By Ahmed Aboulenein and Zeba Siddiqui
WASHINGTON (Reuters) – Hackers who breached UnitedHealth’s tech unit in February potentially stole a third of Americans’ data, the largest U.S. health insurer’s CEO told a Congressional committee on Wednesday.
Two Congressional panels grilled CEO Andrew Witty about the cyberattack on the company’s Change Healthcare unit, which processes around 50% of all medical claims in the U.S.
The breach has caused widespread disruptions in claims processing, impacting patients and providers across the country.
Witty fielded heated questions from Senators on the House Energy and Commerce Committee about the company’s failure to prevent the breach and contain its fallout.
Pressed for details on the data compromised, Witty said “maybe a third” of Americans’ protected health information and personally identifiable information was stolen.
“We continue to investigate the amount of data involved here,” he added. “We do think it’s going to be substantial.”
The cybercriminal gang AlphV hacked into Change on Feb. 12 using stolen login credentials on an older server that did not have multi-factor authentication, Witty said.
“It was … a platform which had only recently become part of the company was in the process of being upgraded,” Witty said, referring to UnitedHealth’s $13 billion acquisition of Change in 2022.
The platform also did not have the security measures prescribed in a joint alert issued by the FBI and U.S. cyber and health officials in December 2023 to specifically warn about AlphV, or BlackCat, targeting healthcare organisations.
UnitedHealth paid the gang around $22 million in bitcoin as ransom, Witty said, adding that however there was no guarantee that the breached data was secure and could not still be leaked. Another hacking group claiming to be an offshoot of AlphV said last month it had a copy of the data, though the company has not verified that claim.
The Senate Finance panel probed the outsized influence of UnitedHealth – which has a market capitalization of $445 billion and annual revenue of $372 billion – on American healthcare. But Witty said the company’s problems were not a threat to the broader economy.
Senator Bill Cassidy said senators on the panel “would have to ask, is the dominant role of United too dominant because it is into everything and messing up United messes up everybody?”
“My point is, the size of United becomes a it’s almost a too big to fail and sure, because if it fails, it’s going to bring down far more than it ordinarily would,” Cassidy said.
Witty said in response, “I don’t believe it is because actually despite our size, for example, we have no hospitals in America, we do not own any drug manufacturers.”
Yet, Change processes medical claims for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories in the U.S.
U.S. military members’ data was also stolen in the hack, Witty revealed, without saying how many of them were impacted.
Senate Finance Committee Chairman Ron Wyden called the hack a national security threat.
“I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. UHG was a big target long before it was hacked,” he added.
“UnitedHealth Group has not revealed how many patients’ private medical records were stolen, how many providers went without reimbursement, and how many seniors are unable to pick up their prescriptions as a result of the hack,” said Wyden.
In letters to both congressional committees, the American Hospital Association said an internal survey of its members found that 94% of hospitals reported damage to cash flow, and more than half reported “significant or serious” financial damage due to Change’s inability to process claims.
Similarly, 90% of respondents to an American Medical Association survey of doctors said they continue to lose revenue because of the hack, according to the group’s written testimony to the Senate Finance Committee.
(Reporting by Ahmed Aboulenein, Editing by Nick Zieminski, Chris Sanders and Marguerita Choy)