UnitedHealthcare CEO Confirms Extent of Cyberattack Impact
Two months have passed since hackers compromised Change Healthcare systems, encrypting company data and causing widespread concern. However, the full extent of this cyberattack and its impact on Americans remains unclear. UnitedHealth Group, the parent company of Change Healthcare, has been working tirelessly to assess the damage.
Assessing the Impact of the Breach
Last month, UnitedHealth Group’s CEO, Andrew Witty, revealed that the stolen files contained personal health data of a significant number of Americans. This week, during a House hearing, Witty provided a more specific estimate. According to the CEO, the breach may have affected “maybe a third” of American citizens.
However, Witty was reluctant to provide a more precise figure. The company is still investigating the breach and trying to gauge how many people were truly affected. UnitedHealth’s spokesperson, Anthony Marusic, did not immediately respond to requests for clarification on Witty’s estimate.
Next Steps for UnitedHealth
During a Senate hearing earlier this week, Witty disclosed that victim notification would likely take several months. He also clarified that no evidence of exfiltrated materials, such as doctors’ charts or full medical histories, has been found among the data.
Avoiding Future Breaches
Witty’s testimony revealed that the hackers gained access to a Change Healthcare Citrix portal through compromised credentials. This portal was not protected by multi-factor authentication, a basic yet crucial cybersecurity measure. Had this been in place, the breach might have been prevented.
Senators grilled Witty on this failure, inquiring whether UnitedHealth and Change Healthcare systems now have multi-factor authentication. During the Senate hearing, Witty confirmed that the company has implemented multi-factor authentication across all external systems.
As the dust begins to settle, this incident underscores the importance of robust cybersecurity measures in protecting sensitive data. As healthcare firms continue to digitize their operations, ensuring security should remain a priority. The lessons learned from the UnitedHealth breach will, hopefully, result in strengthened defenses against future cyberattacks.