One-third of Americans may have been victims of a massive health care data breach.
UnitedHealth will probably need "several months" to find and inform Americans affected by the hack, as they're still going through the stolen data, Witty stated in his written testimony.
Appearing before the Senate and House for hours of hearings on Wednesday, Witty offered his apologies to patients and doctors, admitted that the hackers infiltrated the subsidiary through an unsecured computer server, and confirmed he authorized a $22 million ransom payment to the hackers.
These testimonies indicate that the extent of the health care cyberattack in US history - considered the most significant - is even greater than initially thought. As a result, some lawmakers are calling for regulations on cybersecurity for health care companies.
The February ransomware attack left Change Healthcare, UnitedHealth's subsidiary, unable to process medical claims across the country. Healthcare providers were unable to access billions of dollars in payments, and some clinics told CNN they were at risk of running out of money. The Department of Health and Human Services is investigating whether UnitedHealth complied with federal law when protecting patient data.
Over two months since the ransomware attack, Witty praised the company's recovery by rebuilding computer systems and bringing insurance claims back to "near-normal" levels. However, he added that the process of identifying and notifying those affected was time-consuming partly because the data files were also taken in the incident.
During the hearing, various lawmakers inquired whether UnitedHealth and Change Healthcare, which processes approximately 15 billion healthcare transactions each year, held too much power in the US health sector, making it prone to cyberattacks and other interruptions.
"Your revenues are larger than some countries' GDP," Sen. Marsha Blackburn, a Tennessee Republican, remarked to Witty. "And how in the world did you not have the redundancies in place so that you did not experience this attack and found yourselves so vulnerable?"
UnitedHealth has pinned the blame on a well-known criminal group called ALPHV, or BlackCat, which the Justice Department claims has engaged in ransomware attacks on global victims.
The FBI generally discourages victims from paying ransoms because it could lead to more attacks. However, UnitedHealth is one of several major US companies that have made multimillion-dollar payments to try and retrieve stolen data or get systems back online. Colonial Pipeline, a pipeline operator that transports fuel to the East Coast, paid a $4.4 million ransom in 2021 after a Russian-speaking ransomware group disrupted pipeline operations for days.
UnitedHealth has maintained it made the payment "as part of the company's commitment to do everything possible to protect patient data from disclosure."
Nonetheless, lawmakers on Wednesday vowed to keep pressing the company for details on the personal information that was accessed.
"Americans are still in the dark about how much of their sensitive information was stolen," Sen. Ron Wyden, an Oregon Democrat who chairs the finance committee, regretted. [Title]: Hack on UnitedHealth Subsidiary: Several Months to Identify and Notify Victims
Read also:
- Year of climate records: extreme is the new normal
- Precautionary arrests show Islamist terror threat
- UN vote urges Israel to ceasefire
- SPD rules out budget resolution before the end of the year
UnitedHealth is still going through the stolen data to identify and inform Americans affected by the hack, as stated by Witty. Due to the data files also being taken in the incident, this process is time-consuming.
Source: edition.cnn.com