Omar Marques | Lightrocket | Getty Images
UnitedHealth Group CEO Andrew Witty on Wednesday told lawmakers that data from an estimated one-third of Americans might have been compromised within the cyberattack on its subsidiary Change Healthcare, and that the corporate paid a $22 million ransom to hackers.
Witty testified in front of the Subcommittee on Oversight and Investigations, which falls under the House of Representatives’ Committee on Energy and Commerce. He said the investigation into the breach continues to be ongoing, so the precise number of individuals affected stays unknown. The one-third figure is a rough estimate.
UnitedHealth has previously said the cyberattack likely impacts a “substantial proportion of individuals in America,” in response to an April release. The corporate confirmed that files containing protected health information and personally identifiable information were compromised within the breach.Â
It’ll likely be months before UnitedHealth is in a position to notify individuals, given the “complexity of the information review,” the discharge said. The corporate is offering free access to identity theft protection and credit monitoring for people concerned about their data.
Witty also testified in front of the U.S. Senate Committee on Finance on Wednesday, when he confirmed for the primary time that the corporate paid a $22 million ransom to the hackers that breached Change Healthcare. On the hearing before the House legislators later that afternoon, Witty said the payment was made in bitcoin.
UnitedHealth disclosed that a cyberthreat actor breached a part of Change Healthcare’s information technology network late in February. The corporate disconnected the affected systems when the threat was detected, and the disruption has caused widespread fallout across the U.S. health-care sector.
Witty told the subcommittee in his written testimony that the cyberattackers used “compromised credentials” to infiltrate Change Healthcare’s systems on Feb. 12 and deployed a ransomware that encrypted the network nine days later.
The portal that the bad actors initially accessed was not protected by multifactor authentication, or MFA, which requires users to confirm their identities in no less than two other ways.Â
Witty told each committees Wednesday that UnitedHealth now has MFA in place across all external-facing systems.
