One challenge to getting the full picture is that hackers also encrypted Change’s customer database, making it hard to know who to notify about the incident, Witty said. UnitedHealth Group will likely need several months of analysis before it can identify and contact everyone affected. And, of course, when dealing with criminals there’s no guarantees: Witty acknowledged that despite his company paying a $22 million ransom, he cannot confirm whether hackers actually deleted all their stolen data. Since that extortion payment, an additional hacking group has come forward claiming to have the stolen data.
Rep. Gary Palmer said national security could be at risk if the theft includes sensitive data on federal employees with high-level security clearances. Foreign adversaries might use the information for blackmail, Rep. Morgan Griffith agreed.
In February, BlackCat ransomware hackers penetrated Change’s systems by taking advantage of a simple mistake: Change hadn’t applied multifactor authentication to a remote desktop access portal, meaning hackers only needed compromised credentials to access it. From there, the hackers spread through Change systems, exfiltrating data over the course of nine days, before ultimately encrypting and demanding payment, Witty testified.
Applying multifactor authentication is a common best practice that the company should’ve been aware of, noted Rep. Kathy Castor. The Department of Health and Human Resources recommended in a 2022 publication that health-care organizations adopt multifactor authentication, and a subsequent 2023 newsletter specifically called for multifactor authentication on remote access services. Plus, the risks were known: UnitedHealth’s May 2022 SEC filing discusses the heightened chance of cyber attacks against remote access services, she said.
But UnitedHealth Group’s company policy is already to have multifactor authentication on all externally facing systems, Witty said, and the company is investigating why it was missing on the targeted server.
Witty suggested the problems may stem from historic practices at Change. In 2022, UnitedHealth Group acquired Change, bringing on board an older company with older technology, he said. UnitedHealth Group had been working to upgrade Change’s systems and cybersecurity but hadn’t finished the job.
Lack of multifactor authentication led to the initial intrusion, but stronger backup practices might have helped Change bounce back. Unfortunately, most of Change’s backups were stored in on-prem data centers that hackers also encrypted during the attack, preventing easy restoration, Witty said. Storing backups in the cloud would’ve been safer, he said.
Now UnitedHealth is rebuilding Change’s infrastructure from scratch, introducing modern and often cloud-based tech with better security, Witty said.
Looking ahead, lawmakers should consider cybersecurity requirements for Medicare contractors, Rep. Frank Pallone said. Witty, too, said in written comments that he’d support mandatory minimum health-care security standards, but that such requirements should be crafted in collaboration with the private sector and that funding and training should be provided to help entities comply.
As for Change’s own restoration, nearly all pharmacies can again process claims, and payment processing is running at about 86 percent of pre-incident levels, Witty wrote. Additionally, medical claims are flowing at “near normal levels” due either to systems being restored or providers switching to different methods.
Still, he acknowledged that some entities that rely on unrestored systems remain unable to switch to other Change systems or to one of its competitors. In such cases, the company is providing them with loans to ease the financial strain. UnitedHealth’s loan program originally came under fire for “suspect” terms and conditions that some providers feared could be wielded “in a predatory way,” said Rep. Kim Schrier. But the company has since revised its approach, Witty said, now offering loans without fees or interest, and letting providers repay 45 business days after self-reporting that their cash flow is back to normal.
Witty also disputed reports that UnitedHealth had snatched up companies that fell into dire financial straits due to revenue drying up during Change’s outage. UnitedHealth’s recent purchase of a medical practice had been agreed to before the attack, and its recent acquisition of two independent physician associations were based on pre-incident economic assessments, Witty told lawmakers.
