UnitedHealth CEO tells lawmakers the corporate paid hackers a $22 million ransom

UnitedHealth Group CEO Andrew Witty confirmed for the primary time that the corporate paid a $22 million ransom to hackers who breached its subsidiary Change Healthcare and prompted widespread fallout throughout the health-care sector. Witty’s feedback had been made throughout a Wednesday listening to earlier than the U.S. Senate Committee on Finance.

Change Healthcare offers cost, income administration and different options like e-prescription software program. The corporate disconnected affected techniques when the risk was detected, leaving many docs briefly unable to fill prescriptions or receives a commission for his or her companies.

UnitedHealth advised CNBC in April that it paid a ransom to attempt to defend affected person information. Earlier reviews had discovered a $22 million transfer on Bitcoin’s blockchain, however the firm had not confirmed the determine till now.

“The choice to pay a ransom was mine,” Witty mentioned. “This was one of many hardest selections I’ve ever needed to make, and I would not want it on anybody.”

UnitedHealth is without doubt one of the largest corporations on the earth, with a roughly $450 billion market cap. Its enterprise unit Optum — which offers care to 103 million prospects — and Change Healthcare — which touches one in three affected person information — merged in 2022.

Committee Chairman Sen. Ron Wyden, D-Ore., mentioned in his opening remarks that the Change Healthcare breach serves as a “dire warning concerning the penalties of too-big-to-fail mega-corporations.”

“Corporations which can be so massive have an obligation to guard their prospects and to guide on this difficulty,” Wyden mentioned.

Witty advised the committee that cybercriminals accessed Change Healthcare by a server that was not protected by multi-factor authentication, or MFA, which requires customers to confirm their identification in not less than two alternative ways. He mentioned UnitedHealth now has MFA in place throughout all external-facing techniques.

“Because of this malicious cyberattack, sufferers and suppliers have skilled disruptions and individuals are frightened about their personal well being information,” Witty mentioned. “To all these impacted, let me be very clear: I’m deeply, deeply sorry.”

Sen. Thom Tillis, R-N.C., held up a brilliant yellow copy of “Hacking for Dummies” through the listening to, saying the breach is UnitedHealth’s duty to repair.

“That is some fundamental stuff that was missed, so disgrace on inner audit, exterior audit and your techniques of us tasked with redundancy, they are not doing their job,” Tillis mentioned.

A submitting with the U.S. Securities and Trade Fee mentioned that UnitedHealth found {that a} cyber risk actor accessed a part of Change Healthcare’s data expertise community in late February.

Witty mentioned Change Healthcare’s core techniques are again on-line, although a few of its secondary assist features are nonetheless being restored.

UnitedHealth mentioned in February that the ransomware group Blackcat was behind the assault. Blackcat, which additionally goes by the names Noberus and ALPHV, steals delicate information from establishments and threatens to publish it until a ransom is paid, in line with a December release from the U.S. Division of Justice.

UnitedHealth confirmed in April that information containing protected well being data and personally identifiable data had been compromised within the breach. The corporate mentioned a knowledge evaluate is ongoing, so it may very well be months earlier than the corporate can notify affected people.

Witty mentioned Wednesday that UnitedHealth is working with regulators to evaluate the breach and to tell folks if their data has been compromised “as quickly as potential.”

Early in March, UnitedHealth launched a brief funding assistance program to assist assist suppliers which have skilled money circulation disruptions as a result of cyberattack. There aren’t any charges, curiosity or different prices on prime of the funds, and suppliers have 45 days to repay the funds as soon as their normal cost operations resume. 

Throughout the listening to, Witty mentioned the corporate has not but requested anybody for mortgage repayments, and will probably be as much as suppliers to find out when their operations have formally returned to regular.

Witty didn’t straight disclose whether or not UnitedHealth will present further assist to suppliers who could also be contending with different loans and curiosity funds due to the breach.

Sen. Michael Bennet, D-Colo., pressed Witty to share how UnitedHealth is working to make sure one thing just like the Change Healthcare breach is not going to occur once more. Witty mentioned the corporate plans to share what it discovers concerning the breach with others, including that there is a have to deal with decreasing the speed of cyberattacks on the health-care sector.

“We’re clearly making an attempt to take our duty on this assault. We’re additionally making an attempt to be taught from it,” he mentioned.