UnitedHealth CEO apologizes for data breach, admits server lacked security basics

UnitedHealth CEO Andrew Witty apologized once again for the data breach that affected its Change Healthcare subsidiary, revealing that the hacked server lacked multi-factor authentication protections. "To all those impacted, let me be clear: I'm deeply, deeply sorry..." Witty said in front of the Senate Finance Committee. The hacking incident has raised difficult questions about whether the health care giant has grown too big, with Senator Ron Wyden stating that "The Change hack is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up larger and larger shares of the health care system."

The company has yet to specify the extent of patient data compromised or count the number of patients affected, stating that it will take time to figure this out.

UnitedHealth Group is Minnesota's largest company by revenue and the fourth largest in the US by the same measure. The company's UnitedHealthcare division is the nation's largest health insurer.

The February cyberattack on UnitedHealth's Change Healthcare division exposed significant technology flaws at the company and raised questions about whether the company has grown too big for its own good. Hackers stole health and personal data of what UnitedHealth says is "potentially a substantial proportion" of patient information. UnitedHealth Group shut down Change Healthcare systems used to process payment claims for US health providers to contain the threat. These systems are now back online, but the company cannot yet specify the extent of the breach in terms of how many and which patients have had their data compromised. "The bigger the company, the bigger the responsibility to protect its systems from hackers," Wyden said.

Witty stated that the company is upgrading its cybersecurity and systems, having acquired Change Healthcare in October 2022. Although the company's massive size enabled a swift response to the incident, Wyden promised further investigation of the cyberattack and the company's broader business practices. "The time is long past for a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack," he said.

The company has advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of health care providers. About one-third of these loans have gone to safety net hospitals and qualified health centers that assist high-risk patients and communities. According to a letter sent by Minnesota Attorney General Keith Ellison and 21 other state attorneys general, UnitedHealth must provide more assistance for affected health care providers and patients.

Read more