- Ransomware hack paralyzed medical payments in February
- CEO says he doesn’t know why hacked server was unprotected
Lawmakers zeroed in on lax defenses during more than two hours of questioning by the Senate Finance Committee, in the first of two congressional hearings about the breach on Wednesday. The intruders got in through a server that didn’t have multifactor authentication — a basic cybersecurity measure used on consumer bank accounts — and got access to a hoard of health and personal data. Witty said the trove might cover one-third of Americans.
“We’re trying to dig through exactly why that server had not been protected,” Witty told lawmakers. “I’m as frustrated as anybody about that fact.”
Some lawmakers said the company had neglected basic safeguards and failed both to prevent the attack and recover from it, with backup systems that were also vulnerable. “This company flunked both,” said Senator
The largest US health insurer faced aggressive questions from some lawmakers over
The ransomware strike that wrecked systems at UnitedHealth’s Change Healthcare subsidiary will likely be the largest health-care data breach in the US to date, the company said. It’s also among the
Witty was the sole witness to appear in the hearings, which also included an afternoon session with a subcommittee of the
Senator
“Is the dominant role of United too dominant, because it’s into everything, and messing up United messes up everybody?” said Senator
Witty said Change Healthcare’s footprint was the same as it was before UnitedHealth acquired it in 2022. The company UnitedHealth bought for almost $8 billion ran on legacy technology, he said, with some systems 40 years old. “We’ve been working to improve those,” he said.
UnitedHealth’s shares closed almost unchanged Wednesday, a sign that Witty’s grilling in Washington had little impact for investors.
Lax Defense
Wyden said the committee is drafting legislation in response to the attack. He called again for standards for the industry, and said larger companies would have to meet tougher standards. “The bigger the company the more significant your responsibilities,” he said.
UnitedHealth faces constant attacks from intruders trying to crack digital defenses, with more than 450,000 attempts a year, according to Witty’s prepared testimony released ahead of the hearings. The exact nature of those attempts wasn’t immediately clear.
Despite the persistent threat, he said the intruders gained entry to Change Healthcare’s systems through a Citrix remote access portal that wasn’t protected by multifactor authentication, a common cyberdefense meant to thwart hackers by requiring more than a password to verify that a login is legitimate.
Once they broke into the system on Feb. 12, attackers claiming to be the notorious cybercrime group BlackCat pilfered data undetected for more than a week. They deployed ransomware nine days later. Witty said he was at a board meeting when he learned of the attack on Feb. 21.
Wyden questioned whether UnitedHealth knew how much personal data of its users was stolen. “You don’t have the logs to show what data walked out the door,” he said.
Witty estimated that the data breach could affect about one-third of all Americans — which would be more than 100 million people — though he said the number was uncertain. Facing a House panel in the afternoon, he said he couldn’t guarantee that hackers hadn’t copied the stolen data to distribute online.
The full extent of that breach will take months to assess, according to UnitedHealth, leaving Americans in the dark about what private medical data may have been exposed. The company has set up a site to offer credit monitoring and other help.
Witty said he decided to pay a ransom to protect patient data, “one of the hardest decisions I’ve ever had to make.” He confirmed that the payment was $22 million, a figure that has previously been reported based on an analysis of cryptocurrency payments.
He also said the attackers locked up the company’s backup systems, delaying how long it took to restore Change Healthcare’s services. UnitedHealth rebuilt much of the infrastructure from scratch on cloud-based systems, he said.
He told the committee that UnitedHealth’s response was “swift and forceful,” disconnecting Change’s systems from the rest of the health-care world. While that was “extremely disruptive,” he said it stopped the damage from spreading more widely.
The company said many systems are back online. It has advanced more than $6.5 billion in payments and interest-free loans to medical providers facing cash-flow interruptions.
Witty also said the company supports minimum security standards for health-care companies and improvements to the US’s cyber defenses, including standardized reporting of cybersecurity events.
(Updates with additional details about data breach and the closing share price, starting in second paragraph)
To contact the editors responsible for this story:
Anne Cronin, Andrew Martin
© 2025 Bloomberg L.P. All rights reserved. Used with permission.