UnitedHealth Group CEO Andrew Whitty told senators on Wednesday that the company is responding to a recent cyber attack on its subsidiary Change Healthcare and that all of its systems exposed to the internet have been compromised. He said he has enabled multi-factor authentication.
The lack of multi-factor authentication was at the heart of the ransomware attack that hit Change Healthcare earlier this year, impacting pharmacies, hospitals, and clinics across the United States. Multi-factor authentication (MFA) is a basic cybersecurity mechanism that prevents hackers from using stolen passwords to break into your accounts and systems by requiring a second code to log in.
In a written statement filed Tuesday ahead of two Congressional hearings, Whitty revealed that the hackers used a set of stolen credentials to access the Change Healthcare server, and that the server was He said it was not protected by factor authentication. After breaking into that server, the hackers were able to break into other companies' systems and steal data, which they then encrypted with ransomware, Whitty said in a statement.
Today, in the first of those two hearings, Mr. Whitty faced questions about the cyberattack from senators on the Finance Committee. “As of today, multi-factor authentication is enabled on all external systems across UHG,” Whitty said in response to a question from Sen. Ron Wyden.
“We have an organization-wide policy of implementing multi-factor authentication on all external systems, and that is in place,” Whitty said.
When asked to confirm Whitty's statement, UnitedHealth Group spokesperson Anthony Marusic told TechCrunch that Whitty was “very clear in what he said.”
Whitty blamed the fact that Change Healthcare's systems have yet to be upgraded after UnitedHealth Group acquired the company in 2022.
“We were in the process of upgrading the technology that we had acquired, and some of them, very unfortunately, were not protected by MFA,” Witty said. “This was a server for cybercriminals to infiltrate Change. And they launched a ransomware attack that resulted in large portions of the system being encrypted and frozen.”
Witty also said the company is still working on understanding exactly why multi-factor authentication isn't enabled on its servers.
Wyden criticized the company for not upgrading its servers. “We've been hearing from your people that you have a policy, but you haven't implemented it. That's why we have a problem,” Wyden said. he said.
Whitty said during the hearing that UnitedHealth has not yet notified those affected by the cyberattack, arguing that the company still needs to determine the scope of the hack and the information stolen. So far, the company has said only that the hackers stole personal and health information data of “a significant percentage of people in the United States.”
UnitedHealth announced last month that it paid $22 million to hackers who broke into its systems. Mr. Whitty acknowledged the payment in a Senate hearing.
Whitty is also scheduled to appear before the House Energy and Commerce Committee on Tuesday afternoon, and we will update this article as more information becomes available.
Source link