UnitedHealth CEO Testifies to Senate on Cyberattack That Stole Military Members' Data

Massive cyberattack on UnitedHealth subsidiary Change Healthcare disrupts US healthcare system, costing $1.6B and exposing vulnerabilities. CEO calls for stronger cybersecurity measures to protect sensitive patient data.

author-image
Waqas Arain
New Update
UnitedHealth CEO Testifies to Senate on Cyberattack That Stole Military Members' Data

UnitedHealth CEO Testifies to Senate on Cyberattack That Stole Military Members' Data

UnitedHealth CEO Andrew Witty testified before the Senate on Monday about a massive cyberattack in February that targeted Change Healthcare, a UnitedHealth subsidiary that processes 50% of all medical claims in the United States. The attack resulted in the theft of sensitive data belonging to U.S. military members and caused widespread disruption in payments to doctors and healthcare facilities across the country.

According to Witty, the hackers gained access to Change Healthcare's systems through a compromised account that lacked multifactor authentication. This allowed the AlphV ransomware group to move laterally within the company's network and deploy their malware. "The decision to pay a $22 million ransom was one of the hardest I've had to make," Witty told the Senate Finance Committee.

The attack has cost UnitedHealth up to $1.6 billion and reduced cash flow for some medical practices by over 80% for six weeks, forcing them to seek loans and patient advances to stay afloat. Small clinics were hit particularly hard, with some coming close to shutting down completely. The American Hospital Association reported that 94% of hospitals experienced damage to cash flow and over 50% faced "significant or serious" financial damage due to Change Healthcare's inability to process claims.

Why this matters: The Change Healthcare cyberattack exposed the vulnerability of having a single point of failure in the U.S. healthcare system. It also highlighted the need for stronger cybersecurity measures and mandatory minimum security standards across the industry to protect sensitive patient data and ensure the continuity of care.

Witty apologized for the incident and the hardships it caused healthcare providers and patients. He called for mandatory minimum security standards for the healthcare industry, including funding and training for institutions in need, as well as stronger national cybersecurity infrastructure. UnitedHealth is working with the FBI and cybersecurity firms to investigate the hack and has "literally built this platform back from scratch" to ensure it is safe for providers to reconnect. However, some systems are still being restored nearly three months after the attack.

Key Takeaways

  • Massive cyberattack on UnitedHealth subsidiary Change Healthcare in Feb.
  • Hackers gained access via compromised account lacking multifactor authentication
  • Attack cost UnitedHealth up to $1.6B, disrupted payments to doctors/facilities
  • Exposed vulnerability of single point of failure in US healthcare system
  • CEO called for mandatory security standards, stronger national cybersecurity