The CEO of UnitedHealth Group on Wednesday defended his unilateral decision to pay ransom in the midst of a major cyberattack against the company earlier this year.
In February, a Russia-based hacker group infiltrated the computer system of UnitedHealth subsidiary Change Healthcare in an attack that shut down operations at hospitals and pharmacies for more than a week. In his written testimony prepared for Wednesday's hearing on Capitol Hill, UnitedHealth CEO Andrew Witty defended the health giant's decision to pay a ransom to the cybercriminals and explained how the attack began.
"Criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," Witty said, sharing details on what led to the massive data breach. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."
UnitedHealth has attributed the recent breach to a ransomware gang known as ALPHV or BlackCat. The group took credit for the attack, claiming to have stolen over six terabytes of data, including sensitive medical records, from Change Healthcare. Change Healthcare processes health insurance claims for individuals seeking medical assistance from hospitals, medical centers, or pharmacies.
During his testimony, Witty confirmed that UnitedHealth indeed paid a ransom to BlackCat. He mentioned that this decision was made independently and was one of the most difficult choices he had to make. While the exact ransom amount remains undisclosed by the company, reports suggest that it totaled $22 million in bitcoin.
The impact of the breach was significant, considering that Change Healthcare processes 15 billion transactions annually, as reported by the American Hospital Association. This cyberattack potentially affected not only UnitedHealth customers but also other individuals. The financial toll on UnitedHealth Group has already reached nearly $900 million.
Ransomware attacks, which involve disabling a target's computer systems, have been on the rise in the health care sector. The number of such attacks on hospitals and health care providers doubled from 2016 to 2021, according to a study published in JAMA Health Forum in 2022.