UnitedHealth CEO Admits Paying $22 Million to Change Healthcare Hackers

By Trisha Andrada

May 02, 2024 12:59 AM EDT

UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, DC.
(Photo : Kent Nishimura/Getty Images)

UnitedHealth Group CEO Andrew Witty acknowledged on Wednesday, May 1, that the company had paid a ransom of $22 million to the hackers who had breached its subsidiary Change Healthcare, causing months of disruption for medical facilities across the United States.

UnitedHealth had recently admitted to paying a ransom to the hackers, but it had not revealed how much it paid.

CEO Andrew Witty Testifies Before the Senate Committee on Finance

During his testimony before the Senate Committee on Finance, Witty claimed full responsibility for paying the multimillion-dollar ransom and said it was one of the hardest decisions he ever had to make, The Verge reported.

Witty testified that the Change Healthcare Citrix portal did not have multifactor authentication and that criminals had used compromised credentials to gain remote access to computers through the portal.

Senator Ron Wyden of Oregon said that basic cybersecurity knowledge might have prevented the breach. After Witty confirmed that UnitedHealth would use multifactor authentication companywide moving forward, Wyden said that it should not have taken a major system hack to implement this minimal security measure.


BlackCat Triggers the Worst Cyberattack in the US Healthcare Sector

In March, the company said the attack had been carried out by Russia-based ransomware gang BlackCat, also known as ALPHV.

The breach, which the gang said it conducted in February, resulted in more than six gigabytes of data being taken. The ransomware group claimed that the data included sensitive medical information.

The hack has far-reaching consequences. Upon discovering the breach, UnitedHealth disabled the Change Healthcare system for one week, preventing hospitals, clinics, and pharmacies nationwide from receiving payments.

In his statement, Witty assured the Senate Committee that everything was normal. However, Witty was informed that healthcare providers, including hospitals, are still awaiting reimbursement. Wyden told Witty that some providers who submitted claims in February had been advised that they would not be compensated until June.


© 2024 VCPOST, All rights reserved. Do not reproduce without permission.
