NATIONAL NEWS

A third of Americans could have had data stolen in big health care hack

May 1, 2024, 5:40 PM

UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill in Wash...

UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill in Washington, DC, on May 1, 2024. In February, hackers stole health and personal data of what UnitedHealth says is "potentially a substantial proportion" of patient information from its systems. (Kent Nishimura, Getty Images via CNN Newsource)

(Kent Nishimura, Getty Images via CNN Newsource)

(CNN) — A third of Americans may have had their personal data swept up in a February ransomware attack on a UnitedHealth Group subsidiary that disrupted pharmacies across the US, UnitedHealth CEO Andrew Witty estimated in testimony to Congress on Wednesday.

It will likely take “several months” before UnitedHealth is able to identify and notify Americans impacted by the hack because the company is still combing through the stolen data, Witty said in written testimony.

In hours of hearings in the Senate and House Wednesday, Witty apologized to patients and doctors, admitted that hackers broke into the subsidiary through a poorly protected computer server and confirmed that he authorized a $22 million ransom payment to the hackers.

The testimony shows that the scope of what experts consider to be the most significant health care cyberattack in US history is even bigger than previously known. And the hacking incident has led some lawmakers to call for cybersecurity regulations for health care companies.

The February ransomware attack paralyzed computers that Change Healthcare, the UnitedHealth subsidiary, uses to process medical claims across the country. Health providers were cut off from billions of dollars in payments, according to one hospital association, and some health clinics told CNN they were close to running out of money. The Department of Health and Human Services is investigating whether UnitedHealth complied with federal law in protecting patient data.

Identifying and notifying Americans

More than two months since the ransomware attack, Witty touted the company’s recovery by rebuilding computer systems and getting insurance claims flowing to “near-normal” levels. But, he said the process for identifying and notifying Americans affected by the hack was cumbersome partly because data files were compromised in the incident.

In the hearing, multiple lawmakers asked if UnitedHealth and Change Healthcare, which processes about 15 billion health care transactions annually, controlled an outsized portion of the US health sector, leaving the sector vulnerable to hacks and other disruptions.

“Your revenues are bigger than some countries’ GDP,” Sen. Marsha Blackburn, a Tennessee Republican, told Witty.  “And how in heaven’s name did you not have the necessary redundancies so that you did not experience this attack and find yourself so vulnerable?”

UnitedHealth has blamed its hack on a notorious criminal group called ALPHV, or BlackCat, that the Justice Department says has been responsible for ransomware attacks on victims around the world.

The FBI generally discourages victims to pay a ransom because it can fuel more ransomware attacks. But UnitedHealth is one of multiple major US firms that have made multimillion-dollar ransom payments to try to recover stolen data or get systems back online. Colonial Pipeline, a pipeline operator that transports fuel to the East Coast, paid a $4.4 million ransom in 2021 after a Russian-speaking ransomware group disrupted the pipeline operations for days.

UnitedHealth has said it paid the ransom “as part of the company’s commitment to do all it could to protect patient data from disclosure.”

But lawmakers on Wednesday said they would keep the pressure on the company to get to the bottom of what personal health information was accessed.

“Americans are still in the dark about how much of their sensitive information was stolen,” Sen. Ron Wyden, an Oregon Democrat who chairs the finance committee, lamented.

KSL 5 TV Live

National News

Nicholas Umphenour, 29, appears on court where was sentenced to life in prison, Friday, Oct. 4, 202...

Rebecca Bone, Associated Press

Man charged with helping Idaho inmate escape during a hospital ambush sentenced to life

An Idaho man who ambushed and shot correctional officers at a Boise hospital to help a fellow white supremacist gang member escape was sentenced to life behind bars.

4 hours ago

Video captured the moment when fire was seen underneath a Frontier flight as it landed at Harry Rei...

Sarah Dewberry and Cindy Von Quednow, CNN

Authorities are investigating after a Frontier Airlines plane lands with fire in one engine

Federal authorities say they're investigating the emergency landing of a Frontier Airlines plane in Las Vegas.

4 hours ago

FILE - Idaho Sen. Dan Foreman, R-Moscow, waits for the State of the State address inside the house ...

Associated Press

Idaho state senator tells Native American candidate ‘go back where you came from’

An Idaho state senator is reported to have told a Native American candidate to “go back where you came from” during a candidate forum this week.

4 hours ago

This image released by Warner Bros. Pictures shows Joaquin Phoenix, foreground center, and Brendan ...

Lindsey Bahr, AP Film Writer

‘Joker 2’ stumbles at box office amid poor reviews from audiences and critics

“Joker: Folie à Deux” is the No. 1 movie at the box office but is not destined for a happy ending.

4 hours ago

In this combination of photos taken in Pennsylvania, Democratic presidential nominee Vice President...

David Wright and Alex Leeds Matthews, CNN

How Harris and Trump are shifting their TV advertising in sprint to Election Day

The campaigns of Kamala Harris and Donald Trump made strategic adjustments to the content of their TV advertising between August and September

6 hours ago

FILE - The Supreme Court is seen at sundown in Washington, Nov. 6, 2020. (AP Photo/J. Scott Applewh...

John Fritze, CNN

Supreme Court returns to work with an eye on a post-election fight

The Supreme Court returns to its bench Monday with an agenda that includes cases on guns, pornography and transgender medical care.

7 hours ago

Sponsored Articles

abstract vector digital social network technology background...

Les Olson

Protecting yourself against social engineering attacks

Learn more about the common types of social engineering to protect your online or offline assets from an attack.

family having fun at home...

Lighting Design

Discover the impact of lighting on your mood

From color temperature to lighting saturation, we tackle how different lighting design setups can impact your day-to-day mood.

Laptops in a modern technology store. Department of computers in the electronics store. Choosing a ...

PC Laptops

How to choose the best laptop for college students

Finding the right laptop for college students can be hard, but with this guide we break down what to look for so you can find the best one.

young male technician is repairing a printer at office...

Les Olson

Unraveling the dilemma between leasing and buying office technology

Carefully weigh these pros and cons to make an informed decision that best suits your business growth and day-to-day operation. 

A kitchen in a modern farmhouse....

Lighting Design

A room-by-room lighting guide for your home

Bookmark this room-by-room lighting guide whenever you decide to upgrade your lighting or style a new home.

Photo courtesy of Artists of Ballet West...

Ballet West

The rising demand for ballet tickets: why they’re harder to get

Ballet West’s box office is experiencing demand they’ve never seen before, leaving many interested patrons unable to secure tickets they want.

A third of Americans could have had data stolen in big health care hack