UnitedHealth CEO grilled by Senate panel for cybersecurity failings in massive hack
The Senate committee criticized UnitedHealth CEO Andrew Witty, who "months in can’t figure out how many people have had their data stolen,” and for the company server not requiring “multifactor authentication” for access.
Members of the Senate Finance Committee finally had their opportunity on Wednesday to grill UnitedHealth Group CEO Andrew Witty about the cyberattack on the company’s Change Healthcare subsidiary. Senators from both parties demanded answers about why the attack happened – and what Witty is doing about it.
“The failures of CEOs like Mr. Witty, who months in can’t figure out how many people have had their data stolen, validate the FBI’s warning,” said Sen. Ron Wyden, D-Ore., who chairs the committee.
Republican Sen. Thom Tillis of North Carolina also was aggressive in his remarks: “I got a notice on possibly being involved in a data breach, and it was kind of interesting, saying, ‘We will help you with your problem,’” he said. “And I’m thinking, ‘No, I will help you with your problem.’ But you’re not going to make this difficult for consumers, and we’ll be keeping track. It’s got to be your problem to fix.”
Witty told a separate House Energy and Commerce committee hearing on Wednesday that hackers used “compromised credentials” that may have included stolen passwords to enter Change’s system. The hacked server did not require multifactor authentication for access, which adds a second layer of security to password-protected accounts by having users enter an auto-generated code.
“This hack could have been stopped with cybersecurity 101,” Wyden said. Witty committed to requiring this type of authentication companywide and deploying the same standards used for federal agencies within the next six months.
“That is one element, but it’s only one element of the defense,” said Witty. “For example, in addition to our normal corporate-wide scanning of our technology environment, we’ve now brought external third parties to do double- or triple-scanning across our systems.”
Sen. Elizabeth Warren, D-Mass., criticized the size of UnitedHealth Group. “You’re now in a position to jack up prices, squeeze competitors, hide revenues and pressure doctors to put profits ahead of patients,” she said. “UnitedHealth is a monopoly on steroids.”
When pressed on the scope of the cyberattack, Witty said consumers likely won’t know whether they have been affected for some time. “It will take several months before enough information will be available to identify and notify impacted customers and individuals,” he said, “partly because the files contained in that data were compromised in the attack.”
Related: House hearing on Change Healthcare hack: Providers testify – UnitedHealth a no-show
The company is offering free credit monitoring and identity theft protections for two years to affected customers and interest-free loans to health-care providers.
“We have advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers,” Witty said. “Most of these funds are for claims for non UHG health plans, and about 34% of the loans have gone to safety-net hospitals and federally qualified health centers. We will provide this assistance for as long as it takes to get providers claims and payments flowing up to pre-incident levels.”
Witty told senators that UnitedHealth is “consistently” under attack and that his company repels an attempted intrusion every 70 seconds.