During a Congressional hearing, UnitedHealth‘s CEO, Andrew Witty, revealed the gravity of a recent cyberattack on the company’s Change Healthcare unit.
Witty disclosed that hackers may have accessed sensitive data belonging to a significant portion of the American population, potentially compromising protected health information and personally identifiable data.
The breach, which occurred on February 12, has caused widespread disruptions in claims processing, impacting patients and healthcare providers nationwide.
Witty faced intense questioning from Senators about the company’s failure to prevent the breach and contain its aftermath.
He admitted that the breach was facilitated by stolen login credentials and occurred on an older server lacking multi-factor authentication.
The platform breached was in the process of being upgraded following UnitedHealth’s acquisition of Change Healthcare in 2022.
The cybercriminal group AlphV, responsible for the breach, reportedly demanded a ransom of around $22 million in Bitcoin.
Despite paying the ransom, UnitedHealth cannot guarantee the security of the breached data, raising concerns about potential leaks.
Another hacking group claiming affiliation with AlphV has asserted possession of the data, though the company has unverified this claim.
The breach has not only affected individuals but also had broader implications for the healthcare industry and national security.
It has resulted in significant financial losses for hospitals and healthcare providers, with many reporting damage to cash flow and revenue loss due to the inability to process claims.
The American Hospital Association and the American Medical Association highlighted the severe financial impact on their members, underscoring the far-reaching consequences of the cyberattack.
In response to concerns raised during the hearing, UnitedHealth emphasized its commitment to addressing the breach’s fallout and safeguarding sensitive data in the future.
However, the incident has underscored the urgent need for enhanced cybersecurity measures across the healthcare sector to mitigate such risks effectively.