UnitedHealth’s CEO said the company is still investigating a security failure behind a massive cyberattack.
Testifying before the Senate Finance Committee Wednesday (May 1), Andrew Witty said the company has not yet determined why its computer systems were left open to a ransomware gang that crippled the U.S. healthcare system earlier this year.
According to a report by Bloomberg News, senators spent two hours questioning Witty about UnitedHealth’s defenses, which were breached when intruders accessed a server that wasn’t secured by multifactor authentication.
“We’re trying to dig through exactly why that server had not been protected,” Witty said. “I’m as frustrated as anybody about that fact.”
Lawmakers accused UnitedHealth of failing to establish basic security protocols and to prevent and recover from the breach, as its backup systems were also vulnerable.
“This company flunked both,” said Sen. Ron Wyden, D-Ore., chair of the Finance Committee.
In a written testimony posted earlier this week on the website of the House Energy & Commerce Committee, Witty offered more detail about the attack, which began when hackers broke into UnitedHealth’s Change Healthcare unit’s systems through the Citrix portal.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” the testimony said. “The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
Change Healthcare first mentioned the breach when reporting connectivity issues Feb. 21, saying that “some applications are currently unavailable” and that it was triaging the issue. The problem spilled over into pharmacies and healthcare providers around the country, impacting their payments systems and leaving consumer data vulnerable to exposure.
UnitedHealthcare has said the breach could impact its profits by up to $1.6 billion this year. Witty said during a recent earnings call that the cyberattack cost UnitedHealth $872 million.
He added that the incident “was straight out an attack on the U.S. health system and designed to create maximum damage. I think we’ve got through that very well in terms of the remediation and the build back to functionality.”
Following the attack, a bill was introduced in the Senate that would offer financial incentives for healthcare providers and vendors to achieve minimum cybersecurity standards. The proposed legislation would speed Medicare payments to healthcare providers that have suffered a cyberattack, provided they and their vendors meet those standards.