UnitedHealth data breach caused by lack of multifactor authentification

Khristopher J. Brooks

Updated May 2, 2024 at 2:15 PM·3 min read

Oops!
Something went wrong.
Please try again later.

Hackers breached the computer system of a UnitedHealth Group subsidiary and released ransomware after stealing someone's password, CEO Andrew Witty testified Wednesday on Capitol Hill. The cybercriminals entered through a portal that didn't have multifactor authentification (MFA) enabled.

During an hourslong congressional hearing, Witty told lawmakers that the company has not yet determined how many patients and health care professionals were impacted by the cyberattack on Change Healthcare in February. The hearing focused on how hackers were able to gain access to Change Healthcare, a separate division of UnitedHealth that the company acquired in October 2022. Members of the House Energy and Commerce Committee asked Witty why the nation's largest health care insurer did not have the basic cybersecurity safeguard in place before the attack.

"Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty said. "But for some reason, which we continue to investigate, this particular server did not have MFA on it."

Multifactor authentication adds a second layer of security to password-protected accounts by having users enter an auto-generated code sent to their phone or email. A common feature on apps, the safeguard is used to protect customer accounts against hackers who obtain or guess passwords. Witty said all logins for Change Healthcare now have multifactor authentication enabled.

The cyberattack came from Russia-based ransomware gang ALPHV or BlackCat. The group itself claimed responsibility for the attack, alleging it stole more than six terabytes of data, including "sensitive" medical records. The attack triggered a disruption of payment and claims processing around the country, stressing doctor's offices and health care systems by interfering with their ability to file claims and get paid.

Witty confirmed Wednesday that UnitedHealth paid a $22 million ransom in the form of bitcoin to BlackCat, a decision he made on his own, according to prepared testimony before the hearing. Despite the ransom payment, lawmakers said Wednesday that some of the sensitive records from patients have still been posted by hackers on the dark web.

The ransom payment "was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone," Witty said.

The scale of the attack — Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association — meant that even patients who weren't customers of UnitedHealth were potentially affected. The company said earlier this month that personal information that could cover a "substantial portion of people in America" may have been taken in the attack.

The breach has already cost UnitedHealth Group nearly $900 million, company officials said in reporting first-quarter earnings last week, not including ransom paid.

Ransomware attacks, which involve disabling a target's computer systems, have become increasingly common within the health care industry. The annual number of ransomware attacks against hospitals and other health care providers doubled from 2016 to 2021, according to a 2022 study published in JAMA Health Forum.

