Security news that informs and inspires

Senators Reprimand UnitedHealth CEO in Ransomware Hearing

By

Senators at a Wednesday government hearing had strong words for UnitedHealth Group CEO Andrew Witty about the organization’s lack of security protections leading up to the February Change Healthcare ransomware attack, and the fallout across the healthcare industry that occurred after the attack.

Witty’s statements during the Senate Finance Committee hearing, and later the Energy and Commerce’s Oversight and Investigations subcommittee hearing, stayed largely within the confines of his written testimony, though he did confirm UnitedHealth Group’s $22 million ransom payment and acknowledge that potentially one-third of Americans’ data was stolen. The questions and criticisms from senators across the board, meanwhile, highlighted overarching concerns about the impact of large corporations coming under attack. In this case, attackers targeted Change Healthcare - owned by UnitedHealth Group, which is the fifth largest company in the U.S. and that touches 152 million individuals overall - via a Change Healthcare Citrix remote access portal that didn’t have multi-factor authentication enabled.

“Mr. Witty owes Americans an explanation for how a company of UHG’s size and importance failed to have multi-factor authentication on a server providing open door access to protected health information, why its recovery plans were so woefully inadequate and how long it will take to finally secure all of its systems,” said Sen. Ron Wyden (D-Ore.) during the hearing.

Wyden condemned the attack as an example of the cybersecurity concerns that could happen should a “too big to fail” organization get hit by ransomware. After threat actors deployed the ransomware in February, nine days after gaining initial access via the stolen Citrix credentials, the fallout from the Change Healthcare attack lasted several weeks and crippled healthcare providers, hospitals and pharmacies across the countries.

The question of accountability loomed over the Wednesday hearings, and some of the questions centered around whether Witty knew about the lack of security measures, such as MFA, that enabled the attack. This follows a trend previously predicted by Gartner, where CEOs and board members are being increasingly held personally liable for breaches. As part of its cybersecurity rule finalized last year, the SEC also considered requiring companies to describe their board members’ oversight of security risks and cybersecurity expertise.

“UHG has not revealed how many patients’ private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack.”

Wyden said that UnitedHealth’s anti-competitive practices likely prolonged the fallout from the ransomware attack, and that the company and its top executives need to take responsibility for the attack.

“Consistently, your views seem to minimize the impact of your involvement,” said Wyden, speaking to Witty during the hearing. “You say that UnitedHealth’s payments processing accounts for only 6 percent of payments in the healthcare system. My view is that’s basically hiding the ball. In 2022 the Department of Justice said that Change retains records of at least 211 million individuals going back to 2012.”

Witty during the hearing said that it’s UnitedHealth’s policy to have MFA enabled for externally-facing applications and said that he did not know that MFA wasn’t enabled on the Change server before the attack. He also said that he was not aware of any audits conducted before the attacks that identified a lack of MFA on “this particular server” as a compliance or security risk. When asked why MFA wasn’t enabled on the application, the CEO said that Change Healthcare, acquired by UnitedHealth in 2022, came to its company with legacy technologies, and it was in the process of upgrading this technology when the attack occurred.

One other point of contention during the hearing was the compromised data itself. UnitedHealth Group recently said that attackers gained access to some protected health information and personally identifiable information “which could cover a substantial proportion of people in America,” but it will likely take several more months of investigation to fully understand what data was exfiltrated and who has been impacted. Wyden said beyond the sensitive nature of the data stolen - which could include cancer diagnoses or mental health treatment plans - the fact that government and military personnel information is included makes the hack a “clear national security priority.”

“Leaving this sensitive patient information vulnerable to hackers, whether criminals or a foreign government, is a clear national security threat,” said Wyden. “UHG has not revealed how many patients’ private medical records were stolen, how many providers went without reimbursement, and how many seniors were unable to pick up their prescriptions as a result of the hack.”