During a Senate hearing, Andrew Witty, the CEO of UnitedHealth Group, informed lawmakers that the company has taken significant measures to enhance the security of its systems following the cyberattack on its subsidiary, Change Healthcare. Consequently, the company has implemented multi-factor authentication across all its internet-facing systems.
The absence of multi-factor authentication played a pivotal role in the ransomware attack that targeted Change Healthcare earlier this year, causing significant disruptions to pharmacies, hospitals, and doctors’ offices throughout the United States. Multi-factor authentication, also known as MFA, serves as a fundamental cybersecurity measure that adds an extra layer of protection against unauthorised access to accounts or systems. It accomplishes this by mandating the use of a second code in addition to a password during the login process, effectively thwarting hackers who may have obtained a stolen password.
Witty revealed in a written statement on Tuesday, before two congressional hearings, that hackers exploited a set of stolen credentials to access a Change Healthcare server. He noted that the server lacked multi-factor authentication, leaving it vulnerable to such attacks. According to Witty’s statement, the hackers successfully infiltrated the server and proceeded to access other systems within the company to extract data. Subsequently, they encrypted the data using ransomware. 
Senators on the Finance Committee questioned Witty about the cyberattack today in the first of those two hearings. Sen. Ron Wyden questioned Witty, who responded that multi-factor authentication is currently active on all UHG external-facing systems.
“We have implemented a strict policy throughout the organisation to ensure that all external systems have multi-factor authentication,” Witty stated.
According to UnitedHealth Group’s spokesperson, Anthony Marusic, when asked to confirm Witty’s statement, he emphasised that Witty’s declaration was very clear.
Witty attributed the lack of system upgrades at Change Healthcare to UnitedHealth Group’s acquisition in 2022.
We were in the process of improving the technology we had obtained. However, Witty expressed his deep frustration at the lack of MFA protection on the server in question. That server was the entry point for the cybercriminals who infiltrated Change. And then they initiated a ransomware attack, which effectively encrypted and paralysed significant portions of the system.
According to Witty, the company is currently investigating the reason behind the absence of multi-factor authentication on that server.
Wyden expressed disappointment with the company’s lack of server upgrades. We received information about a policy, but it appears your team is not implementing it effectively. “And that’s why we have the problem,” Wyden stated.
During the hearing, Witty pointed out that UnitedHealth has not yet informed the affected individuals about the cyberattack. Witty emphasised that the company is still in the process of assessing the full scope of the breach and the compromised data. Currently, the company has disclosed that hackers have compromised the personal and health information of a sizable number of Americans.
Last month, UnitedHealth disclosed that it had made a payment of $22 million to the hackers responsible for breaching the company’s systems. During the Senate hearing, Witty confirmed the payment.
During the House Energy and Commerce committee meeting on Tuesday afternoon, Witty shared a concerning statistic: a significant number of Americans have unfortunately fallen victim to hackers who have stolen their personal health information.
