
Change Healthcare Cyberattack Linked to Absence of Multifactor Authentication, Says UnitedHealth CEO

The recent cyberattack on Change Healthcare, a significant incident that disrupted healthcare systems across the United States, was a focal point of discussion during a U.S. Senate hearing. UnitedHealth CEO Andrew Witty revealed that the breach, which occurred in February, was facilitated through a server that lacked multifactor authentication—a basic yet crucial security measure. This oversight has drawn criticism from Senate Finance Committee members, highlighting the importance of fundamental cybersecurity practices.

Cyberattack Due to No Multifactor Authentication

During the hearing, Oregon Democratic Sen. Ron Wyden expressed his frustration, stating that this breach could have been prevented with what he termed "cybersecurity 101." Multifactor authentication, which requires users to provide two or more verification factors to gain access to an account, is widely regarded as an essential defense against unauthorized access, particularly for systems handling sensitive information.

The attack on Change Healthcare had far-reaching consequences: ransomware encrypted and froze significant portions of the company's systems. This disruption severely impacted payment and claims processing nationwide, causing considerable strain on healthcare providers. In response to the attack, UnitedHealth was compelled to pay a $22 million ransom and undertook extensive efforts to rebuild its platform from scratch to eliminate any vulnerabilities that might have been exploited during the breach.

CEO Andrew Witty expressed his frustration upon discovering the absence of multifactor authentication within Change Healthcare's security measures, especially considering it is a standard practice across UnitedHealth. The company is now focused on upgrading its technology and ensuring such oversights are not repeated in the future.

In March, the Office for Civil Rights announced an investigation into the breach to determine if protected health information was compromised and whether Change Healthcare complied with patient privacy laws. Although there is no evidence suggesting the release of complete medical histories or doctor charts, personal information covering a substantial portion of the American population may have been exposed.

Change Healthcare plays a pivotal role in the healthcare industry, handling approximately 14 billion insurance claim transactions annually. The acquisition of Change Healthcare by UnitedHealth in a deal valued at roughly $8 billion in 2022 underscores its significance in healthcare processing and technology.

As UnitedHealth continues its recovery and system enhancement efforts post-attack, CEO Andrew Witty's apology to Senate members reflects a commitment to rectifying the security lapse and preventing future breaches. This incident serves as a stark reminder of the critical importance of implementing robust cybersecurity measures in protecting sensitive data within the healthcare sector.
