UnitedHealth Group CEO Andrew Witty told senators Wednesday that the company has now enabled multi-factor authentication on all of the company’s internet-connected systems in response to the recent cyberattack on its subsidiary Change Healthcare.
The lack of multi-factor authentication was at the heart of the ransomware attack that hit Change Healthcare earlier this year, affecting pharmacies, hospitals and doctor’s offices across the United States. Multi-factor authentication (MFA) is a fundamental cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.
In a written statement filed Tuesday before two congressional hearings, Witty revealed that hackers used a series of stolen credentials to access a Change Healthcare server that he said was not protected by multi-factor authentication . After breaking into that server, the hackers were able to break into other companies’ systems to exfiltrate data and later encrypt it with ransomware, Witty said in the statement.
Today, during the first of those two hearings, Witty faced questions about the cyberattack from senators on the Finance Committee. In response to questions from Senator Ron Wyden, Witty said: “As of today, multi-factor authentication is enabled in all of our external-facing systems across UHG.”
“We have an enforced policy across the organization of multi-factor authentication on all of our external systems, which is also in place,” Witty said.
When asked to confirm Witty’s statement, UnitedHealth Group spokesman Anthony Marusic told TechCrunch that Witty “was very clear with his statement.”
Witty blamed Change Healthcare’s systems for not having been updated following the company’s acquisition by UnitedHealth Group in 2022.
“We were in the process of modernizing the technology we had acquired. “But there was a server inside, and I’m incredibly frustrated to tell you that it wasn’t protected by MFA,” Witty said. “This was the server through which the cybercriminals were able to break into Change. And then they launched a ransomware attack, if you will, that encrypted and froze large portions of the system.”
Witty also said that the company is still working to understand exactly why this server does not have multi-factor authentication enabled.
Wyden criticized the company’s failure to update the server. “We heard from your people that you had a policy but you all failed to implement it. And that’s why we have the problem,” Wyden said.
UnitedHealth has not yet notified those affected by the cyberattack, Witty said during the hearing, arguing that the company has yet to determine the extent of the hack and the stolen information. So far, the company has only said that hackers stole personal and health information from “a significant portion of the people of America.”
Last month, UnitedHealth said it had paid $22 million to hackers who broke into the company’s systems. Witty confirmed this payment during the Senate hearing.