UnitedHealth CEO Doesn’t Know Why Hacked Server Was Unprotected

(Bloomberg) — UnitedHealth Group Inc. Chief Executive Officer Andrew Witty told lawmakers the company is still trying to determine why its computer systems were left vulnerable to hackers who perpetrated a devastating cyberattack.

Lawmakers zeroed in on the lax defenses during more than two hours of questioning by the Senate Finance committee Wednesday. The intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure used on consumer bank accounts — and got access to a hoard of health and personal data on a vast proportion of Americans.

“We’re trying to dig through exactly why that server had not been protected,” Witty told lawmakers in more than two hours of questioning. “I’m as frustrated as anybody about that fact.”

Some lawmakers said the company had neglected basic safeguards and failed both to prevent the attack and recover from it, with backup systems that were also vulnerable. “This company flunked both,” said Senator Ron Wyden, the Oregon Democrat who chairs the Finance Committee.

The largest US health insurer faced aggressive questions from some lawmakers over the February hacking incident, including concerns about whether its vast reach into myriad health-care operations concentrated risk that cybercriminals exploited. The hack snarled payments for doctors and hospitals.

The ransomware strike that wrecked systems at UnitedHealth’s Change Healthcare subsidiary will likely be the largest health-care data breach in the US to date, the company said. It’s also among the most costly hacks ever, denting UnitedHealth’s profit by as much as $1.6 billion this year.

Witty is the sole witness scheduled for hearings at the Senate Finance Committee Wednesday morning and the House Energy and Commerce Oversight and Investigations Subcommittee in the afternoon. Lawmakers from both parties expressed concern about UnitedHealth’s size at a separate House panel two weeks ago.

Senator Elizabeth Warren, the Massachusetts Democrat, called on regulators to break up the company during the Wednesday hearing. Even conservatives expressed concern about its corporate power.

“Is the dominant role of United too dominant, because it’s into everything, and messing up United messes up everybody?” said Senator Bill Cassidy, a Republican from Louisiana.

Witty said Change Healthcare’s footprint was the same as it was before UnitedHealth acquired it in 2022. The company UnitedHealth bought for almost $8 billion ran on legacy technology, he said, with some systems 40 years old. “We’ve been working to improve those,” he said.

UnitedHealth’s shares were up less than 1% at 11:56 a.m. in New York, after the Senate hearing concluded.

Lax Defense

Wyden said the committee is drafting legislation in response to the attack. He called again for standards for the industry, and said larger companies would have to meet tougher standards. “The bigger the company the more significant your responsibilities,” he said.

UnitedHealth faces constant attacks from intruders trying to crack digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of those attempts wasn’t immediately clear.

Despite the persistent threat, he said the intruders gained entry to Change Healthcare’s systems through a Citrix remote access portal that wasn’t protected by multifactor authentication, a common cyber defense meant to thwart hackers by requiring more than a password to verify that a login is legitimate.

Once they broke into the system on Feb. 12, attackers claiming to be the notorious cybercrime group BlackCat pilfered data undetected for more than a week. They deployed ransomware nine days later. Witty said he was at a board meeting when he learned of the attack on Feb. 21.

Wyden questioned whether UnitedHealth knew how much personal data of its users was stolen. “You don’t have the logs to show what data walked out the door,” he said.

The full extent of that breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The theft could cover a “substantial proportion” of Americans, the company has said. It’s set up a site to offer credit monitoring and other help.

Witty said he decided to pay a ransom to protect patient data, “one of the hardest decisions I’ve ever had to make.” He confirmed that the payment was $22 million, a figure that has previously been reported based on an analysis of cryptocurrency payments.

He also said the attackers locked up the company’s backup systems, lengthening the time it took to restore Change Healthcare’s services. UnitedHealth rebuilt much of the infrastructure from scratch on cloud-based systems, he said.

He told the committee that UnitedHealth’s response, disconnecting Change’s systems from the rest of the health-care world, was “swift and forceful.” While that was “extremely disruptive,” he said it stopped the damage from spreading more widely.

The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash-flow interruptions.

Witty also said the company supports minimum security standards for health-care companies and improvements to the US’s cyber defenses, including standardized reporting of cybersecurity events.

–With assistance from Jamie Tarabay, Alexander Ruoff and Andrew Martin.

(Updates with additional information from Senate hearing throughout)

©2024 Bloomberg L.P.

