A hugely disruptive cyberattack in February exposed clear technology flaws at a UnitedHealth Group subsidiary, lawmakers said Wednesday, and raised difficult questions about whether the Minnetonka-based health care giant has just gotten too big.

Andrew Witty, the UnitedHealth chief exeutive, offered an apology during testimony before the Senate Finance Committee as he disclosed that a hacked server at the company's Change Healthcare unit lacked multifactor authentication protections.

This was a significant failure to comply with "cybersecurity 101," said committee chair Sen. Ron Wyden, a Democrat from Oregon.

Sen. John Barrasso, a Republican from Wyoming, said he was "just not sure why you haven't had this in place yet."

Witty said he was "disappointed and frustrated" by the flaw, as well, explaining that UnitedHealth was in the process of upgrading security and systems after acquiring Change Healthcare in October 2022. While the CEO said the company's massive size and scope has enabled a speedy response to the incident, Wyden promised further investigation both of the cyberattack and broader questions surrounding the company.

"The Change hack is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up larger and larger shares of the health care system," Wyden said. "It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack."

UnitedHealth Group is Minnesota's largest company by revenue and the fourth largest firm in the U.S. by the same measure. The company's UnitedHealthcare division is the nation's largest health insurer. It also owns a fast-growing health services division called Optum that employs or is affiliated with about 70,000 physicians.

The cyberattack has been a blow to the nation's health care system because UnitedHealth Group — to contain the threat — had to shut down Change Healthcare systems used widely to process payment claims for U.S. health care providers. Those systems are now getting back to normal, Witty said, but senators grilled the CEO for not yet being able to specify how many and which patients have had their data compromised.

A substantial proportion of Americans may have been impacted, the company says, and Witty said it will take more time to understand exactly who was impacted, including members of the U.S. armed forces. UnitedHealth last week offered credit monitoring and identity theft protection for two years, but this amounts to "cold comfort," Wyden said.

"This corporation is a health care leviathan," he said. "I believe the bigger the company, the bigger the responsibility to protect its systems from hackers. ... Americans are still in the dark about how much of their sensitive information was stolen."

...continued

©2024 StarTribune. Visit at startribune.com. Distributed by Tribune Content Agency, LLC.