Health insurance provider UnitedHealth paid a multi-million dollar ransom to hackers who broke into one of its subsidiaries and disrupted health care providers across the country for months, CEO Andrew Witty confirmed Wednesday.
At a Senate Finance Committee hearing, Witty said the decision to pay the $22 million ransom was entirely his. “This was one of the most difficult decisions I’ve ever had to make,” he said. UnitedHealth acknowledged last month that it paid a ransom to hackers who breached UnitedHealth-owned Change Healthcare systems, but did not disclose the amount. In March, the company said BlackCat, the group behind the hack of the MGM casino in Las Vegas, was responsible for the breach. The same month, BlackCat, which also operates as ALPHV, reported receiving $22 million in transactions in Bitcoin on March 1.
BlackCat previously claimed to have obtained more than six terabytes of data as part of a hack carried out in February this year. According to CBS News, the ransomware gang said the data included “sensitive” medical records.
“Criminals used compromised credentials to remotely access the Change Healthcare Citrix portal, an application that enables remote access to desktops,” Witty said in his testimony, adding that the portal “did not have multi-factor authentication.”
“This hack could have been prevented with Cybersecurity 101,” said Sen. Ron Wyden (D-OR), chairman of the committee. “It shouldn’t have taken the worst cyberattack in the healthcare sector to agree to take this minimum step,” Witty said after confirming that United would require multi-factor authentication company-wide in the future.
The impact of the hack was far-reaching. After the breach was discovered, United shut down its Change Healthcare system for a week, leaving hospitals, clinics and pharmacies across the country unable to pay their bills. At the hearing, Witty said the system was now “largely back to normal.” But some senators told Witty that hospitals and other health care providers are still waiting to be paid. Wyden (D-OR) told Witty that some providers who submitted claims in February were told they would have to wait until June to receive payment.
UnitedHealth manages more than a third of all U.S. patient records and oversees one in 10 doctors nationwide, according to a letter the American Hospital Association sent to the Department of Health and Human Services in March. In his opening remarks, Wyden called United “a behemoth of health care” and described the hack as “a dire warning of the consequences of a giant corporation that is too big to fail.”