The CEO of UnitedHealth Group on Wednesday defended his unilateral decision to pay ransom in the midst of a major cyberattack against the company earlier this year.
In February, a Russia-based hacker group infiltrated the computer system of UnitedHealth subsidiary Change Healthcare in an attack that shut down operations at hospitals and pharmacies for more than a week. In his written testimony prepared for Wednesday's hearing on Capitol Hill, UnitedHealth CEO Andrew Witty defended the health giant's decision to pay a ransom to the cybercriminals and explained how the attack began.
"Criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," Witty said, sharing details on what led to the massive data breach. "The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."
UnitedHealth blamed the breach on ransomware gang ALPHV or BlackCat. The group itself claimed responsibility for the attack, alleging it stole more than six terabytes of data, including "sensitive" medical records, from Change Healthcare, which processes health insurance claims for patients who visit hospitals, medical centers or pharmacies.
Witty also confirmed in his testimony that UnitedHealth paid a ransom amount to BlackCat, a decision he stated in prepared remarks that he made on his own. The company has not disclosed the amount of ransom handed over to cybercriminals, but multiple media sources have reported that it paid $22 million in the form of bitcoin.
Deciding to pay the ransom "was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone," Witty said.
The scale of the attack — Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association — meant that even patients who weren't customers of UnitedHealth were potentially affected. The attack has already cost UnitedHealth Group nearly $900 million, company officials said in reporting first-quarter earnings last week.
Ransomware attacks, which involve disabling a target's computer systems, have become increasingly common within the health care industry. The annual number of ransomware attacks against hospitals and other health care providers doubled from 2016 to 2021, according to a 2022 study published in JAMA Health Forum.
Khristopher J. Brooks is a reporter for CBS MoneyWatch. He previously worked as a reporter for the Omaha World-Herald, Newsday and the Florida Times-Union. His reporting primarily focuses on the U.S. housing market, the business of sports and bankruptcy.