UnitedHealth Group Inc. CEO Andrew Witty spoke with lawmakers, telling them he is still attempting to figure out how hackers launched a devastating cyberattack on the company.
Amid rigorous questioning by the Senate Finance Committee on Wednesday, at congressional hearings about the February breach, lawmakers homed in on the lax defenses that left UnitedHealth Group Inc.’s computer systems vulnerable. The intruders were found to have gained access through a server that did not have multifactor authentication enabled, a baseline cybersecurity control that blocks logins with a password alone and is routinely required even on consumer bank accounts. The hackers ultimately accessed a large trove of health information and personal data, which Witty says might cover as many as one-third of Americans.
“We’re trying to dig through exactly why that server had not been protected… I’m as frustrated as anybody about that fact,” Witty told lawmakers on Wednesday.
Senator Ron Wyden, the Oregon Democrat who chairs the Finance Committee, is among the lawmakers who believe the company neglected basic safeguards, failing both to prevent the attack and to recover from it. “This company flunked both,” Wyden said.
Lawmakers pressed the largest US health insurer with pointed questions about the breach, including whether its expansive reach into so many healthcare operations concentrated risk that the intruders were then able to exploit with little resistance. The hack effectively tied up billions of dollars in payments to hospitals and doctors.
The ransomware attack, which crippled systems at UnitedHealth’s Change Healthcare subsidiary, will likely be the most significant healthcare data breach in US history, according to the company. It is also among the most expensive hacks ever seen, with the company estimating it could reduce UnitedHealth’s profit by as much as $1.6 billion this year.
Witty was the only witness at the hearings, which also included a session before a House Energy and Commerce Committee subcommittee. At that separate House panel, lawmakers from both parties voiced concern about the sheer size of UnitedHealth.
Senator Elizabeth Warren, a Massachusetts Democrat, used the Wednesday hearing to call on regulators to break up the company entirely. The call met little pushback, as even conservatives expressed concern about the company’s power.
Senator Bill Cassidy, a Republican from Louisiana, asked, “Is the dominant role of United too dominant, because it’s into everything, and messing up United messes up everybody?”
Witty stated that Change Healthcare’s footprint was the same as before UnitedHealth acquired it in 2022. The company, which UnitedHealth purchased for nearly $8 billion, was running on legacy technology, he said, noting that some systems are at least 40 years old. “We’ve been working to improve those,” Witty said.
Witty’s grilling in Washington had minimal impact on investors, with UnitedHealth shares closing nearly unchanged on Wednesday.
Wyden said the committee is drafting legislation in response to the cyberattack. He called for industry-wide security standards, with stricter requirements for larger companies: “The bigger the company, the more significant your responsibilities are.”
UnitedHealth faces constant attacks from intruders trying to break through its digital defenses, more than 450,000 attempts a year, according to the prepared testimony Witty released before the hearings. The precise nature of those attempts only became clear later.
Witty said he opted to pay a ransom to protect patient data, calling it “one of the hardest decisions I’ve ever had to make.” He confirmed the payment totaled $22 million, a figure that had already been reported based on analysis of cryptocurrency transactions.
Witty further stated that the attackers also locked up the company’s backup systems, which delayed the restoration of Change Healthcare services; backups reachable from the compromised environment offer little protection against an intruder who already holds its credentials, which is why offline or immutable copies are the standard safeguard. He said UnitedHealth ended up rebuilding most of the infrastructure from scratch on cloud-based systems.
According to Witty, the company fully supports minimum security standards for healthcare companies and improvements to US cyber defenses, including standardized reporting of cybersecurity incidents.