/cdn.vox-cdn.com/uploads/chorus_asset/file/23318433/akrales_220309_4977_0182.jpg "UnitedHealth CEO Andrew Witty admits he paid million ransom to hackers")
Health insurance provider UnitedHealth paid a multimillion-dollar ransom to hackers who broke into one of its subsidiaries and disrupted health care providers nationwide for months, CEO Andrew Witty confirmed Wednesday.
In a hearing before the Senate Committee on Finance, Witty said that the decision to pay the $22 million ransom was entirely his. “It was one of the hardest decisions I’ve ever had to make,” he said. UnitedHealth acknowledged last month that it had paid a ransom to hackers who broke into the Change Healthcare system — which is owned by UnitedHealth — but did not disclose the amount. In March, the company blamed the breach on BlackCat, the same entity responsible for the MGM casino hack in Las Vegas. In the same month, wired BlackCat, also known as ALPHV, was reported to have received $22 million worth of transactions on Bitcoin on March 1.
Blackcat had earlier claimed that it had obtained more than six terabytes of data as part of the hack, which it carried out in February this year. According to CBS News, the ransomware gang said the data included “sensitive” medical records.
“The criminals used the compromised credentials to remotely access the Change Healthcare Citrix Portal, which is the application used to enable remote access to desktops,” Vitti said during his testimony. He said the portal “did not have multifactor authentication.”
Sen. Ron Wyden (D-OR), chairman of the committee, said, “This hack could have been prevented with Cybersecurity 101.” After Witty confirmed that United would require multifactor authentication across the company in the future, Wyden said that “this minimal compromise should not have led to the worst cyberattack ever in the healthcare sector.”
The effects of the hack were far-reaching. After the breach was discovered, United shut down the Change Healthcare system for a week, causing hospitals, clinics and pharmacies across the country to miss payments. During the hearing, Vitti said the system is now “largely back to normal.” But some senators told Witty that hospitals and other health care providers are still waiting for payments. Wyden (D-OR) told Witty that some providers who filed claims in February were told they would have to wait until June to get paid.
UnitedHealth manages more than a third of all patient records in the U.S. and oversees 1 in 10 doctors nationwide, according to a letter the American Hospital Association sent to the Department of Health and Human Services in March. In his opening remarks, Wyden called United a “healthcare leviathan” and described the hack as a “sober warning about the consequences of too-big-to-fail mega-corporations.”
