Data stolen in Change Healthcare attack likely included U.S. service members, executive says | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/change-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Data stolen in Change Healthcare attack likely included U.S. service members, executive says\"> <meta property=\"og:description\" content=\"UnitedHealth Group CEO Andrew Witty tells Senate committee that Change Healthcare didn\u2019t have MFA enabled on the server that was attacked in February, resulting in a $22 million ransom payment.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/change-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-05-01T18:11:26+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1713212360g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1712858261g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80311\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80311\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchange-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchange-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80311 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/change-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.795131845842\">\n<div class=\"single-article__header-content\" readability=\"31.7125382263\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> UnitedHealth Group CEO Andrew Witty tells Senate committee that Change Healthcare didn\u2019t have MFA enabled on the server that was attacked in February, resulting in a $22 million ransom payment. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, D.C. (Photo by Kent Nishimura\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"60.901320132013\"><body readability=\"122.44621513944\"><\/p>\n<p>After warning that a <a href=\"https:\/\/cyberscoop.com\/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans\/\">substantial portion<\/a> of Americans\u2019 data was compromised by a February ransomware attack on Change Healthcare, Andrew Witty, CEO of UnitedHealth Group, told lawmakers Wednesday that current and former U.S. military personnel are among those who were likely impacted. <\/p>\n<p>During an occasionally withering Senate Finance Committee <a href=\"https:\/\/www.finance.senate.gov\/hearings\/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next\">hearing<\/a>, Chair Ron Wyden, D-Ore., pressed Witty on whether UnitedHealth leadership had determined that the Change Healthcare hackers accessed the data of federal employees, referencing national security concerns presented by the 2015 <a href=\"https:\/\/cyberscoop.com\/2015-breach-opm-overpaid-identify-theft-protections-report-finds\/\">Office of Personnel Management data breach<\/a> that exposed the personal information of more than 20 million U.S. government workers. <\/p>\n<p>\u201cWe do believe there will be members of the armed forces and \u2026 veterans\u201d whose data was stolen, Witty said, adding that he would make it a \u201ctop priority\u201d to deliver on Wyden\u2019s demand for an accounting, in writing, of the number of military personnel affected and UnitedHealth\u2019s \u201cbest assessment of who they are.\u201d<\/p>\n<p>Witty testified that UnitedHealth hasn\u2019t yet notified individuals whose data was stolen, going beyond the <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/breach-notification\/index.html\">60-day reporting window<\/a> required by the Health Insurance Portability and Accountability Act. The CEO said the company is working with U.S. regulators on \u201chow best to do that,\u201d but faced delays in accessing Change\u2019s original dataset.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Sen. Maggie Hassan, D-N.H., said UnitedHealth needs to \u201cat least send preliminary notifications to individuals so that they can take protective actions like monitoring their bank accounts, changing passwords and enrolling in the credit monitoring system that United Healthcare set up\u201d with Equifax.<\/p>\n<p>Wyden and other committee members, meanwhile, railed against Witty over the revelation that the Change Healthcare server <a href=\"https:\/\/cyberscoop.com\/extortion-group-threatens-to-sell-change-healthcare-data\/\">breached by an affiliate of the ALPHV ransomware gang<\/a> did not employ multi-factor authentication, allowing the hackers to gain remote access to the payment processor\u2019s systems with a set of stolen credentials.<\/p>\n<p>Witty said all external systems across UnitedHealth Group have now enabled MFA, but Change Healthcare \u2014 which <a href=\"https:\/\/www.fiercehealthcare.com\/payers\/unitedhealth-closes-acquisition-change-healthcare\">UHG acquired in October 2022<\/a> \u2014 hadn\u2019t taken those precautions on this particular server as of February. <\/p>\n<p>\u201cMy understanding is that when Change came into the organization, there was [an] extensive amount of modernization required and, unfortunately, and very frustratingly, this server had not had MFA deployed on it prior to the attack,\u201d said Witty, who confirmed that he signed off on the <a href=\"https:\/\/cyberscoop.com\/alphv-steps-up-laundering-of-change-healthcare-ransom-payments\/\">$22 million ransom payment<\/a> made to the hacking group.