(Bloomberg) — UnitedHealth Group Inc. CEO Andrew Witty defended the company’s response to a disastrous cyberattack that disrupted payments to doctors in the first consecutive hearing in Washington.
Bloomberg’s Most Read
The largest U.S. health insurer faced aggressive questions from some lawmakers over the February hacking incident ahead of the hearings, including concerns about whether its vast reach across numerous health care operations concentrated the risk that cybercriminals exploited.
The ransomware attack that destroyed the systems of UnitedHealth’s Change Healthcare subsidiary will likely be the largest U.S. healthcare data breach to date, the company said. It is also one of the costliest attacks ever, reducing UnitedHealth’s profit by up to $1.6 billion this year.
Witty is the only witness scheduled for hearings before the Senate Finance Committee on Wednesday morning and the House Energy and Commerce Oversight and Investigations Subcommittee in the afternoon. Lawmakers from both parties expressed concerns about UnitedHealth’s size at a separate House panel two weeks ago.
UnitedHealth shares were relatively unchanged at 9:45 a.m. in New York.
UnitedHealth faces constant attacks from intruders trying to breach its digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of these attempts was not immediately clear.
Despite the persistent threat, he said the attackers were able to get into Change Healthcare’s systems through a Citrix remote access portal that was not protected by multi-factor authentication, a common cyber defense intended to thwart hackers by requiring more than a password. to check whether a login has been made. lawful.
Once they broke into the system on February 12, attackers claiming to be the notorious BlackCat cybercrime group stole data undetected for more than a week. They deployed the ransomware nine days later.
Senator Ron Wyden, chairman of the Finance Committee, blamed UnitedHealth for failing to prevent a hack that he said could have been stopped with basic cybersecurity precautions. Witty needs to explain “how a company of UHG’s size and importance could not have multi-factor authentication on a server that provides open access to protected health information,” Wyden, an Oregon Democrat, said at the hearing.
Wyden questioned whether UnitedHealth knew how much of its users’ personal data was stolen. “You don’t have records to show what data went out the door,” he said.
The full extent of this breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The theft could cover a “substantial proportion” of Americans, the company said. A website has been created to offer credit monitoring and other help.
Witty said he decided to pay a ransom to protect patient data, “one of the most difficult decisions I have ever had to make, and he confirmed that the payment was $22 million, an amount that has been previously reported based on an analysis of cryptocurrency payments.
He told the committee that UnitedHealth’s response was “swift and forceful” in disconnecting Change’s systems from the rest of the healthcare world. While this was “extremely disruptive,” he said it stopped the damage from spreading more widely.
The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash flow disruptions.
Witty also said the company supports minimum security standards for healthcare companies and improvements to U.S. cyber defenses, including standardized reporting of cybersecurity events.
–With assistance from Jamie Tarabay.
(Updates with Witty confirming ransom size in 12th paragraph.)
Bloomberg Businessweek Most Read
©2024 Bloomberg LP
