UnitedHealth Group CEO Andrew Whitty said during a Senate Finance Committee hearing on May 1, 2024 in Washington, D.C. He testified about the February 21st cyber attack.Photo: Al Drago/Bloomberg
Members of the Senate Finance Committee finally had a chance Wednesday to grill UnitedHealth Group CEO Andrew Whitty over the cyberattack on UnitedHealth Group's Change Healthcare subsidiary. Senators from both parties demanded answers about why the attack happened and what Whitty is doing about it.
Sen. Ron Wyden, D-Ore., the committee's chairman, said, “The failures of CEOs like Whitty, who months later do not know how many people had their data stolen, warrant the FBI's warning.'' It is something that will become a reality.”
Republican Sen. Thom Tillis of North Carolina also said, “It's kind of interesting that you get a notification that you may be involved in a data breach and they say, 'We're going to fix your problem.' It was something,” he said positively. He said. “And I'm thinking, 'No, I'll help.' you and your problem. 'But we don't want to make this difficult for consumers. We'll keep track.it must be your problem To fix it. ”
In a separate House Energy and Commerce Committee hearing Wednesday, Whitty said the hackers used “compromised credentials,” which could include stolen passwords, to break into Change's systems. Stated. The hacked server did not require multi-factor authentication for access. This adds a second layer of security to her password-protected account by having the user enter an automatically generated code.
“This hack could have been stopped with cybersecurity 101,” Wyden said. Witty has pledged to require this type of certification company-wide and implement the same standards used by federal agencies within the next six months.
“It's a factor, but it's just a factor on defense,” Witty said. “For example, in addition to our normal company-wide scans of our technology environment, we now bring in an external third party who performs double or triple scans across our systems.”
Sen. Elizabeth Warren, D-Mass., criticized UnitedHealth Group's size. She said she was now in a position to “go up prices, squeeze competitors, hide profits, and pressure doctors to put profits before patients.” “UnitedHealth is a steroid monopoly.”
Asked about the scope of the cyberattack, Whitty said consumers likely won't know for some time whether they are affected. “It will be several months before sufficient information is available to identify and notify affected customers and individuals, in part because the files contained in that data may have been compromised,” he said. It was a violation of the law,” he said.
The company is offering two years of free credit monitoring and identity theft protection to affected customers and interest-free financing to healthcare providers.
“We have advanced more than $6.5 billion in early payments and interest-free, no-fee financing to thousands of providers,” Whitty said. “Most of these funds were for non-UHG health insurance claims, and approximately 34% of the loans went to safety-net hospitals and federally qualified health centers. We receive claims from health care providers. We are providing this assistance for as long as it takes to receive it, and payments have increased to pre-incident levels.”
Whitty told senators that UnitedHealth is under attack “on an ongoing basis” and that the company is repelling intrusion attempts every 70 seconds.