<\/p>\n<p>In response to questioning from Sen. Thom Tillis, Witty said he was not aware of any internal or external audits of systems controls that identified non-MFA compliance as a security risk. The North Carolina Republican also prodded Witty on why redundancy protocols \u2014 keeping data in multiple places within a storage system \u2014 weren\u2019t employed, preventing a simpler process to restart systems.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Witty said Change was \u201cin the process\u201d of upgrading its systems when the hackers hit. \u201cThe attack itself implicated both the prime and the backup environments,\u201d he added. \u201cThat was partly due to the age of the technology and the fact that large amounts were not in the cloud. <\/p>\n<p>\u201cWith the elements which were in the cloud, we were able to bring back almost immediately. The elements which were in the older data centers, and had within them multi-layers of historical legacy technologies, that was the challenge on restart,\u201d the CEO said.<\/p>\n<p>Without minimum cybersecurity standards from the Department of Health and Human Services, some lawmakers expressed concern over the possibility of more attacks on health care providers. Sen. Mark Warner, D-Va., said the health care industry should be subject to baseline standards, just as the finance and energy industries are, and asked Witty for his feelings on that with respect to both UnitedHealth Group and Change Healthcare.<\/p>\n<p>Witty said the company is \u201csupportive\u201d of moving \u201ctoward minimum standards,\u201d noting that the industry currently suffers from a lack of clarity and \u201ca mix of different oversight agencies\u201d putting out guidance. <\/p>\n<p>\u201cAs you think about smaller and medium-size organizations across health care, it\u2019s difficult oftentimes to navigate some of those things,\u201d he said. \u201cSo I do think \u2026 minimum standards do make sense. We\u2019d be very, very happy to engage in any lessons learned from this review.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Beyond any future adoption of minimum standards, Witty said UnitedHealth Group has worked to strengthen the company\u2019s cybersecurity bona fides by adding Mandiant representation to its advisory board. The company also has \u201cdaily engagement\u201d with the Centers for Medicare & Medicaid Services to \u201csupport providers and to prioritize recovery of the system,\u201d Witty said, adding that the FBI continues to be its \u201cprime\u201d law enforcement partner.<\/p>\n<p>Wyden closed the hearing with additional calls for MFA and redundancy, telling Witty that UnitedHealth \u201clet the country down\u201d with Change\u2019s failures to implement both security practices. Going forward, the health care giant will need to be \u201cmuch more active and much more forthcoming\u201d on cyber issues, he added. <\/p>\n<p>\u201cWe don\u2019t even know what data was stolen. And I\u2019m not convinced that we are going to find that out anytime soon. We may never find it out,\u201d Wyden said. \u201cSo there\u2019s a lot of heavy lifting to do.\u201d <\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.5344506517691\">\n<div class=\"author-card\" readability=\"15\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says-1.jpg?w=640&ssl=1\" alt=\"Matt Bracken\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Bracken<\/h4>\n<p> Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/change-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Data stolen in Change Healthcare attack likely included U.S. service<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[950,1603,282,46,1604],"tags":[955,1605,286,54,1606],"class_list":["post-3350","post","type-post","status-publish","format-standard","hentry","category-alphv","category-change-healthcare","category-cybercrime","category-ransomware","category-unitedhealth-group","tag-alphv","tag-change-healthcare","tag-cybercrime","tag-ransomware","tag-unitedhealth-group"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/alphv\/\" rel=\"category tag\">ALPHV<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/change-healthcare\/\" rel=\"category tag\">Change Healthcare<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unitedhealth-group\/\" rel=\"category tag\">UnitedHealth Group<\/a>","tag_info":"UnitedHealth Group","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3350","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3350"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3350\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3350"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3350"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3350"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":3350,"date":"2024-05-01T13:11:26","date_gmt":"2024-05-01T18:11:26","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80311"},"modified":"2024-05-01T13:11:26","modified_gmt":"2024-05-01T18:11:26","slug":"data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/01\/data-stolen-in-change-healthcare-attack-likely-included-u-s-service-members-executive-says\/","title":{"rendered":"Data stolen in Change Healthcare attack likely included U.S. service members, executive says"},"content":{"rendered":"