The cyberattack that caused massive disruption to health care systems across the US earlier this year was an easy payday for hackers, UnitedHealth Group CEO Andrew Witty admitted Wednesday. He told the Senate Finance Committee that criminals using "compromised credentials" accessed a Change Healthcare portal that did not have multifactor authentication, CBS News reports. The lack of the basic form of security allowed hackers to unleash a ransomware attack that froze large parts of the system, reports the AP. Witty said that in "one of the hardest decisions" he's ever had to make, he agreed to pay $22 million to the BlackCat cybercriminal gang.
"This hack could have been stopped with cybersecurity 101," Democratic Sen. Ron Wyden, the committee's chairman, told Witty. Republican Sen. Thom Tillis held up a copy of the book Hacking for Dummies. Witty said multifactor authentication is standard at UnitedHealth and he was "incredibly frustrated" to find that it was lacking at Change, which the company bought in 2022. He said he was "deeply, deeply sorry" and that the company had "literally built this platform back from scratch." The Feb. 21 hack disrupted payment systems, causing major problems at hospitals, doctors' offices, and pharmacies.
Change, which processes around 15 billion transactions a year, "serves as a digital highway between health insurers and hospitals and doctors," as the New York Times puts it. During Wednesday's hearing, Democratic and Republican senators suggested the hack was so devastating because UnitedHealth, the world's' 11th-biggest company, makes up such a huge part of the nation's health care system, the Times reports. The hack "is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up larger and larger shares of the health care system," Wyden said. (More UnitedHealth stories.)