UnitedHealth CEO blames lack of multifactor authentication for Change Healthcare cyberattack

May 2, 2024



TLDR:

  • The Change Healthcare cyberattack was due to a lack of multifactor authentication, according to UnitedHealth CEO Andrew Witty.
  • The attack disrupted health care systems nationwide and cost UnitedHealth $22 million in ransom.

The Change Healthcare cyberattack that disrupted health care systems nationwide earlier this year started when hackers entered a server that lacked a basic form of security: multifactor authentication. UnitedHealth CEO Andrew Witty said Wednesday in a U.S. Senate hearing that his company, which owns Change Healthcare, is still trying to understand why the server did not have the additional protection. His admission did not sit well with Senate Finance Committee members who spent more than two hours questioning the CEO about the attack and broader health care issues.

Multifactor authentication adds a second layer of security to password-protected accounts by having users enter an auto-generated code. It is common on apps protecting sensitive data, such as bank accounts, and is meant to guard against hackers guessing passwords. Change Healthcare provides technology used to submit and process billions of insurance claims a year. Hackers gained access in February and unleashed a ransomware attack that encrypted and froze large parts of the company’s system, Witty said.

He told a separate House Energy and Commerce Committee hearing Wednesday that hackers used “compromised credentials” that may have included stolen passwords to enter Change’s system. The attack triggered a disruption of payment and claims processing around the country, stressing doctors’ offices and health care systems by interfering with their ability to file claims and get paid. UnitedHealth quickly disconnected the affected systems to limit damage and paid a $22 million ransom in bitcoin, Witty said. The company is still recovering.

The CEO also told senators that all of the company’s core systems were now fully functional. That included claims payment and pharmacy processing. In March, the Office for Civil Rights said it would investigate whether protected health information was exposed and whether Change Healthcare followed laws protecting patient privacy. The company said earlier this month that personal information that could cover a “substantial portion of people in America” may have been taken in the attack.

UnitedHealth is offering free credit monitoring and identity theft protection for two years. UnitedHealth Group runs one of the nation’s largest insurers and pharmacy benefits managers. It also provides care and technology services, which include the Change business. Cybersecurity experts say ransomware attacks have increased substantially in recent years, especially in the health care sector. Witty told senators UnitedHealth is “consistently” under attack.

