In a shocking revelation, UnitedHealth CEO Andrew Witty testified before two congressional committees on Wednesday about a massive cyberattack on the company’s tech unit, Change Healthcare. The breach, which occurred in February, potentially compromised the data of a third of all Americans, making it the largest cyberattack on a U.S. health insurer.
During the hearings, Witty faced intense questioning from House Energy and Commerce Committee members about the company’s failure to prevent the breach and contain its impact. He revealed that the stolen data included protected health information and personally identifiable information of millions of Americans.
“We continue to investigate the amount of data involved here,” Witty said. “We do think it’s going to be substantial.”
The cyberattack was carried out by the criminal gang AlphV, who hacked into Change Healthcare’s system using stolen login credentials on an older server that did not have multifactor authentication. Witty also admitted that the platform was in the process of being upgraded following UnitedHealth’s acquisition of Change in 2022.
What is even more concerning is that the platform did not have the necessary security measures recommended by the FBI and U.S. cyber and health officials in a joint alert issued in December 2023, specifically warning about AlphV targeting healthcare organizations.
To make matters worse, UnitedHealth paid the hackers a ransom of $22 million in bitcoin. However, Witty stated that there is no guarantee that the stolen data is secure and cannot be leaked. In fact, another hacking group claiming to be an offshoot of AlphV has come forward, stating that they have a copy of the data. While the company has not verified this claim, it is a cause for further concern.
The Senate Finance Committee also probed into the outsized influence of UnitedHealth, which has a market capitalization of $445 billion and annual revenue of $372 billion, on the American healthcare system. However, Witty reassured the committee that the company’s problems are not a threat to the broader economy.
Senator Bill Cassidy raised concerns about the company’s dominant role in the healthcare industry, stating that “if it fails, it’s going to bring down far more than it ordinarily would.” In response, Witty emphasized that despite its size, UnitedHealth does not own any hospitals or drug manufacturers.
However, it is important to note that Change Healthcare processes medical claims for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories in the U.S. This means that the impact of the cyberattack is far-reaching and has caused widespread disruptions in claims processing, affecting patients and providers across the country.
In a shocking revelation, Witty also disclosed that data belonging to U.S. military members was also stolen in the hack, although he did not specify the number of individuals affected.
The hack has not only caused financial damage to UnitedHealth but has also had a significant impact on healthcare providers. The American Hospital Association reported that an internal survey of its members found that 94% of hospitals reported damage to cash flow, and more than half reported “significant or serious” financial damage due to Change’s inability to process claims.
Similarly, the American Medical Association conducted a survey of doctors, with 90% of respondents stating that they continue to lose revenue because of the hack. This has had a direct impact on patient care, with many seniors unable to pick up their prescriptions due to the disruption in claims processing.
In light of these revelations, Senate Finance Committee Chairman Ron Wyden called the hack a national security threat. He also expressed concern over UnitedHealth’s lack of transparency regarding the extent of the data breach and its impact on patients and providers.
“UnitedHealth Group has not revealed how many patients’ private medical records were stolen, how many providers went without reimbursement, and how many seniors are unable to pick up their prescriptions as a result of the hack,” said Wyden.
The cyberattack on UnitedHealth’s tech unit has not only exposed the vulnerabilities in the healthcare industry’s cybersecurity but has also highlighted the need for stronger measures to protect sensitive patient data. It is imperative that companies like UnitedHealth take responsibility for safeguarding the data of millions of Americans and work towards preventing such attacks in the future.
In conclusion, the cyberattack on UnitedHealth’s tech unit is a wake-up call for the healthcare industry to prioritize cybersecurity and take necessary measures to protect patient data. It is also a reminder for companies to be transparent and accountable in the face of
