UnitedHealth CEO Andrew Witty (above) testifies before the Senate and committee members about the Change Healthcare cyberattack by AlphV. The vulnerable platform used by the hackers to access Change's sensitive information did not meet security guidelines set forth by the FBI and U.S. cyber health officials, which were issued in December 2023. The guidelines warned that AlphV/BlackCat was focused on healthcare organizations. (Photo: Al Drago/Bloomberg)
US lawmakers on May 1 questioned Andrew Whitty, CEO of UnitedHealth Group, over a devastating cyber attack on subsidiary Change Healthcare in February. The attack crippled the U.S. health care system for weeks, impacting the finances of health insurance companies, hospitals, doctors, pharmacies, patients, and all involved. UnitedHealth recently admitted that the head of the cybercriminal organization paid AlphV a $22 million ransom in Bitcoin. However, if the slighted attacker demanded additional money, some documents were also released in his April. While the full impact of the cyberattack on Change remains unclear, Witty detailed to senators how and when AlphV gained access to its systems.
To understand the scale of the cyberattack, readers must first understand the extensive control that UnitedHealth and its subsidiaries have over the U.S. healthcare system.
- UnitedHealth manages approximately 15 billion transactions annually and one-third of U.S. patient records.
- UnitedHealth is the parent company of Change Healthcare and OptumRX, one of the largest pharmacy benefits managers in the United States
- One in 10 U.S. physicians is supervised by UnitedHealth.
- UnitedHealth's 2023 revenue was $371 billion.
- UnitedHealth is the 11th largest company in the world.
- Change Healthcare processes billing and payments for an estimated 900,000 physicians, 5,500 hospitals, 33,000 pharmacies, and 600 laboratories.
Whitty was called to testify before the Senate Finance Committee and the House Energy and Commerce Committee on May 1, where senators criticized the health care giant's response to the hack. Democratic and Republican senators have come together to question whether the company is entrenched too deeply into the health care system, with vast amounts of data being stolen. Whitty acknowledged that the data breach compromised about one-third of Americans' medical records.
What happened to “hacking”?
Whitty's testimony provided a clearer picture of the timeline of the Change Healthcare hack, which began nine days before UnitedHealth shut down its systems. On February 12, Alphv (also known as BlackCat) infiltrated Change's systems using outdated servers that lacked multi-factor authentication (MFA), the most important cybersecurity measure. The hackers used “compromised credentials,” such as stolen passwords, to easily gain access through legacy technology employed by Change. Mr Whitty admitted that digital security was inadequate, including inadequate backup plans and no way to cover payments to providers during that time.
Sen. Ron Wyden (D-Ore.), chairman of the Finance Committee, spoke out and called UnitedHealth “Cybersecurity 101” for not employing the most basic types of cybersecurity measures (MFA). He said he had failed. Sen. Thom Tillis, RN.C., held up a copy of “Hacking for Dummies” to illustrate the point. Whitty said all UnitedHealth's “external facing systems” now use MFA and the company is increasing its cybersecurity efforts. Whitty argued that while UnitedHealth is constantly under a barrage of cyber threats and thwarts an intrusion every 70 seconds, that was not the case on February 12th.
“Steroid Monopoly”
UnitedHealth shut down Change's systems on February 21 to prevent cybercriminals from spreading the attack to other subsidiaries, limiting the attack to Change Healthcare, which it acquired in 2022. Change's acquisition was initially stalled by the Justice Department's efforts to block it. There are concerns that it has sparked massive consolidation in the health care industry, with Sen. Elizabeth Warren (D-Mass.) calling UnitedHealth a “steroid monopoly,” a sentiment echoed at a May 1 hearing. repeated again.
“Change Hacking is a dire warning of the consequences of 'too big to fail' giant corporations eating ever increasing share of the health care system,” Wyden said. He expressed frustration with the lack of transparency regarding stolen data, stressing that sensitive medical data stolen about active-duty military personnel poses a “clear national security threat.”
Whitty acknowledged that the company made mistakes in its efforts to cover payments to affected providers, but senators were quick to point out that the company continues to lose victims. “Almost every provider I've encountered is waiting to get paid,” Wyden said. Sen. Marsha Blackburn (R-Tenn.) agreed, saying her office continues to be inundated with calls from health care providers, some demanding payments worth a month's income. He shared that some people are in arrears.
The Office for Civil Rights said in March that it would investigate the incident to determine whether Change Healthcare followed patient privacy laws and whether any protected health information was compromised. Announced.
