UnitedHealth CEO tells lawmakers the company paid hackers a $22 million ransom

Senators questioned UnitedHealth Group CEO Andrew Witty on Wednesday about a cyberattack on its subsidiary Change Healthcare.

UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, DC. 


UnitedHealth Group CEO Andrew Witty confirmed for the first time that the company paid a $22 million ransom to hackers who breached its subsidiary Change Healthcare and caused widespread fallout across the health-care sector. Witty's comments were made during a Wednesday hearing before the U.S. Senate Committee on Finance.

Change Healthcare provides payment, revenue management and other solutions like e-prescription software. The company disconnected affected systems when the threat was detected, leaving many doctors temporarily unable to fill prescriptions or get paid for their services.

UnitedHealth told CNBC in April that it paid a ransom to try and protect patient data. Earlier reports had discovered a $22 million transfer on Bitcoin's blockchain, but the company had not confirmed the figure until now.

"The decision to pay a ransom was mine," Witty said. "This was one of the hardest decisions I've ever had to make, and I wouldn't wish it on anyone."

UnitedHealth is one of the largest companies in the world, with a roughly $450 billion market cap. Its business unit Optum — which provides care to 103 million customers — and Change Healthcare — which touches one in three patient records — merged in 2022.

Committee Chairman Sen. Ron Wyden, D-Ore., said in his opening remarks that the Change Healthcare breach serves as a "dire warning about the consequences of too-big-to-fail mega-corporations."

"Companies that are so big have an obligation to protect their customers and to lead on this issue," Wyden said.

Witty told the committee that cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication, or MFA, which requires users to verify their identity in at least two different ways. He said UnitedHealth now has MFA in place across all external-facing systems.

"As a result of this malicious cyberattack, patients and providers have experienced disruptions and people are worried about their private health data," Witty said. "To all those impacted, let me be very clear: I am deeply, deeply sorry."

Sen. Thom Tillis, R-N.C., held up a bright yellow copy of "Hacking for Dummies" during the hearing, saying the breach is UnitedHealth's responsibility to fix.

"This is some basic stuff that was missed, so shame on internal audit, external audit and your systems folks tasked with redundancy, they're not doing their job," Tillis said.

A filing with the U.S. Securities and Exchange Commission said that UnitedHealth discovered that a cyber threat actor accessed part of Change Healthcare's information technology network in late February.

Witty said Change Healthcare's core systems are back online, though some of its secondary support functions are still being restored.

UnitedHealth said in February that the ransomware group Blackcat was behind the attack. Blackcat, which also goes by the names Noberus and ALPHV, steals sensitive data from institutions and threatens to publish it unless a ransom is paid, according to a December release from the U.S. Department of Justice.

UnitedHealth confirmed in April that files containing protected health information and personally identifiable information were compromised in the breach. The company said a data review is ongoing, so it could be months before the company can notify affected individuals.

Witty said Wednesday that UnitedHealth is working with regulators to assess the breach and to inform people if their information has been compromised "as soon as possible."

Early in March, UnitedHealth launched a temporary funding assistance program to help support providers that have experienced cash flow disruptions due to the cyberattack. There are no fees, interest or other costs on top of the payments, and providers have 45 days to repay the funds once their standard payment operations resume. 

During the hearing, Witty said the company has not yet asked anyone for loan repayments, and it will be up to providers to determine when their operations have officially returned to normal.

Witty did not directly disclose whether UnitedHealth will provide additional support to providers who may be contending with other loans and interest payments because of the breach.

Sen. Michael Bennet, D-Colo., pressed Witty to share how UnitedHealth is working to ensure something like the Change Healthcare breach will not happen again. Witty said the company plans to share what it discovers about the breach with others, adding that there's a need to focus on reducing the rate of cyberattacks on the health-care sector.

"We are clearly trying to take our responsibility in this attack. We are also trying to learn from it," he said.
