One-Third of Americans’ Data May Have Been Compromised in UnitedHealth Hack

The February ransomware attack on Change Healthcare, a UnitedHealth Group subsidiary, may have exposed a third of Americans’ data, UnitedHealth CEO Andrew Witty disclosed in testimony to Congress on May 1.

During the tense Congressional hearing, Witty faced questions regarding the Group’s handling of the breach and the disruption inflicted on the US healthcare system. The breach paralyzed the healthcare system nationwide, affecting healthcare providers, patients, and the processing of medical claims.

The Change Healthcare breach left lawmakers clamoring for information, as the company handles approximately 15 billion transactions annually and manages medical claims for around 50% of the US population.

The Congressional committee consisting of the Senate Finance Committee and a panel of the House Energy and Commerce Committee was convened after UnitedHealth declined to appear before the House health subcommittee in April, according to the New York Times.

In the hearing, lawmakers questioned whether the failure of UnitedHealth’s existing security system had led to the breach. It also questioned its adherence to the Health Insurance Portability and Accountability Act (HIPAA) and whether these factors led to the exposure of the personal information of millions of Americans.

When pressed by lawmakers to give a definite answer regarding the stolen data, Witty said, “maybe a third [of Americans] or somewhere of that level” had their healthcare and personally identifiable information (PII) compromised. But, he hesitated to provide a more conclusive response as the investigation into the breach is ongoing.

In a written statement presented to the House subcommittee before the May 1 Senate hearing, Witty expressed that “it is likely to take several months” for the company to analyze the “full scope of impacted patient, provider, and payer information” compromised. He indicated that so far, there’s no evidence that any medical histories had been leaked.

The hearing also cited a December 2023 joint warning issued by the FBI and U.S. cyber and health officials regarding potential attacks on the US healthcare system by groups like AlphV or BlackCat. The warning also recommended mitigation measures, including enabling a multifactor authentication system.

When questioned whether the company’s failure to implement robust security measures had led to the hack, Witty acknowledged the absence of a strong security system. He said that hackers had used stolen credentials to remotely access Change Healthcare’s server, which, despite the joint warning, did not have a multi-factor authentication system in place.

During the hearing, Witty reassured the committee that as of the day of the hearing, all UHG systems have multi-factor authentication enabled. He also said that the company is working with regulators to investigate the breach and will soon notify the impacted customers and individuals.