UnitedHealth Group CEO Andrew Witty on Wednesday told lawmakers that data from an estimated one-third of Americans may have been compromised in the cyberattack on its subsidiary Change Healthcare, and that the company paid a $22 million ransom to hackers.
Witty testified in front of the Subcommittee on Oversight and Investigations, which falls under the House of Representatives’ Committee on Energy and Commerce. He said the investigation into the breach is still ongoing, so the exact number of people affected remains unknown. The one-third figure is a rough estimate.
UnitedHealth has previously said the cyberattack likely impacts a “substantial proportion of individuals in America,” according to an April release. The company confirmed that files containing protected health information and personally identifiable information were compromised in the breach.
It will likely be months before UnitedHealth is able to notify individuals, given the “complexity of the data review,” the release said. The company is offering free access to identity theft protection and credit monitoring for individuals who are concerned about their data.
Witty also testified in front of the U.S. Senate Committee on Finance on Wednesday, when he confirmed for the first time that the company paid a $22 million ransom to the hackers that breached Change Healthcare. At the hearing with the Subcommittee on Oversight and Investigations later that afternoon, Witty said the payment was made in Bitcoin.
UnitedHealth disclosed that a cyber threat actor breached part of Change Healthcare’s information technology network late in February. The company disconnected the affected systems when the threat was detected, and the disruption has caused widespread fallout across the U.S. health-care sector.
Witty told the subcommittee in his written testimony that the cybercriminals used “compromised credentials” to infiltrate Change Healthcare’s systems on Feb. 12 and deployed ransomware that encrypted the network nine days later.
The portal that the bad actors initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identities in at least two different ways.
Witty told both committees Wednesday that UnitedHealth now has MFA in place across all external-facing systems.