UnitedHealth Group CEO Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all of the company’s internet-exposed systems in response to the recent cyber attack against its subsidiary Change Healthcare.
The lack of multi-factor authentication was at the heart of the ransomware attack that hit Change Healthcare earlier this year, which affected pharmacies, hospitals and doctors' offices across the United States. Multi-factor authentication, or MFA, is a key cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password alone, by requiring a second authentication factor to log in.
In a written statement submitted Tuesday before two congressional hearings, Witty revealed that hackers used a set of stolen credentials to gain access to a Change Healthcare server, which he said was not protected by multi-factor authentication. After breaking into that server, the hackers were then able to move into another company’s systems to exfiltrate data and later encrypt it with ransomware, Witty said in the statement.
Today, during the first of those two hearings, Witty faced questions about the cyberattack from senators on the Finance Committee. In response to questions from Sen. Ron Wyden, Witty said that “as of today, across UHG, all of our exterior-facing systems have multi-factor authentication enabled.”
“We have a mandated organization-wide policy for multi-factor authentication across all of our external systems, which is in place,” Witty said.
When asked to confirm Witty’s statement, UnitedHealth Group spokesman Anthony Marusic told TechCrunch that Witty “was very clear with his statement.”
Witty blamed the fact that Change Healthcare’s systems had not yet been upgraded after the company was acquired by UnitedHealth Group in 2022.
“We were in the process of upgrading the technology we had acquired. But in there, there was one server, which I’m incredibly disappointed to tell you, that was not protected by MFA,” Witty said. “This was the server through which the cybercriminals were able to get into Change. And then they led, if you will, a ransomware attack, which encrypted and froze large parts of the system.”
Witty also said the company is still working to understand exactly why this server did not have multi-factor authentication enabled.
Wyden criticized the company’s failure to upgrade the server. “We heard from your people that you had a policy, but not everyone implemented it. And that’s why we have the problem,” Wyden said.
UnitedHealth has not yet notified people affected by the cyberattack, Witty said during the hearing, arguing that the company still needs to determine the extent of the hack and the information stolen. For now, the company said only that the hackers stole the personal and health data of “a significant percentage of people in America.”
Last month, UnitedHealth said it paid $22 million to hackers who broke into the company’s systems. Witty confirmed this payment during the Senate hearing.