UnitedHealth Lacked Cyber Insurance, Paid $22 Million Ransom

In testimony before the US House Energy and Commerce Committee, UnitedHealth Group CEO Andrew Witty confirmed that his company paid the $22 million ransomware payment to BlackCat after its attack on Change Healthcare, and was “self-insured,” indicating that UnitedHealth lacked cyber insurance.

CSO reports that when it asked UnitedHealth whether any part of the sprawling organization was covered by cyber insurance, a representative referred back to Witty’s answer at the hearing, and then added that UnitedHealth spends approximately $300 million per year on cybersecurity.

When UnitedHealth Group acquired Change Healthcare in October 2022, it had an aging technology infrastructure along with the business, a weakness that became obvious in the February breach. The personal information and medical data of about one in three US citizens was exposed.

In his testimony before Congress, CEO Witty explained that hackers used compromised credentials to remotely access a Change Healthcare Citrix portal used to enable remote access to desktops nine days before the actual attack. He admitted that the portal did not have multi-factor authentication. Having multi-factor authentication on externally facing services was UnitedHealth’s policy prior to the attack, but it wasn’t Change Healthcare’s policy.

UnitedHealth Group has since advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to providers. It has rebuilt its technology infrastructure, adding server capacity and Cloud reliance to its data center network and core services.

CSO notes that with insurance, the company might have avoided not only the cost of the ransom payment but the attack itself. Cyber insurers require their customers to demonstrate good cyber hygiene and will verify that they follow industry best practices.