UnitedHealth CEO tells Senate all systems now have multi-factor authentication after hack

UnitedHealth Group Chief Executive Officer Andrew Witty told senators on Wednesday that the company has now enabled multi-factor authentication on all the company’s systems exposed to the internet in response to the recent cyberattack against its subsidiary Change Healthcare.

The lack of multi-factor authentication was at the center of the ransomware attack that hit Change Healthcare earlier this year, which impacted pharmacies, hospitals and doctors' offices across the United States. Multi-factor authentication, or MFA, is a basic cybersecurity mechanism that prevents hackers from breaking into accounts or systems with a stolen password by requiring a second code to log in.

In a written statement submitted on Tuesday ahead of two congressional hearings, Witty revealed that hackers used a set of stolen credentials to access a Change Healthcare server, which he said was not protected by multi-factor authentication. After breaking into that server, the hackers were then able to move into other company systems to exfiltrate data, and later encrypt it with ransomware, Witty said in the statement.

Today, during the first of those two hearings, Witty faced questions about the cyberattack from senators on the Finance Committee. In response to questions by Sen. Ron Wyden, Witty said that “as of today, across the whole of UHG, all of our external-facing systems have got multi-factor authentication enabled."

“We have an enforced policy across the organization to have multi-factor authentication on all of our external systems, which is in place,” Witty said.

When asked to confirm Witty’s statement, UnitedHealth Group’s spokesperson Anthony ​​Marusic told TechCrunch that Witty “was very clear with his statement.”

Witty blamed the fact that Change Healthcare’s systems had not yet been upgraded after UnitedHealth Group acquired the company in 2022.

“We were in the process of upgrading the technology that we had acquired. But within there, there was a server, which I'm incredibly frustrated to tell you, was not protected by MFA,” Witty said. “That was the server through which the cybercriminals were able to get into Change. And then they led off a ransomware attack, if you will, which encrypted and froze large parts of the system.”

Contact Us

Do you have more information about the Change Healthcare ransomware attack? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

Witty also said that the company is still working on understanding exactly why that server did not have multi-factor authentication enabled.

Wyden criticized the company’s failure to upgrade the server. “We heard from your people that you had a policy, but you all weren't carrying it out. And that's why we have the problem,” Wyden said.

UnitedHealth has yet to notify people that were impacted by the cyberattack, Witty said during the hearing, arguing that the company still needs to determine the extent of the hack and the stolen information. As of now, the company has only said that hackers stole personal and health information data of “a substantial proportion of people in America.”

Last month, UnitedHealth said that it paid $22 million to the hackers who broke into the company’s systems. Witty confirmed that payment during the Senate hearing.

On Tuesday afternoon, Witty also appeared in a House Energy and Commerce committee, where he revealed that "maybe a third" of Americans had their personal health information stolen by the hackers