Following a cyberattack on its subsidiary Change Healthcare earlier this year, UnitedHealth Group has enabled multi-factor authentication (MFA) on all of its systems exposed to the internet. This move comes in response to the fact that the lack of MFA was a key factor in the ransomware attack that hit Change Healthcare, impacting pharmacies, hospitals, and doctor’s offices across the United States.
In a written statement submitted to Congress ahead of two hearings, UnitedHealth Group CEO Andrew Witty revealed that hackers used a set of stolen credentials to access a Change Healthcare server that was not protected by MFA. From there, the hackers were able to move into other company systems, exfiltrating data and encrypting it with ransomware.
During the first of those hearings, Witty faced questions from senators on the Finance Committee about the cyberattack. In response to questions by Sen. Ron Wyden, Witty confirmed that “as of today, across the whole of UHG, all of our external facing systems have got multifactor authentication enabled.”
A UnitedHealth Group spokesperson confirmed Witty’s statement, emphasizing that the company has an enforced policy across the organization to have MFA on all external systems.
Witty attributed the lack of MFA on the breached Change Healthcare server to the fact that the company was still in the process of upgrading the technology after acquiring Change Healthcare in 2022. He expressed frustration that the server was not protected by MFA and acknowledged that it was through this server that the cybercriminals were able to access Change Healthcare’s systems and launch the ransomware attack.
Witty also stated that the company is still investigating why that particular server did not have MFA enabled. Sen. Wyden criticized the company for failing to fully implement its MFA policy, stating, “We heard from your people that you had a policy, but you all weren’t carrying it out. And that’s why we have the problem.”
UnitedHealth Group has not yet notified individuals who were impacted by the cyberattack, as the company is still working to determine the extent of the hack and the stolen information. As of now, the company has only said that hackers stole personal and health information data of “a substantial proportion of people in America.” Last month, UnitedHealth Group confirmed that it paid $22 million to the hackers who breached its systems, a payment that Witty confirmed during the Senate hearing.
