Medical health insurance supplier UnitedHealth paid a multimillion-dollar ransom to hackers who broke into one in every of its subsidiaries, disrupting healthcare suppliers throughout the nation for months, CEO Andrew Witty confirmed on Wednesday.
In a listening to earlier than the Senate Committee on Finance, Witty mentioned the choice to pay the $22 million ransom was fully his. “This was one of many hardest choices I’ve ever needed to make,” he mentioned. UnitedHealth admitted final month that it had paid a ransom to the hackers who breached the Change Healthcare system — which is owned by UnitedHealth — however didn’t disclose the sum. In March, the corporate attributed the breach to BlackCat, the identical entity accountable for the MGM on line casino hack in Las Vegas. That very same month, Wired reported that BlackCat, which additionally goes by ALPHV, acquired a $22 million transaction on Bitcoin on March 1st.
BlackCat beforehand claimed it netted greater than six terabytes of knowledge as a part of the hack, which it carried out in February of this yr. The ransomware gang mentioned the information included “delicate” medical information, in keeping with CBS Information.
“Criminals used compromised credentials to remotely entry Change Healthcare Citrix portal, an software used to allow distant entry to desktops,” Witty mentioned throughout his testimony, including that the portal “didn’t have multifactor authentication.”
“This hack might’ve been stopped with cybersecurity 101,” mentioned Sen. Ron Wyden (D-OR), the chair of the committee. After Witty confirmed United would require multifactor authentication companywide going ahead, Wyden mentioned it “shouldn’t have taken the worst cyberattack ever within the healthcare sector for an settlement to do that naked minimal.”
The consequences of the hack have been far-reaching. After the breach was found, United shut down the Change Healthcare system for per week, which prevented hospitals, clinics, and pharmacies throughout the nation from getting paid. Throughout the listening to, Witty mentioned the system is now “broadly again to regular.” However some senators instructed Witty that hospitals and different healthcare suppliers are nonetheless ready on funds. Wyden (D-OR) instructed Witty that some suppliers who filed claims in February have been instructed they’d have to attend till June to receives a commission.
UnitedHealth manages greater than one-third of all affected person information within the US and oversees 1 in 10 medical doctors throughout the nation, in keeping with a letter the American Hospital Affiliation despatched to the Division of Well being and Human Providers in March. In his opening remarks, Wyden known as United a “healthcare leviathan” and described the hack as a “dire warning concerning the penalties of too-big-to-fail mega-corporations.”