UnitedHealth data breach caused by lack of multifactor authentication, CEO says
Hackers breached the computer system of a UnitedHealth Group subsidiary and released ransomware after stealing someone's password, CEO Andrew Witty testified Wednesday on Capitol Hill. The cybercriminals entered through a portal that didn't have multifactor authentification (MFA) enabled.
During an hourslong congressional hearing, Witty told lawmakers that the company has not yet determined how many patients and health care professionals were impacted by the cyberattack on Change Healthcare in February. The hearing focused on how hackers were able to gain access to Change Healthcare, a separate division of UnitedHealth that the company acquired in October 2022. Members of the House Energy and Commerce Committee asked Witty why the nation's largest health care insurer did not have the basic cybersecurity safeguard in place before the attack.
"Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty said. "But for some reason, which we continue to investigate, this particular server did not have MFA on it."
