UHG CEO Witty Admits Hack hit Third of US Citizens' Data

A third of US citizens face the prospect of having personal data exposed on the dark web following the ransomware attack on US health insurance giant UnitedHealth Group (UHG), a federal committee heard this week.

US government officials have urged both UHG and the wider insurance market to “mitigate harm” in the wake of the ransomware cyberattack on Change Healthcare.

UHG-owned Change Healthcare is one of the US’s largest insurance claim-processing hubs, handling data transfer between providers, payers, and consumers. 

The cyberattack earlier this year took down the company’s entire network, with hospitals, doctors’ offices, and pharmacies reduced to using phones and faxes to process claims and validate patients’ insurance.

It left hospitals unable to check the insurance benefits of in-patients, and unable to process authorisations for patient procedures and surgeries. Neither were they able to process billing for medical services. 

Change Healthcare data 'facing dark web threat'

But Change Healthcare’s operational headaches have been eclipsed by the shocking news that the hack resulted in a third of the US population suffering data compromise on the dark web.

That revelation came during a Congressional committee hearing, who this week grilled UHG CEO Andrew Witty about the cyberattack on the company's Change Healthcare unit, which processes around 50% of all medical claims in the US.

Witty fielded heated questions from Senators on the House Energy and Commerce Committee about the company's failure to prevent the breach and contain its fallout, Reuters reports.

Pressed for details on the compromised data, Witty said “maybe a third” of Americans' protected health information and personally identifiable information was stolen.

“We continue to investigate the amount of data involved here,” he added. “We think it's going to be substantial.”

The cybercriminal gang AlphV claimed responsibility for the February 12 hack, and Witty revealed they gained entry using stolen login credentials on an older server that lacked multi-factor authentication.

"It was a platform that had only recently become part of the company and was in the process of being upgraded," said Witty, referring to UnitedHealth's $13 billion acquisition of Change Healthcare in 2022.

UnitedHealth paid the gang around $22 million in bitcoin as ransom, Witty said, but added that there was “no guarantee” the breached data would not be leaked. US military members' data was also stolen in the hack, Witty also confessed

UnitedHealth hack 'is attack on entire US'

The Senate Finance panel probed the outsized influence of UnitedHealth - which has a market capitalization of $445 billion and annual revenue of $372 billion - on American healthcare. But Witty said the company's problems were not a threat to the broader economy.

Change Healthcare processes medical claims for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories in the US.

Senate Finance Committee Chairman Ron Wyden called the hack “a national security threat”.

He added: "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers.”

A holding statement on the home page of UHG website declares: “We continue to make progress in mitigating the impact to consumers and care providers of the unprecedented cyberattack on the US health system and the Change Healthcare services, while continuing to expand financial assistance to affected providers.”

This will be of scant comfort to those whose data is now available to bad actors who might use the information to defraud them.