Health insurance provider UnitedHealth paid a multimillion-dollar ransom to hackers who broke into one of its subsidiaries, disrupting healthcare providers across the country for months, CEO Andrew Witty confirmed on Wednesday.
In a hearing before the Senate Committee on Finance, Witty said the decision to pay the $22 million ransom was entirely his. “This was one of the hardest decisions I’ve ever had to make,” he said. UnitedHealth admitted last month that it had paid a ransom to the hackers who breached the Change Healthcare system — which is owned by UnitedHealth — but didn’t disclose the sum. In March, the company attributed the breach to BlackCat, the same entity responsible for the MGM casino hack in Las Vegas. That same month, Wired reported that BlackCat, which also goes by ALPHV, received a $22 million Bitcoin transaction on March 1st.
BlackCat previously claimed it netted more than six terabytes of data as part of the hack, which it carried out in February of this year. The ransomware gang said the data included “sensitive” medical records, according to CBS News.
“Criminals used compromised credentials to remotely access Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said during his testimony, adding that the portal “did not have multifactor authentication.”
“This hack could’ve been stopped with cybersecurity 101,” said Sen. Ron Wyden (D-OR), the chair of the committee. After Witty confirmed United will require multifactor authentication companywide going forward, Wyden said it “shouldn’t have taken the worst cyberattack ever in the healthcare sector for an agreement to do this bare minimum.”
The effects of the hack were far-reaching. After the breach was discovered, United shut down the Change Healthcare system for a week, which prevented hospitals, clinics, and pharmacies across the country from getting paid. During the hearing, Witty said the system is now “broadly back to normal.” But some senators told Witty that hospitals and other healthcare providers are still waiting on payments. Wyden told Witty that some providers who filed claims in February were told they’d have to wait until June to get paid.
UnitedHealth manages more than one-third of all patient records in the US and oversees 1 in 10 doctors across the country, according to a letter the American Hospital Association sent to the Department of Health and Human Services in March. In his opening remarks, Wyden called United a “healthcare leviathan” and described the hack as a “dire warning about the consequences of too-big-to-fail mega-corporations.”