Congress Grills UnitedHealth CEO Over Change Healthcare Cyberattack

Witty discusses ransomware payment, patient data notification, cybersecurity standards

May 01, 2024

An outdated system and a lack of basic cybersecurity precautions led to the Change Healthcare cyberattack, UnitedHealth Group’s CEO testified before federal lawmakers today.

Andrew Witty, CEO of UnitedHealth Group, appeared before the House Energy and Commerce Committee and Senate Finance Committee today, discussing next steps following the February 21 Change Healthcare Cyberattack that has disrupted operations across the health care sector.

During his testimony, Witty said the cyberattack targeted a vulnerability in Change Healthcare’s system that had not been updated to modern standards. UnitedHealth “repels an attempted intrusion every 70 seconds—thwarting more than 450,000 intrusions per year,” he testified.

Among the key takeaways:

• What happened:  Witty testified that cybercriminals obtained “compromised credentials” to access a Change Healthcare application that enables remote access to desktops. The application did not have multi-factor authentication.
  • The actors gained access, moving laterally within the system, and deployed ransomware nine days later, he said. UnitedHealth was working to modernize Change Healthcare servers ahead of the cyberattack.
• Patient data and ransom:  Witty reiterated that it would take several weeks to months to “identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack.”
  • Witty confirmed UnitedHealth paid $22 million in ransom related to the cyberattack.
• Operational questions:  Witty agreed with lawmakers that UnitedHealth should not hold other organizations to require solely on the Change system, as this creates a single point of failure and potential for widespread outages.
  • Lawmakers also questioned if the company was doing enough to support patients beyond free credit monitoring services.
• Hospital impact:  “Providers will need to work through the backlog of claims, reprocess denials received during this time, reconcile payments to accounts, and bill patients, among other tasks. Therefore, hospitals, physicians and patients are continuing to experience financial and operational impacts,” the American Hospital Association wrote in a letter ahead of today’s hearings.
• Quotable:  “I continue to hear however from providers in Pennsylvania who are struggling to serve their patients as they await reimbursement for the care they are providing,” said U.S. Senator Bob Casey (D–PA).

Witty’s testimony and the House and Senate hearings are available online.

HAP continues to monitor the latest Change Healthcare cybersecurity news and advocate on behalf of our members. HAP created a one-stop shop to offer the latest resources online, including exclusive member-only information (login required).