UnitedHealth CEO Andrew Witty testified before the House Energy and Commerce Committee that the personal data of potentially a third of US citizens may have been exposed on the dark web following the ransomware attack on its Change Healthcare unit.
Despite paying a $22 million ransom in Bitcoin to regain access to encrypted files, Witty admitted that the company cannot confirm whether copies of the data were made or published online.
During the hearing, Witty initially indicated that a “substantial proportion” of individuals were impacted based on preliminary targeted data sampling. However, under further questioning, he specified that the breach could affect “maybe a third” of the US population, though he could not provide a definite figure as the investigation is ongoing.
Witty also mentioned that efforts to monitor the internet and dark web for any signs of the data leak were ongoing.
Additionally, he disclosed hearing of a splinter cybercriminal group that had threatened to release patient information but from whom the company has not received recent communications.
Multi-factor authentication and other concerns
A significant concern raised by the Committee was UnitedHealth’s failure to implement multi-factor authentication (MFA), a now-standard cybersecurity measure.
The committee emphasized that MFA should be a fundamental expectation for an entity like Change Healthcare, given the vast amount of sensitive data it handles.
Witty explained that Change Healthcare, which merged into UnitedHealth towards the end of 2022, utilized older technologies that the company had been updating since its acquisition.
However, the timing proved critical as the ransomware attack compromised both the primary and backup systems, rendering the backups inoperable and exacerbating the impact of the breach.
The committee also highlighted a joint cybersecurity alert issued in December 2023 by the FBI, HHS, and the Cybersecurity Infrastructure Security Agency. This alert detailed the tactics of a sophisticated Russian hacker group known as Alpha 5 or Black Cat that targets critical infrastructure.
In response, Witty acknowledged that a server within Change Healthcare lacked the protective measures outlined in the alert, and he confirmed that an investigation into this oversight is underway.
The committee further expressed concerns about the potential national security implications if the personal records of federal employees were compromised in the breach. They emphasized the importance of UnitedHealth notifying them promptly if such a breach occurred, underscoring the gravity of the situation.
Response to the attack
Witty said UnitedHealth is in the process of restoring its operations, a task prolonged by the necessity to rebuild its platforms using modern, often cloud-based technologies that offer enhanced security features compared to pre-attack systems.
UnitedHealth has also engaged several third-party vendors to bolster its cybersecurity measures, including Mandiant, Palo Alto Systems, and Bishop Fox. Furthermore, UnitedHealth has appointed Mandiant as a permanent advisor to enhance ongoing security efforts.
“… we’ve brought into the organization supplemental screening capabilities with third-party organizations, so making sure that we have secondary and tertiary level screening going on in the organization in addition to our own capabilities,” Witty said. “And we’re also reviewing through our investigations any lessons learned from this attack, which will obviously not only be implemented across United, but we’ll share with other partners in the system.”
However, when questioned about which vendors were responsible for cybersecurity at the time of the attack, Witty stated that he did not have the names.
The company is also working on new platforms to improve customer confidence after the incident. “We’ve had those platforms tested by all the best cybersecurity companies in the country, including aggressive penetration tests to prove that they can withstand the highest levels of assault, that we share that information with key partners in the system who need to connect with us,” Witty said.