(Bloomberg) — UnitedHealth Group Inc. Chief Executive Officer Andrew Witty defended the company’s response to a disastrous cyberattack that snarled payments for doctors in the first of back-to-back hearings in Washington.
Most Read from Bloomberg
The largest US health insurer has faced aggressive questions from some lawmakers over the February hacking incident ahead of the hearings, including concerns about whether its vast reach into myriad health-care operations concentrated risk that cybercriminals exploited.
The ransomware strike that wrecked systems at UnitedHealth’s Change Healthcare subsidiary will likely be the largest health-care data breach in the US to date, the company said. It’s also among the most costly hacks ever, denting UnitedHealth’s profit by as much as $1.6 billion this year.
Witty is the sole witness scheduled for hearings at the Senate Finance Committee Wednesday morning and the House Energy and Commerce Oversight and Investigations Subcommittee in the afternoon. Lawmakers from both parties expressed concern about UnitedHealth’s size at a separate House panel two weeks ago.
UnitedHealth’s shares were relatively unchanged as of 9:45 a.m. in New York.
UnitedHealth faces constant attacks from intruders trying to crack digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of those attempts wasn’t immediately clear.
Despite the persistent threat, he said the intruders gained entry to Change Healthcare’s systems through a Citrix remote access portal that wasn’t protected by multifactor authentication, a common cyber defense meant to thwart hackers by requiring more than a password to verify that a login is legitimate.
Once they broke into the system on Feb. 12, attackers claiming to be the notorious cybercrime group BlackCat pilfered data undetected for more than a week. They deployed ransomware nine days later.
Senator Ron Wyden, chair of the Finance Committee, blamed UnitedHealth for failing to prevent a hack that he said could have been stopped with basic cybersecurity precautions. Witty needs to explain “how a company of UHG’s size and importance failed to have multifactor authentication on a server providing open-door access to protected health information,” Wyden, an Oregon Democrat, said at the hearing.
Wyden questioned whether UnitedHealth knew how much personal data of its users was stolen. “You don’t have the logs to show what data walked out the door,” he said.
The full extent of that breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The theft could cover a “substantial proportion” of Americans, the company has said. It’s set up a site to offer credit monitoring and other help.
Witty said he decided to pay a ransom to protect patient data, “one of the hardest decisions I’ve ever had to make, and he confirmed that the payment was $22 million, a figure that has previously been reported based on an analysis of cryptocurrency payments.
He told the committee that UnitedHealth’s response “swift and forceful,” by disconnecting Change’s systems from the rest of the health-care world. While that was “extremely disruptive,” he said it stopped the damage from spreading more widely.
The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash-flow interruptions.
Witty also said the company supports minimum security standards for health care companies and improvements to the US’s cyber defenses, including standardized reporting of cybersecurity events.
–With assistance from Jamie Tarabay.
(Updates with Witty confirming size of ransom in 12th paragraph.)
Most Read from Bloomberg Businessweek
©2024 Bloomberg L.P.
EMEA Tribune is not involved in this news article, it is taken from our partners and or from the News Agencies. Copyright and Credit go to the News Agencies, email news@emeatribune.com Follow our WhatsApp verified Channel
