Christopher Snowbeck | Star Tribune (TNS)
A hugely disruptive cyberattack in February exposed clear technology flaws at a UnitedHealth Group subsidiary, lawmakers said Wednesday, and raised difficult questions about whether the Minnetonka-based health care giant has just gotten too big.
Andrew Witty, the UnitedHealth chief exeutive, offered an apology during testimony before the Senate Finance Committee as he disclosed that a hacked server at the company’s Change Healthcare unit lacked multifactor authentication protections.
This was a significant failure to comply with “cybersecurity 101,” said committee chair Sen. Ron Wyden, a Democrat from Oregon.
Sen. John Barrasso, a Republican from Wyoming, said he was “just not sure why you haven’t had this in place yet.”
Witty said he was “disappointed and frustrated” by the flaw, as well, explaining that UnitedHealth was in the process of upgrading security and systems after acquiring Change Healthcare in October 2022. While the CEO said the company’s massive size and scope has enabled a speedy response to the incident, Wyden promised further investigation both of the cyberattack and broader questions surrounding the company.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Wyden said. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack.”
UnitedHealth Group is Minnesota’s largest company by revenue and the fourth largest firm in the U.S. by the same measure. The company’s UnitedHealthcare division is the nation’s largest health insurer. It also owns a fast-growing health services division called Optum that employs or is affiliated with about 70,000 physicians.
The cyberattack has been a blow to the nation’s health care system because UnitedHealth Group — to contain the threat — had to shut down Change Healthcare systems used widely to process payment claims for U.S. health care providers. Those systems are now getting back to normal, Witty said, but senators grilled the CEO for not yet being able to specify how many and which patients have had their data compromised.
A substantial proportion of Americans may have been impacted, the company says, and Witty said it will take more time to understand exactly who was impacted, including members of the U.S. armed forces. UnitedHealth last week offered credit monitoring and identity theft protection for two years, but this amounts to “cold comfort,” Wyden said.
“This corporation is a health care leviathan,” he said. “I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. … Americans are still in the dark about how much of their sensitive information was stolen.”
Witty told the committee that on Feb. 12 criminals used compromised credentials to access the Citrix portal at Change Healthcare. This portal was used for remote access of desktops, the CEO said.
It was company policy at the time, Witty said, to have multifactor authentication — called MFA for short — on all externally facing systems. He told Wyden that all these systems are now protected in this way.
“To all those impacted, let me be clear: I’m deeply, deeply sorry…,” Witty said. “We will not rest — I will not rest — until we fix this.”
Barrasso said he didn’t understand the oversight, considering he knows how even a small, financially struggling hospital in his home state has been able to implement MFA technology. UnitedHealth Group, meanwhile, is one of the nation’s most financially successful health care companies, with about $22 billion in profits last year alone.
“Did you lack the financial resources to implement a multifactoral authentication system?” Barasso asked.
Wyden said the comments showed there was bipartisan support for the committee to further investigate the issue.
“We’ve just heard excuse after excuse from Mr. Witty,” Wyden said. “The fact is, that first server that was hacked did not have multifactor authentication and Mr. Witty’s head of cybersecurity knew about it.”
Brett Callow, an analyst with the cybersecurity firm Emsisoft, said multifactor authentication can stop a significant number of attacks and is a “basic defense mechanism I’d have expected to be implemented.” At the same time, Callow said it’s not absolutely certain that this technology would have blocked the attack.
“Locking your door doesn’t guarantee that a burglar won’t get it, it just makes it less likely,” he said in an email. “Same here.”
The slow timeline for restoring services after the cyberattack shows a clear lack of system redundancy within Change Healthcare, said Sen. Thom Tillis, R-N.C. While holding up a copy of the book “Hacking for Dummies,” Tillis told Witty: “This was some basic stuff that was missed.”
The CEO responded by stressing the relatively short duration of time since UnitedHealth Group acquired Change Healthcare in October 2022. “It’s very frustrating that there wasn’t a quick redundancy switchover,” Witty said.
Witty was scheduled to testify before a House committee Wednesday afternoon. While the hearings were scheduled in response to the cyberattack, the Washington Post reported Tuesday that there’s growing concern in the nation’s capital about the company’s enormous size is an economic and security liability.
“UnitedHealth is a monopoly on steroids,” Sen. Elizabeth Warren, D-Mass., said during the committee hearing.
Last week, Minnesota Attorney General Keith Ellison and 21 other state attorneys general sent a letter pushing UnitedHealth Group to provide more help for affected health care providers and patients.
In remarks prepared for the House committee, Witty said UnitedHealth Group has advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of health care providers. About one-third of these loans, Witty said, have gone to safety net hospitals and federally qualified health centers that help high-risk patients and communities.
Minnesota health care providers, including small mental health clinics, were critical in the first few weeks after the cyberattack of the company’s initial financial assistance offers. One clinic in Roseville told the Star Tribune that UnitedHealth Group initially offered just $90 per week.
The company rolled out a second program designed to provide more help.
“While some of our early estimates of providers’ potential gaps did not address their full need given our lack of visibility into their claims flow, we quickly adjusted,” Witty said.
©2024 StarTribune. Visit at startribune.com. Distributed by Tribune Content Agency, LLC.