Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it’s still unclear how many Americans were impacted by the cyberattack.
Last month, Andrew Witty, the CEO of Change Healthcare’s parent company UnitedHealth Group, said that the stolen files include the personal health information of “a substantial proportion of people in America.”
On Wednesday, during a House hearing, when Witty was pushed to give a more definitive answer, testifying that the breach impacted “I think, maybe a third [of Americans] or somewhere of that level.”
Do you have more information about the Change Healthcare ransomware attack? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Witty said he was reluctant to give a more precise answer because the company is still investigating the breach and trying to figure out exactly how many people were affected.
UnitedHealth’s spokesperson Anthony Marusic did not immediately respond to a request for comment on Witty’s estimate.
During a hearing in the Senate earlier on Wednesday, Witty said that it will likely take “several months,” before the company can begin notifying victims of the data breach.
In a written statement filed by Witty ahead of the two hearings, the CEO wrote that “so far, we have not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”
According to Witty’s testimony, the hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal,” which was not protected by multi-factor authentication, a basic cybersecurity measure that adds an extra step to log into accounts and systems.
Had that portal had multi-factor authentication enabled, the breach may not have happened. Several Senators grilled Witty on that failure, asking him whether UnitedHealth and Change Healthcare systems are now protected with multi-factor authentication.
During the Senate hearing, Witty said: “We have an enforced policy across the organization to have multi factor authentication on all of our external systems, which is in place.”