In February, a ransomware attack on a UnitedHealth Group subsidiary affected a third of Americans, according to CEO Andrew Witty. It may take several months for UnitedHealth to identify and notify those impacted as they continue to investigate the stolen data. The attack disrupted pharmacies across the US, resulting in billions of dollars in payments being cut off from health providers. The Department of Health and Human Services is investigating whether UnitedHealth complied with federal law in protecting patient data.
Witty testified in a hearing before Congress, apologizing to patients and doctors for the breach. He admitted that hackers accessed the subsidiary through a poorly protected server and authorized a $22 million ransom payment to the hackers. The incident is considered the most significant health care cyberattack in US history, prompting calls for cybersecurity regulations for health care companies. UnitedHealth has been rebuilding its computer systems and claims are now flowing to near-normal levels, but identifying and notifying impacted Americans remains a challenge.
In the hearing, lawmakers questioned UnitedHealth and Change Healthcare’s control over a significant portion of the US health sector, leaving it vulnerable to attacks and disruptions. Senators expressed concern about the company’s vulnerability and lack of necessary redundancies to prevent such attacks. The hack has been attributed to a criminal group called ALPHV, or BlackCat, known for ransomware attacks worldwide. UnitedHealth is one of several major US firms that have made multimillion-dollar ransom payments to recover stolen data or restore systems after ransomware attacks.
The FBI typically discourages victims from paying ransoms as it can lead to more attacks, but UnitedHealth justified the payment as a means to protect patient data from disclosure. Lawmakers have pledged to continue pressuring the company to reveal the extent of the stolen personal health information and ensure transparency for affected individuals. Senator Ron Wyden expressed frustration at Americans being kept in the dark about what sensitive information was compromised in the breach. The hack highlights the need for improved cybersecurity measures in the health care industry to safeguard patient data and prevent future attacks.
