Data stolen in Change Healthcare attack likely included U.S. service members, executive says
After warning that a substantial portion of Americans’ data was compromised by a February ransomware attack on Change Healthcare, Andrew Witty, CEO of UnitedHealth Group, told lawmakers Wednesday that current and former U.S. military personnel are among those who were likely impacted.
During an occasionally withering Senate Finance Committee hearing, Chair Ron Wyden, D-Ore., pressed Witty on whether UnitedHealth leadership had determined that the Change Healthcare hackers accessed the data of federal employees, referencing national security concerns presented by the 2015 Office of Personnel Management data breach that exposed the personal information of more than 20 million U.S. government workers.
“We do believe there will be members of the armed forces and … veterans” whose data was stolen, Witty said, adding that he would make it a “top priority” to deliver on Wyden’s demand for an accounting, in writing, of the number of military personnel affected and UnitedHealth’s “best assessment of who they are.”
Witty testified that UnitedHealth hasn’t yet notified individuals whose data was stolen, going beyond the 60-day reporting window required by the Health Insurance Portability and Accountability Act. The CEO said the company is working with U.S. regulators on “how best to do that,” but faced delays in accessing Change’s original dataset.
Sen. Maggie Hassan, D-N.H., said UnitedHealth needs to “at least send preliminary notifications to individuals so that they can take protective actions like monitoring their bank accounts, changing passwords and enrolling in the credit monitoring system that United Healthcare set up” with Equifax.
Wyden and other committee members, meanwhile, railed against Witty over the revelation that the Change Healthcare server breached by an affiliate of the ALPHV ransomware gang did not employ multi-factor authentication, allowing the hackers to gain remote access to the payment processor’s systems with a set of stolen credentials.
Witty said all external systems across UnitedHealth Group have now enabled MFA, but Change Healthcare — which UHG acquired in October 2022 — hadn’t taken those precautions on this particular server as of February.
“My understanding is that when Change came into the organization, there was [an] extensive amount of modernization required and, unfortunately, and very frustratingly, this server had not had MFA deployed on it prior to the attack,” said Witty, who confirmed that he signed off on the $22 million ransom payment made to the hacking group.
In response to questioning from Sen. Thom Tillis, Witty said he was not aware of any internal or external audits of systems controls that identified non-MFA compliance as a security risk. The North Carolina Republican also prodded Witty on why redundancy protocols — keeping data in multiple places within a storage system — weren’t employed, preventing a simpler process to restart systems.
Witty said Change was “in the process” of upgrading its systems when the hackers hit. “The attack itself implicated both the prime and the backup environments,” he added. “That was partly due to the age of the technology and the fact that large amounts were not in the cloud.
“With the elements which were in the cloud, we were able to bring back almost immediately. The elements which were in the older data centers, and had within them multi-layers of historical legacy technologies, that was the challenge on restart,” the CEO said.
Without minimum cybersecurity standards from the Department of Health and Human Services, some lawmakers expressed concern over the possibility of more attacks on health care providers. Sen. Mark Warner, D-Va., said the health care industry should be subject to baseline standards, just as the finance and energy industries are, and asked Witty for his feelings on that with respect to both UnitedHealth Group and Change Healthcare.
Witty said the company is “supportive” of moving “toward minimum standards,” noting that the industry currently suffers from a lack of clarity and “a mix of different oversight agencies” putting out guidance.
“As you think about smaller and medium-size organizations across health care, it’s difficult oftentimes to navigate some of those things,” he said. “So I do think … minimum standards do make sense. We’d be very, very happy to engage in any lessons learned from this review.”
Beyond any future adoption of minimum standards, Witty said UnitedHealth Group has worked to strengthen the company’s cybersecurity bona fides by adding Mandiant representation to its advisory board. The company also has “daily engagement” with the Centers for Medicare & Medicaid Services to “support providers and to prioritize recovery of the system,” Witty said, adding that the FBI continues to be its “prime” law enforcement partner.
Wyden closed the hearing with additional calls for MFA and redundancy, telling Witty that UnitedHealth “let the country down” with Change’s failures to implement both security practices. Going forward, the health care giant will need to be “much more active and much more forthcoming” on cyber issues, he added.
“We don’t even know what data was stolen. And I’m not convinced that we are going to find that out anytime soon. We may never find it out,” Wyden said. “So there’s a lot of heavy lifting to do.”
