
Senators grill UnitedHealth CEO on Change Healthcare cyberattack

United Health Group CEO Andrew Witty

UnitedHealth Group (UHG) CEO Andrew Witty was on the hot seat May 1 at the Senate Finance Committee. During a mostly cordial two-hour hearing on the Change Healthcare ransomware incident, Witty repeatedly told a bipartisan group of senators what has become a standard refrain from CEOs following a cyberattack: UHG will offer consumers two years of free credit and identity theft protection.

Senate Finance Committee Chairman Ron Wyden, D-Ore., responded to Witty’s repeated offerings of credit support with this barb: “Credit monitoring is the ‘thoughts and prayers’ of data breaches, this is absolutely inefficient.”

Pressed by senators when UHG would notify consumers if they were breached in the attack, Witty told the senators that the company would notify consumers “as fast as we can.” The UHG CEO said it took investigators nearly a month to identify what data was exfiltrated and that they were working closely with regulators on how to present the information correctly to consumers.

Sen. Maggie Hassan, D-N.H., pointed out to Witty that the ransomware attack happened on Feb. 21 and that UHG should have sent letters out to consumers by April 21 under requirements set out by the Health Insurance Portability and Accountability Act (HIPAA). Hassan said people need to know what’s going on in writing so they can monitor their bank accounts, change passwords, and take advantage of UHG’s no-interest loan program.

“It’s now May 1,” said Hassan. “Ten weeks is way too long for millions of Americans not to know that their records may be available to criminals on the dark web.”

In one of the hearing’s more tense moments, Wyden pressed Witty on whether he personally knew that the Citrix server that was hacked lacked multi-factor authentication (MFA). Here’s the exchange:

Wyden: You’ve been all over the map with respect to personal accountability. You have consistently downplayed your role in this. Your head of cybersecurity told us about this last week. We still need to know whether you knew the server didn’t have MFA.

Witty: On the server at Change?

Wyden: Yes.

Witty: Absolutely not.

Wyden: Why not?

Witty: As the company (Change Healthcare) had only recently come into the group it was in the process of being upgraded.

Wyden: Why wasn’t it the first thing you would do?

Witty: So, my understanding is that when Change came into the organization there was an extensive amount of modernization required and unfortunately – and very frustratingly – this server had not had MFA deployed on it prior to the attack.

Wyden: But you coming in would say, ‘we got to deal with this,’ I mean this is the first server, this is not an abstract issue.

Republican senators also pressed Witty on UHG’s response to the attack.

Sen. Thom Tillis, R-N.C., asked Witty whether UHG’s internal or external audit teams had identified the missing MFA as a major risk factor. Tillis wanted to know whether there was a record identifying it as an actionable matter and said that, if such a document exists, it would be important to enter it into the official congressional record.

Tillis, who has experience working in the IT sector, also pressed Witty on redundancy, saying that the cutover from the old system to the new system was not smooth and that information should have been included in an audit.

“When I was on the Senate Armed Services I always brought the book ‘Hacking for Dummies,’ when we had a cyberattack, it covers some basics that were missed,” said Tillis. “Shame on internal audit and external audit and your systems folks tasked with redundancy. They’re not doing their job. And as a result we have a data breach.”
