Two months after hackers breached Change Healthcare’s systems, stealing and then encrypting company data, it’s still unclear how many Americans were affected by the cyber attack.
Last month, Andrew Witty, CEO of Change Healthcare’s parent company UnitedHealth Group, said the stolen records included the personal health information of “a significant percentage of people in America.”
On Wednesday, during a House hearing, when pressed for a more definitive answer, Witty testified that the breach affected “I think, maybe a third [of Americans] or somewhere of that level.”
Witty said he was reluctant to give a more precise answer because the company is still investigating the breach and trying to figure out exactly how many people were affected.
UnitedHealth spokesman Anthony Marusic did not immediately respond to a request for comment on Witty’s assessment.
During a Senate hearing earlier Wednesday, Witty said it will likely take “a few months” before the company starts notifying victims of the data breach.
In a written statement filed by Witty before the two hearings, the CEO wrote that “so far, we have not seen evidence of material intrusion such as physician charts or complete medical history among the data.”
According to Witty’s testimony, the hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal,” which was not protected by multi-factor authentication, a key cybersecurity measure that adds an extra step to logging into accounts and systems.
Had this portal been protected by multi-factor authentication, the breach might not have occurred. Several senators pressed Witty on this failure, asking whether UnitedHealth and Change Healthcare systems are now protected with multi-factor authentication.
During the Senate hearing, Witty said, “We have an agency-wide mandated policy for multi-factor authentication on all of our external systems, which is in place.”