Christopher Snowbeck | Star Tribune (TNS)
A hugely disruptive cyberattack in February exposed clear technology flaws at a UnitedHealth Group subsidiary, lawmakers said Wednesday, and raised difficult questions about whether the Minnetonka-based health care giant has just gotten too big.
Andrew Witty, the UnitedHealth chief exeutive, offered an apology during testimony before the Senate Finance Committee as he disclosed that a hacked server at the company’s Change Healthcare unit lacked multifactor authentication protections.
This was a significant failure to comply with “cybersecurity 101,” said committee chair Sen. Ron Wyden, a Democrat from Oregon.
Sen. John Barrasso, a Republican from Wyoming, said he was “just not sure why you haven’t had this in place yet.”
Witty said he was “disappointed and frustrated” by the flaw, as well, explaining that UnitedHealth was in the process of upgrading security and systems after acquiring Change Healthcare in October 2022. While the CEO said the company’s massive size and scope has enabled a speedy response to the incident, Wyden promised further investigation both of the cyberattack and broader questions surrounding the company.
“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” Wyden said. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack.”
UnitedHealth Group is Minnesota’s largest company by revenue and the fourth largest firm in the U.S. by the same measure. The company’s UnitedHealthcare division is the nation’s largest health insurer. It also owns a fast-growing health services division called Optum that employs or is affiliated with about 70,000 physicians.
The cyberattack has been a blow to the nation’s health care system because UnitedHealth Group — to contain the threat — had to shut…
Read the full article here
