Senators blast UnitedHealth CEO for lackluster cybersecurity, monopoly | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware

UnitedHealth CEO Andrew Witty (above) testifies in front of senate and committee members about Change Healthcare cyberattack by AlphV. The vulnerable platform hackers used to access sensitive information at Change did not meet the security guidelines prescribed by the FBI and U.S. cyber and health officials issued in Dec. 2023, which warned about AlphV/BlackCat focusing on healthcare organizations. (Photo: Al Drago/Bloomberg)

U.S. lawmakers questioned UnitedHealth Group’s chief executive officer, Andrew Witty, on May 1 over the devastating cyberattack on its subsidiary Change Healthcare in February. The attack crippled the U.S. healthcare system for several weeks, affecting health insurers, hospitals, doctors, pharmacies, patients and the finances of all parties. UnitedHealth recently admitted to paying a $22 million ransom in Bitcoin to the cybercriminal gang responsible, AlphV. However, some documents were still released in April when slighted threat actors asked for more money. The full impact of the cyberattack on Change remains unknown, but Witty gave senators a closer look at when and how AlphV gained access to its system.

To understand the magnitude of the cyberattack, readers must first understand the massive control UnitedHealth and its subsidiaries have on the U.S. healthcare system:

  • UnitedHealth manages about 15 billion transactions per year and one-third of American patient records.
  • UnitedHealth is the parent company of Change Healthcare and OptumRX, one of the biggest pharmacy benefit managers in the U.S.
  • One in 10 doctors in the U.S. are overseen by UnitedHealth.
  • UnitedHealth’s revenue in 2023 was $371 billion.
  • UnitedHealth is the 11th biggest company worldwide.
  • Change Healthcare processes claims and payments for an estimated 900,000 doctors, 5,500 hospitals, 33,000 pharmacies and 600 laboratories.

Witty was summoned to testify in front of the Senate Finance Committee and House Energy and Commerce Committee panel on May 1, where senators criticized the healthcare giant’s handling of the hack. Democrat and Republican senators came together to question if the company was too deeply engrained in the medical system due to the sheer breadth of data stolen. Witty admitted the data breach compromised about one-third of American’s medical records.

What the ‘hack’ happened 

Witty’s testimony painted a clearer picture of the timeline of the Change Healthcare hack, which started nine days before UnitedHealth shut down the system. On Feb. 12, Alphv (also called BlackCat) broke into Change’s systems using an old server that did not have the number one cybersecurity measure: multifactor authentication (MFA). Hackers used “compromised credentials,” like stolen passwords, and easily gained access through legacy technology employed by Change. Witty acknowledged the poor digital security, including an inadequate backup plan and no way to cover payments for providers in the interim.

Senator and Chairman of the Finance Committee Ron Wyden (D-Ore.) spoke up, saying UnitedHealth had failed “cybersecurity 101” by not employing the most basic kind of cybersecurity measures (MFAs). Senator Thom Tillis (R-N.C.) held a copy of “Hacking for Dummies” to illustrate the point. Witty said all UnitedHealth “external-facing systems” now use MFAs, and the company is bulking up cybersecurity efforts. Witty alleged UnitedHealth is under a constant barrage of cyber threats, preventing intrusions every 70 seconds, though, notably, not on Feb. 12.

“Monopoly on steroids”

UnitedHealth shut down Change’s system on Feb. 21, stopping cybercriminals from expanding the attack to its other subsidiaries and limiting the scope to Change Healthcare, which it acquired in 2022. The acquisition of Change was initially stalled when The Justice Department tried to block it amid concerns it triggered a mass consolidation in the healthcare industry, and this sentiment was echoed again in the May 1 hearing, with Senator Elizabeth Warren (D-Mass.) calling UnitedHealth “a monopoly on steroids.”

“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Wyden. He expressed frustration about the lack of transparency about the stolen data and emphasized sensitive medical data stolen about active military personnel posed a “clear national security threat.”

Witty admitted the corporation mishandled efforts to cover payments for affected providers, but senators quickly pointed out the company continues to fail victims. “Practically every provider I bump into is waiting to be paid,” Wyden said. Senator Marsha Blackburn (R-Tenn.) agreed, sharing that her office is still bombarded with calls from healthcare providers, some of whom are missing payments equal to a month’s revenue.

In March, the Office for Civil Rights said it also plans to investigate the incident to determine if Change Healthcare followed patient privacy protection laws and whether protected health information was exposed.


Click Here For The Original Source.

National Cyber Security