The committee emphasised that MFA must be a elementary expectation for an entity like Change Healthcare, given the huge quantity of delicate knowledge it handles.
Witty defined that Change Healthcare, which merged into UnitedHealth in direction of the top of 2022, utilized older applied sciences that the corporate had been updating since its acquisition.
Nevertheless, the timing proved vital because the ransomware assault compromised each the first and backup programs, rendering the backups inoperable and exacerbating the affect of the breach.
The committee additionally highlighted a joint cybersecurity alert issued in December 2023 by the FBI, HHS, and the Cybersecurity Infrastructure Safety Company. This alert detailed the techniques of a complicated Russian hacker group often known as Alpha 5 or Black Cat that targets vital infrastructure.
In response, Witty acknowledged {that a} server inside Change Healthcare lacked the protecting measures outlined within the alert, and he confirmed that an investigation into this oversight is underway.
The committee additional expressed issues concerning the potential nationwide security implications if the private data of federal staff had been compromised within the breach. They emphasised the significance of UnitedHealth notifying them promptly if such a breach occurred, underscoring the gravity of the scenario.
