UnitedHealth CEO Admits Paying $22 Million to Change Healthcare Hackers

By Trisha Andrada

May 02 2024, 00:59 AM EDT

UnitedHealth's CEO Andrew Witty Testifies To Senate Finance Committee — UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, DC. Kent Nishimura/Getty Images

UnitedHealth Group CEO Andrew Witty acknowledged on Wednesday, May 1, that the company had paid a ransom of $22 million to the hackers who had breached its subsidiary Change Healthcare, causing months of disruption for medical facilities across the United States.

Recently, UnitedHealth admitted to paying a ransom to the hackers, but it did not reveal how much it had paid.

CEO Andrew Witty Testifies Before the Senate Committee on Finance

During his testimony before the Senate Committee on Finance, Witty claimed full responsibility for paying the multimillion-dollar ransom and said it was one of the hardest decisions he ever had to make, The Verge reported.

Witty testified that the Change Healthcare Citrix portal did not have multifactor authentication and that criminals had exploited hacked credentials to get remote access to computers using the portal.

Senator Ron Wyden of Oregon said that basic cybersecurity knowledge might have prevented the breach. After Witty verified that UnitedHealth would use multifactor authentication companywide moving forward, Wyden said that a major system hack should not have been necessary to execute this minimal security measure.

BlackCat Triggers the Worst Cyberattack in the US Healthcare Sector

In March, the business said the attack had been carried out by Russia-based ransomware gang BlackCat, also known as ALPHV.

The breach, which the gang said it conducted in February, resulted in more than six gigabytes of data. The ransomware group claimed that the data included sensitive medical information.

The hack has far-reaching consequences. Upon discovering the breach, UnitedHealth disabled the Change Healthcare system for one week, preventing hospitals, clinics, and pharmacies nationwide from receiving payments.

In his statement, Witty assured the Senate Committee that everything was normal. However, Witty was informed that healthcare providers, including hospitals, are still awaiting reimbursement. Wyden told Witty that some providers who submitted claims in February had been advised that they would not be compensated until June.