No evidence suggests patients' medical histories and personal data were accessed during a February ransomware attack, UnitedHealth Group CEO Andrew Witty told the Senate Finance Committee Wednesday.

Sen. Ron Wyden, D-Ore., chairs and led the committee hearing regarding the potential severity of the ransomware attack on Change Healthcare, which is a subsidiary of Minnesota-based UnitedHealth Group.

Wyden said UnitedHealth Group generated $324 billion in revenue in 2023, which makes it the nation's fifth-largest company.

He said UnitedHealth Group "touches 152 million individuals" across all of its business lines, including insurance, medical practices, home healthcare and pharmacy services.

Wyden said UnitedHealth Group has purchased dozens of other healthcare companies and is the nation's largest buyer of physician practices.

"This corporation is a healthcare leviathan," he said. "The bigger the company, the bigger the responsibility to protect its systems from hackers."

The FBI says the nation's healthcare industry is the top target for ransomware, and Change Healthcare annually processes about 15 billion healthcare transactions, Witty said.

Those records account for about a third of the nation's patient records and include information of people's "sensitive diagnoses,treatments and medical histories that reveal everything from abortions to mental health disorders," Wyden said.

Data on many military personnel are among those records, which Wyden said is a "clear national security threat."

Witty addressed the committee and its concerns regarding the potential breach of individuals' personal and private medical health data.

"Our response to this attack has been grounded in three principles," Witty told the committee, "to secure the systems, to ensure patient access to care and medication, and to assist providers with their financial needs."

Witty said cyber experts continue to investigate the attack that occurred on Feb. 21 when cyber criminals breached a Change Healthcare portal, removed data and deployed ransomware.

He said the portal wasn't protected by multi-factor authentication.

"To contain infection, we immediately severed connectivity and secured the perimeter of the attack to prevent malware from spreading," Witty said. "It worked. There is no evidence of spread beyond Change Healthcare."

He said corporate officials then contacted the FBI and continue to share information with federal investigators to help bring the perpetrators to justice.

"My overarching priority has been to do everything possible to protect people's personal health information," Witty told the committee, adding that the decision to pay a ransom was his.

Witty said nothing indicates anyone's doctors charts or personal medical histories were accessed during the ransomware attack, but the investigation will continue for several months.

Identifying and notifying people whose health and personal information was accessed during the cyberattack won't be possible until the investigation is completed, he said, because the files containing that information were compromised in the attack.

Witty told the committee UnitedHealth Group is current on all payment processing, has waived payment deadlines and is willing to compensate those negatively impacted by the ransomware attack as needed.

Witty said UnitedHealth Group is providing concerned customers with free credit monitoring and identity theft protection for two years and support services.

Concerned individuals also can visit ChangeCyberSupport.com to learn more about the available services.

They also can call 866-262-5342 to sign up for the free credit monitoring and identity theft protections.

UnitedHealth Group officials in April announced the health insurance and services provider paid an undisclosed ransom to protect patients' data following a ransomware attack on its Change Healthcare technology company.

UnitedHealth Group officials in February identified the BlackCat ransomware gang as the one that committed the cyberattack.

Federal law enforcement opened an investigation into the matter in March.

TWIW gallery

Copyright 2024 United Press International, Inc. (UPI). Any reproduction, republication, redistribution and/or modification of any UPI content is expressly prohibited without UPI's prior written consent., source US Top News