UnitedHealth CEO estimates one-third of Americans could be impacted by Change Healthcare cyberattack

UnitedHealth Group CEO Andrew Witty on Wednesday told lawmakers that data from an estimated one-third of Americans could have been compromised in the cyberattack on its subsidiary Change Healthcare, and that the company paid a $22 million ransom to hackers.

Witty testified in front of the Subcommittee on Oversight and Investigations, which falls under the House of Representatives’ Committee on Energy and Commerce. He said the investigation into the breach is still ongoing, so the exact number of people affected remains unknown. The one-third figure is a rough estimate.

UnitedHealth has previously said the cyberattack likely impacts a “substantial proportion of people in America,” according to an April release. The company confirmed that files containing protected health information and personally identifiable information were compromised in the breach. 

It will likely be months before UnitedHealth is able to notify individuals, given the “complexity of the data review,” the release said. The company is offering free access to identity theft protection and credit monitoring for individuals concerned about their data.

Witty also testified in front of the U.S. Senate Committee on Finance on Wednesday, when he confirmed for the first time that the company paid a $22 million ransom to the hackers that breached Change Healthcare. At the hearing before the House legislators later that afternoon, Witty said the payment was made in bitcoin.

UnitedHealth disclosed that a cyberthreat actor breached part of Change Healthcare’s information technology network late in February. The company disconnected the affected systems when the threat was detected, and the disruption has caused widespread fallout across the U.S. health-care sector.

Witty told the subcommittee in his written testimony that the cyberattackers used “compromised credentials” to infiltrate Change Healthcare’s systems on Feb. 12 and deployed a ransomware that encrypted the network nine days later.

The portal that the bad actors initially accessed was not protected by multifactor authentication, or MFA, which requires users to verify their identities in at least two different ways. 

Witty told both committees Wednesday that UnitedHealth now has MFA in place across all external-facing systems.