UnitedHealthcare CEO says 'maybe a third' of US citizens were affected by recent hack

Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, itā€™s still unclear how many Americans were impacted by the cyberattack.

Last month, Andrew Witty, the CEO of Change Healthcareā€™s parent company UnitedHealth Group, said that the stolen files include the personal health information of ā€œa substantial proportion of people in America.ā€

On Wednesday, during a House hearing, when pushed to give a more definitive answer, Witty testified that the breach impacted ā€œI think, maybe a third [of Americans] or somewhere of that level.ā€

Contact Us

Do you have more information about the Change Healthcare ransomware attack? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

ADVERTISEMENT

Witty said he was reluctant to give a more precise answer because the company is still investigating the breach and trying to figure out exactly how many people were affected.

UnitedHealthā€™s spokesperson Anthony Marusic did not immediately respond to a request for comment on Wittyā€™s estimate.

During a hearing in the Senate earlier on Wednesday, Witty said that it will likely take ā€œseveral months,ā€ before the company can begin notifying victims of the data breach.

In a written statement filed by Witty ahead of the two hearings, the CEO wrote that ā€œso far, we have not seen evidence of exfiltration of materials such as doctorsā€™ charts or full medical histories among the data.ā€

According to Wittyā€™s testimony, the hackers ā€œused compromised credentials to remotely access a Change Healthcare Citrix portal,ā€ which was not protected by multi-factor authentication, a basic cybersecurity measure that adds an extra step to log into accounts and systems.

ADVERTISEMENT

Had that portal had multi-factor authentication enabled, the breach may not have happened. Several Senators grilled Witty on that failure, asking him whether UnitedHealth and Change Healthcare systems are now protected with multi-factor authentication.

During the Senate hearing, Witty said: ā€œWe have an enforced policy across the organization to have multi-factor authentication on all of our external systems, which is in place.ā€