Data Stolen in the Change Healthcare Attack Likely Included US Service Members

United Health Group CEO Andrew Witty testified before the Senate Finance Committee regarding the February ransomware attack on Change Healthcare, which significantly impacted the American healthcare industry. During his testimony, Witty disclosed that current and former U.S. military personnel are among those likely affected by the breach.

Witty committed to providing a detailed report on the number of military personnel affected and an assessment of their identities. However, he noted that United Health has not yet notified individuals whose data was compromised, exceeding the 60-day reporting window mandated by the Health Insurance Portability and Accountability Act (HIPAA). He explained that delays in accessing the original dataset have hindered this process.

The CEO also outlined how the attackers accessed Change Healthcare systems, highlighting a lack of multi-factor authentication as a key vulnerability. Since the attack, United Health Group has taken measures to bolster its cybersecurity, including adding Mandiant representation to its advisory board. The company is actively cooperating with the Centers for Medicare and Medicaid Services to prioritize recovery and maintain support for providers. Witty emphasized the ongoing partnership with the FBI as their primary law enforcement collaborator in addressing the incident.

The Daily Scoop Podcast is available every Monday-Friday afternoon.
If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts and Spotify.