UnitedHealth Group CEO Andrew Witty told lawmakers on Wednesday that the data of an estimated one-third of Americans could have been compromised in the cyberattack on its subsidiary Change Healthcare, and that the company paid a $22 million ransom to hackers.
Witty testified before the Subcommittee on Oversight and Investigations of the House Energy and Commerce Committee. He said the investigation into the breach is still ongoing, so the exact number of people affected remains unknown; the one-third figure is a rough estimate.
UnitedHealth had previously said the cyberattack would likely impact “a significant percentage of people in America,” according to a statement in April. The company confirmed that files containing protected health information and personally identifiable information were compromised in the breach.
It will likely take months before UnitedHealth can notify individuals, given the “complexity of reviewing the data,” the statement said. The company offers free access to identity theft protection and credit monitoring to individuals who are concerned about their data.
Witty also testified before the US Senate Finance Committee on Wednesday, where he confirmed for the first time that the company paid a $22 million ransom to the hackers who breached Change Healthcare. At a hearing before House lawmakers later that afternoon, Witty said the payment was made in bitcoin.
UnitedHealth revealed that a cyber threat actor compromised part of Change Healthcare's IT network in late February. The company disconnected the affected systems when the threat was detected, and this disruption caused widespread repercussions across the US healthcare sector.
Witty told the subcommittee in written testimony that the attackers used “compromised credentials” to infiltrate Change Healthcare’s systems on February 12 and deployed ransomware that encrypted the network nine days later.
The portal that the bad actors initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identities in at least two different ways.
UnitedHealth now has MFA enabled on all external-facing systems, Witty told the committees on Wednesday.