UnitedHealth’s CEO says the company paid the hackers $22 million in ransom

UnitedHealth Group CEO Andrew Whitty confirmed for the first time that the company had paid a $22 million ransom to hackers who broke into its subsidiary Change Healthcare and caused widespread repercussions in the healthcare sector. Witty’s comments were made during a hearing Wednesday before the US Senate Finance Committee.

Change Healthcare provides payments, revenue management and other solutions such as e-prescription software. The company disconnected the affected systems when the threat was discovered, leaving many doctors temporarily unable to fill prescriptions or get paid for their services.

UnitedHealth told CNBC in April that it paid the ransom to try to protect patient data. Earlier reports had opened a transfer of 22 million dollars on the Bitcoin blockchain, but the company had not confirmed the figure until now.

“The decision to pay the ransom was mine,” Whitty said. “It was one of the hardest decisions I’ve ever had to make and I wouldn’t wish it on anyone.

UnitedHealth is one of the largest companies in the world with a market capitalization of about $450 billion. Its Optum business unit — which provides care to 103 million customers — and Change Healthcare — which touches one in three patient records — will merge in 2022.

Committee Chairman Sen. Ron WydenD-Ore., said in opening remarks that the Change Healthcare breach serves as a “dire warning of the consequences of too-big-to-fail mega-corporations.”

“Companies that are this big have an obligation to protect their customers and lead on this issue,” Wyden said.

Witty told the committee that cybercriminals gained access to Change Healthcare through a server that was not protected by multi-factor authentication, or MFA, which requires users to verify their identity in at least two different ways. He said UnitedHealth already has MFA in all external systems.

“As a result of this malicious cyberattack, patients and providers have experienced disruption and people are concerned about their personal health information,” Whitty said. “To all concerned, let me be very clear: I am deeply, deeply sorry.”

Sen. Tom Tillis, RN.C., held up a bright yellow copy of “Hacking for Dummies” during the hearing, saying the breach was UnitedHealth’s responsibility to fix.

“These are some basic things that were missed, so shame on internal audit, external audit and your systems people in charge of booking, they’re not doing their job,” Tillis said.

In a filing with the U.S. Securities and Exchange Commission, UnitedHealth discovered that a cyber threat actor had accessed a portion of Change Healthcare’s information technology network in late February.

Witty said Change Healthcare’s core systems are back online, although some of its secondary support functions are still being restored.

UnitedHealth said in February that the Blackcat ransomware group was behind the attack. Blackcat, which also goes by the names Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to Release in December from the US Department of Justice.

UnitedHealth confirmed in April that files containing protected health information and personal information were compromised in the breach. The company said the data review is ongoing, so it could be months before the company can notify affected individuals.

Whitty said Wednesday that UnitedHealth is working with regulators to evaluate the breach and notify people if their information was compromised “as soon as possible.”

In early March, UnitedHealth launched a temporary funding assistance program to help providers who experienced cash flow disruptions due to the cyber attack. There are no fees, interest or other costs on top of payments, and providers have 45 days to repay the funds once their standard payment operations resume.

During the hearing, Witty said the company has not yet asked anyone to repay loans, and suppliers will determine when their operations are officially back to normal.

Witty did not directly say whether UnitedHealth would provide additional support to providers who may struggle with other loans and interest payments because of the breach.

Sen. Michael Bennett, D-Colo., pressed Witty to share how UnitedHealth is working to ensure that something like the Change Healthcare breach doesn’t happen again. Whitty said the company plans to share what it discovered about the breach with others, adding that it needs to focus on reducing the rate of cyberattacks in the healthcare sector.

“We’re obviously trying to take our responsibility in this attack. We’re also trying to learn from it,” he said.