One-third of Americans could be impacted by Change Healthcare cyberattack
In testimony to Congress on Wednesday, UnitedHealth CEO Andrew Witty estimated that a third of Americans' personal information was compromised during a February ransomware assault on a UnitedHealth Group subsidiary that affected pharmacies around the country.
Witty stated in written testimony that it will most likely take "several months" for UnitedHealth to identify and contact Americans affected by the theft since the business is still digging through the stolen data.
Highlights:
- A February ransomware attack on UnitedHealth compromised data of one-third of Americans, CEO Andrew Witty testified.
- The attack disrupted medical claims processing, leading to a $22 million ransom payment.
- Senators are advocating for stricter cybersecurity measures, with the Department of Health and Human Services investigating UnitedHealth's data protection.
In hours of Senate and House hearings Wednesday, Witty apologized to patients and physicians, admitting that hackers gained access to the subsidiary via a poorly protected computer system, and stated that he ordered a $22 million ransom payment to the hackers.
The evidence demonstrates that the extent of what experts see as the most serious health-care hack in US history is significantly larger than previously thought. The hacking event has prompted some senators to advocate for cybersecurity restrictions for health-care providers.
The February ransomware assault crippled systems that Change Healthcare, a UnitedHealth subsidiary, uses for handling claims for medical care across the country. According to one hospital group, health providers have been denied billions of dollars in reimbursements, and numerous health facilities have warned CNN that they are on the verge of going bankrupt. The Department of Health and Human Services is looking into whether UnitedHealth followed federal law in preserving patient data.
More than two months after the ransomware assault, Witty hailed the company's recovery efforts, which included reconstructing computer systems and returning insurance claims to "near-normal" levels. However, he stated that the process of identifying and contacting Americans impacted by the attack was time-consuming, in part due to data files being stolen during the event.
During the session, some members questioned if UnitedHealth and Change Healthcare, which conduct over 15 billion health care transactions yearly, controlled a sizable piece of the US health industry, making it vulnerable to hackers and other disruptions.