During a Senate hearing, Andrew Witty, the CEO of UnitedHealth Group, informed lawmakers that the company has taken significant measures to enhance the security of its systems following the cyberattack on its subsidiary, Change Healthcare. Consequently, the company has implemented multi-factor authentication across all its internet-facing systems.
The absence of multi-factor authentication played a pivotal role in the ransomware attack that targeted Change Healthcare earlier this year, causing significant disruptions to pharmacies, hospitals, and doctors’ offices throughout the United States. Multi-factor authentication, also known as MFA, serves as a fundamental cybersecurity measure that adds an extra layer of protection against unauthorized access to accounts or systems. It accomplishes this by mandating the use of a second code in addition to a password during the login process, effectively thwarting hackers who may have obtained a stolen password.
Witty revealed in a written statement on Tuesday, before two congressional hearings, that hackers exploited a set of stolen credentials to access a Change Healthcare server. He noted that the server lacked multi-factor authentication, leaving it vulnerable to such attacks. According to Witty’s statement, the hackers successfully infiltrated the server and proceeded to access other systems within the company to extract data. Subsequently, they encrypted the data using ransomware.
Senators on the Finance Committee questioned Witty about the cyberattack today in the first of those two hearings. When asked by Sen. Ron Wyden, Witty confirmed that currently, all external-facing systems within UHG have multi-factor authentication enabled.
“We have implemented a strict policy throughout the organization to ensure that all external systems have multi-factor authentication,” Witty stated.
According to UnitedHealth Group’s spokesperson Anthony Marusic, when asked to confirm Witty’s statement, he emphasized that Witty’s declaration was very clear.
Witty attributed the lack of system upgrades at Change Healthcare to UnitedHealth Group’s acquisition in 2022.
We were in the process of improving the technology we had obtained. However, Witty expressed his deep frustration at the lack of MFA protection on the server in question. That server was the entry point for the cybercriminals who infiltrated Change. And then they initiated a ransomware attack, which effectively encrypted and paralyzed significant portions of the system.
According to Witty, the company is currently investigating the reason behind the absence of multi-factor authentication on that server.
Wyden expressed disappointment with the company’s lack of server upgrades. We received information about a policy, but it appears your team is not implementing it effectively. “And that’s why we have the problem,” Wyden stated.
During the hearing, Witty pointed out that UnitedHealth has not yet informed the affected individuals about the cyberattack. Witty emphasized that the company is still in the process of assessing the full scope of the breach and the compromised data. Currently, the company has disclosed that a significant number of individuals in the United States have had their personal and health information compromised by hackers.
Last month, UnitedHealth disclosed that it had made a payment of $22 million to the hackers responsible for breaching the company’s systems. During the Senate hearing, Witty confirmed the payment.
During the House Energy and Commerce committee meeting on Tuesday afternoon, Witty shared a concerning statistic: a significant number of Americans have unfortunately fallen victim to hackers who have stolen their personal health information.
