A third of Americans could be affected by a Change Healthcare cyber attack

UnitedHealth Group Chief Executive Andrew Whitty told lawmakers on Wednesday that the data of about a third of Americans may have been compromised in the cyberattack on its Change Healthcare subsidiary and that the company paid a $22 million ransom to hackers.

Whitty testified before the Subcommittee on Oversight and Investigations, which falls under the House Energy and Commerce Committee. He said the investigation into the breach is still ongoing, so the exact number of people affected remains unknown. The one-third figure is a rough estimate.

UnitedHealth previously said the cyberattack likely affected “a significant portion of people in America,” according to the Release in April. The company confirmed that files containing protected health information and personal information were compromised in the breach.

It will likely be months before UnitedHealth is able to notify individuals given the “complexity of the data review,” the release said. The company offers free access to identity theft protection and credit monitoring for individuals concerned about their data.

Whitty also testified before the US Senate Finance Committee on Wednesday, when he confirmed for the first time that the company paid a $22 million ransom to the hackers who broke into Change Healthcare. At a hearing before House lawmakers later that afternoon, Whitty said the payment was made in bitcoin.

UnitedHealth disclosed that a cyber threat actor breached a portion of Change Healthcare’s information technology network in late February. The company disconnected the affected systems when the threat was discovered, and the disruption caused widespread repercussions across the US healthcare sector.

Whitty told the subcommittee in his written testimony that cyberattackers used “compromised credentials” to break into Change Healthcare’s systems on Feb. 12 and deployed ransomware that encrypted the network nine days later.

The portal that the bad actors initially accessed was not protected by multi-factor authentication, or MFA, which requires users to verify their identity in at least two different ways.

Whitty told both committees Wednesday that UnitedHealth now has MFA in all external systems.