In written testimony provided ahead of two scheduled May 1 congressional hearings, UnitedHealth Group CEO Andrew Witty said it was his decision to pay ransom in an attempt to protect patient data stolen during the February cyberattack against one of its subsidiaries, Change Healthcare.
"As we have addressed the many challenges in responding to this attack, including dealing with the demand for ransom, I have been guided by the overriding priority to do everything possible to protect people's personal health information," Mr. Witty said in the written testimony. "As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."
Here are six things to know from Mr. Witty's testimony:
1. Mr. Witty said UnitedHealth "repels an attempted intrusion every 70 seconds," thwarting more than 450,000 attempts per year.
2. He said cybersecurity experts are continuing to investigate the Change breach. He shared that on Feb. 12, criminals used compromised credentials to remotely access a Change Citrix portal. The portal did not have multi-factor authentication. Once the criminals gained access, they "moved laterally within the systems in more sophisticated ways and exfiltrated data." Ransomware was deployed nine days later.
3. So far UnitedHealth has not seen evidence of exfiltration of materials such as physicians' charts or full medical histories among the data.
4. It is likely to take months of analysis before enough information will be available to identify and notify affected customers and individuals, "partly because the files containing that data were compromised in the cyberattack," he said.
5. Mr. Witty said UnitedHealth will comply with legal requirements and provide notice to affected individuals, and the company is working closely with HHS' Office of Civil Rights to "make sure our notice is effective, useful and complies with the law."
6. As of April 26, UnitedHealth Group has advanced more than $6.5 billion in accelerated payments and no-interest loans. About 34% of the loans went to safety-net hospitals and federally qualified health centers.