Arizona governor signs 1864 abortion ban repeal into law

Some 401(k) plans may cut you a monthly check

Google makes case against DOJ's antitrust allegations

TechCrunch
UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack
Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it’s still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare’s parent company UnitedHealth Group, said that the stolen files include the personal health information of “a substantial proportion of people in America.” On Wednesday, during a House hearing, when pushed to give a more definitive answer, Witty testified that the breach impacted “I think, maybe a third [of Americans] or somewhere of that level.”
TechCrunch
UnitedHealth data breach should be a wake-up call for the UK and NHS
The ransomware attack that has engulfed U.S. health insurance giant UnitedHealth Group and its tech subsidiary Change Healthcare is a data privacy nightmare for millions of U.S. patients, with CEO Andrew Witty confirming this week that it may impact as much as one-third of the country. As one of the largest healthcare companies in the U.S., UnitedHealth is well known domestically, intersecting with every facet of the healthcare industry from insurance and billing and winding all the way through the physician and pharmacy networks -- it's a $500 billion juggernaut, and the 11th largest company globally by revenue.
TechCrunch
UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack
UnitedHealth Group Chief Executive Officer Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all the company’s systems exposed to the internet in response to the recent cyberattack against its subsidiary Change Healthcare. The lack of multi-factor authentication was at the center of the ransomware attack that hit Change Healthcare earlier this year, which impacted pharmacies, hospitals and doctors' offices across the United States. Multi-factor authentication, or MFA, is a basic cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.
TechCrunch
Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO
The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company's systems that weren't protected by multifactor authentication (MFA), according to the chief executive of its parent company, UnitedHealth Group (UHG). UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system. This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare's systems, during which massive amounts of health data were exfiltrated from its systems.
TechCrunch
UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America'
Health insurance giant UnitedHealth Group has confirmed that a ransomware attack on its health tech subsidiary Change Healthcare earlier this year resulted in a huge theft of Americans' private healthcare data. UnitedHealth said in a statement on Monday that a ransomware gang took files containing personal data and protected health information that it says may "cover a substantial proportion of people in America." The health insurance giant did not say how many Americans are affected but said the data review was "likely to take several months" before the company would begin notifying individuals that their information was stolen in the cyberattack.
Yahoo Finance
Stock market today: S&P 500 breaches 5,300 as stocks rally to records after CPI
Stocks edged higher on Wednesday as investors digested fresh readings on inflation and consumer spending.
TechCrunch
Google adds live threat detection and screen-sharing protection to Android
On the second day of the Google I/O 2024 conference, Google said on Wednesday that it is adding new security and privacy protections to Android, including on-device live threat detection to catch malicious apps, new safeguards for screen sharing, and better security against cell site simulators. The company said it is increasing the on-device capability of its Google Play Protect system to detect fraudulent apps trying to breach sensitive permissions. Google said if the system is certain about malicious behavior, it disables the app automatically.
TechCrunch
Senate study proposes 'at least' $32B yearly for AI programs
A long-running working group in the Senate has issued its policy recommendation for federal funding for AI: $32 billion yearly, covering everything from infrastructure to grand challenges to national security risk assessments. In a final report published by the office of Chuck Schumer (D-NY), majority leader in the Senate, the bipartisan working group identifies the most important areas of investment to keep the U.S. competitive with its rivals abroad. "A cross-government AI R&D effort, including relevant infrastructure," meaning getting the DOE, NSF, NIST, NASA, Commerce, and half a dozen other agencies and departments to format and share data in an AI-friendly way.
Engadget
Ubisoft's planned free-to-play Division game is dead
Ubisoft is killing its planned free-to-play Division game as it doubles down on open-world and live-service titles.
TechCrunch
Google still hasn't fixed Gemini's biased image generator
Back in February, Google paused its AI-powered chatbot Gemini's ability to generate images of people after users complained of historical inaccuracies. Google CEO Sundar Pichai apologized, and Demis Hassabis, the co-founder of Google's AI research division DeepMind, said that a fix should arrive "in very short order" — but we're now well into May, and the promised fix has yet to appear. Google touted plenty of other Gemini features at its annual I/O developer conference this week, from custom chatbots to a vacation itinerary planner and integrations with Google Calendar, Keep and YouTube Music.
Yahoo Sports
PGA Championship: Ludvig Åberg, dealing with knee injury, trying to ‘focus on the golf’ after Masters finish
Ludvig Åberg, who finished in second at the Masters last month, will be playing with a knee brace this week at Valhalla.
Yahoo Sports
New Statcast hitting metrics explained, Phillies first to 30 wins, Angels are scuffling
Jake Mintz & Jordan Shusterman break down all the new Statcast hitting metrics released by MLB, the Phillies success that’s led to them to being the first team to 30 wins this season, the Angels continuing to be a disappointment and other news from around the league.
Yahoo Sports
Jokic takes over, Knicks bully Pacers & LeBron shows up in Cleveland | Good Word with Goodwill
Vincent Goodwill checks in from Denver after watching the Nuggets take game 5 from the Timberwolves to break down the NBA Playoffs and the Lakers coaching search.
Yahoo News
Trump hush money trial: What we've learned from the Stormy Daniels and Michael Cohen testimony so far
Here are some of the key highlights, revelations and dramatic moments from the combined 16 and a half hours that the prosecution’s star witnesses spent on the witness stand.
Yahoo Life Shopping
'Way better than the oven': This Betty Crocker countertop pizza maker cooks pies in a snap — nab it on sale
If 'za is your love language, this little gadget will make you swoon.
Yahoo TV
Kevin Costner shares his side of 'Yellowstone' drama: Where he stands on the future of the series
Part one of "Yellowstone" Season 5 ended in January 2023. Since then, its star Kevin Costner walked away from his starring role — and there's been a very public back-and-forth over why that happened.
Autoblog
Lawmakers call out eight automakers for sharing connected vehicle data
Eight automakers admitted to sharing location and other data with law enforcement without a warrant or owner consent.
Yahoo Finance
Housing costs still push inflation higher but rise at slowest annual rate in two years
Shelter costs continued to pressure inflation in April, but a moderation continues and economists expect these pressure to ease in the months ahead.
Yahoo Life Shopping
Tell biting bugs to buzz off with this top-selling $17 indoor fly trap that uses zero chemicals
An insect-buster that has over 18,000 five-star fans? We'll bite!
TechCrunch
Google TV to launch AI-generated movie descriptions
As anticipated, numerous AI-related announcements were made at this year's Google I/O 2024 conference, including the unveiling of a new feature for Google TV. Gemini, the company's family of generative AI models, will enhance the smart TV operating system so it can generate descriptions for movies and TV shows. When a description is missing on the home screen, the AI will fill it in automatically to ensure that viewers never have to wonder what a title is about, Google explains.

News

Life

Entertainment

Finance

Sports

New on Yahoo

UnitedHealth data breach caused by lack of multifactor authentification

Recommended Stories

UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack

UnitedHealth data breach should be a wake-up call for the UK and NHS

UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack

Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO

UnitedHealth says Change hackers stole health data on 'substantial proportion of people in America'

Stock market today: S&P 500 breaches 5,300 as stocks rally to records after CPI

Google adds live threat detection and screen-sharing protection to Android

Senate study proposes 'at least' $32B yearly for AI programs

Ubisoft's planned free-to-play Division game is dead

Google still hasn't fixed Gemini's biased image generator

PGA Championship: Ludvig Åberg, dealing with knee injury, trying to ‘focus on the golf’ after Masters finish

New Statcast hitting metrics explained, Phillies first to 30 wins, Angels are scuffling

Jokic takes over, Knicks bully Pacers & LeBron shows up in Cleveland | Good Word with Goodwill

Trump hush money trial: What we've learned from the Stormy Daniels and Michael Cohen testimony so far

'Way better than the oven': This Betty Crocker countertop pizza maker cooks pies in a snap — nab it on sale

Kevin Costner shares his side of 'Yellowstone' drama: Where he stands on the future of the series

Lawmakers call out eight automakers for sharing connected vehicle data

Housing costs still push inflation higher but rise at slowest annual rate in two years

Tell biting bugs to buzz off with this top-selling $17 indoor fly trap that uses zero chemicals

Google TV to launch AI-generated movie descriptions