fly trap that uses zero chemicals
An insect-buster that has over 18,000 five-star fans? We'll bite!
TechCrunch
Uber has a new way to solve the concert traffic problem
Uber is taking a shuttle product it developed for commuters in India and Egypt and converting it for an American audience. The ride-hail and delivery giant announced Wednesday at its annual Go-Get event in New York City it will launch a shuttle service in certain U.S. cities this summer. Uber Shuttle in the U.S. will repurpose the technology and business model that Uber has built to help commuters in emerging markets where there's a public transportation gap.
Yahoo Finance
Stock market today: Stocks eye record highs as cooler inflation revives Fed rate cut hopes
Stocks edged higher on Wednesday as investors digested fresh readings on inflation and consumer spending.
TechCrunch
The top AI announcements from Google I/O
Google’s going all-in on AI — and it wants you to know it. During the company’s keynote at its I/O developer conference on Tuesday, Google mentioned “AI” more than 120 times. Google plans to use generative AI to organize entire Google Search results pages.
Yahoo Life Shopping
These are the best under eye creams of 2024, tested and reviewed
From bags to dark circles, wrinkles to crepey skin, the delicate area under our eyes poses a host of issues. Here's how to safely target them.
Autoblog
25 cars most likely, and 25 least likely, to face future recalls
Automotive data firm iSeeCars looked at past government vehicle recall data and then projected future likely recall expectations, creating a list of cars most and least likely to be recalled.
Yahoo Finance
Retail sales flat in April, falling short of Wall Street's expectations
April's update on retail sales comes as economists are closely watching for any signs of weakening consumer demand amid sticky inflation and higher interest rates.
Yahoo Finance
Walmart Q1 earnings preview: Wall Street expects positive momentum as consumers seek value
The retail giant is expected to report strong numbers as Americans looks to stretch their dollars.
Yahoo News
Trump hush money trial: What we've learned from the Stormy Daniels and Michael Cohen testimony so far
Here are some of the key highlights, revelations and dramatic moments from the combined 16 and a half hours that the prosecution’s star witnesses spent on the witness stand.
Yahoo Sports
'Hard Knocks' extending to offseason access and will feature the Giants
The Giants' offseason will be on full display for "Hard Knocks."