U.S. News

UnitedHealth CEO: No evidence personal data was accessed during ransomware attack

By Mike Heuer   |   May 1, 2024 at 4:03 PM
UnitedHealth Group CEO Andrew Witty said there's no evidence so far that patients' medical and personal information was accessed before the Senate Finance Committee hearing "to examine hacking America's health care, focusing on assessing the Change Healthcare cyber attack and what's next" at the Dirksen Senate office building in Washington, D.C., on Wednesday. Photo by Annabelle Gordon/UPI Sen. Ron Wyden, D-Ore. and chair of the U.S. Senate Committee on Finance (pictured), on Wednesday spoke with CEO of UnitedHealth Group Andrew Witty during a hearing in the Dirksen Senate office building in Washington, D.C. Photo by Annabelle Gordon/UPI Sen. Elizabeth Warren, D-Mass., described UnitedHealth Group as a "monopoly on steroids" and asked if it's under federal investigation for allegedly cheating taxpayers out of $3.7 billion in 2017 through illegal billing for medical services paid by taxpayers, which Witty declined to answer. Photo by Annabelle Gordon/UPI

May 1 (UPI) -- No evidence suggests patients' medical histories and personal data were accessed during a February ransomware attack, UnitedHealth Group CEO Andrew Witty told the Senate Finance Committee Wednesday.

Sen. Ron Wyden, D-Ore., chairs and led the committee hearing regarding the potential severity of the ransomware attack on Change Healthcare, which is a subsidiary of Minnesota-based UnitedHealth Group.


Wyden said UnitedHealth Group generated $324 billion in revenue in 2023, which makes it the nation's fifth-largest company.

He said UnitedHealth Group "touches 152 million individuals" across all of its business lines, including insurance, medical practices, home healthcare and pharmacy services.

Wyden said UnitedHealth Group has purchased dozens of other healthcare companies and is the nation's largest buyer of physician practices.

"This corporation is a healthcare leviathan," he said. "The bigger the company, the bigger the responsibility to protect its systems from hackers."

The FBI says the nation's healthcare industry is the top target for ransomware, and Change Healthcare annually processes about 15 billion healthcare transactions, Witty said.

Those records account for about a third of the nation's patient records and include information of people's "sensitive diagnoses,treatments and medical histories that reveal everything from abortions to mental health disorders," Wyden said.

Data on many military personnel are among those records, which Wyden said is a "clear national security threat."

Witty addressed the committee and its concerns regarding the potential breach of individuals' personal and private medical health data.

"Our response to this attack has been grounded in three principles," Witty told the committee, "to secure the systems, to ensure patient access to care and medication, and to assist providers with their financial needs."

Witty said cyber experts continue to investigate the attack that occurred on Feb. 21 when cyber criminals breached a Change Healthcare portal, removed data and deployed ransomware.

He said the portal wasn't protected by multi-factor authentication.

"To contain infection, we immediately severed connectivity and secured the perimeter of the attack to prevent malware from spreading," Witty said. "It worked. There is no evidence of spread beyond Change Healthcare."

He said corporate officials then contacted the FBI and continue to share information with federal investigators to help bring the perpetrators to justice.

"My overarching priority has been to do everything possible to protect people's personal health information," Witty told the committee, adding that the decision to pay a ransom was his.

Witty said nothing indicates anyone's doctors charts or personal medical histories were accessed during the ransomware attack, but the investigation will continue for several months.

Identifying and notifying people whose health and personal information was accessed during the cyberattack won't be possible until the investigation is completed, he said, because the files containing that information were compromised in the attack.

Witty told the committee UnitedHealth Group is current on all payment processing, has waived payment deadlines and is willing to compensate those negatively impacted by the ransomware attack as needed.

Witty said UnitedHealth Group is providing concerned customers with free credit monitoring and identity theft protection for two years and support services.

Concerned individuals also can visit ChangeCyberSupport.com to learn more about the available services.

They also can call 866-262-5342 to sign up for the free credit monitoring and identity theft protections.

UnitedHealth Group officials in April announced the health insurance and services provider paid an undisclosed ransom to protect patients' data following a ransomware attack on its Change Healthcare technology company.

UnitedHealth Group officials in February identified the BlackCat ransomware gang as the one that committed the cyberattack.

Federal law enforcement opened an investigation into the matter in March.

TWIW gallery