The committee emphasised that MFA needs to be a basic expectation for an entity like Change Healthcare, given the huge quantity of delicate knowledge it handles.
Witty defined that Change Healthcare, which merged into UnitedHealth in direction of the top of 2022, utilized older applied sciences that the corporate had been updating since its acquisition.
Nevertheless, the timing proved crucial because the ransomware assault compromised each the first and backup techniques, rendering the backups inoperable and exacerbating the impression of the breach.
The committee additionally highlighted a joint cybersecurity alert issued in December 2023 by the FBI, HHS, and the Cybersecurity Infrastructure Safety Company. This alert detailed the techniques of a classy Russian hacker group referred to as Alpha 5 or Black Cat that targets crucial infrastructure.
In response, Witty acknowledged {that a} server inside Change Healthcare lacked the protecting measures outlined within the alert, and he confirmed that an investigation into this oversight is underway.
The committee additional expressed considerations in regards to the potential nationwide safety implications if the non-public information of federal staff had been compromised within the breach. They emphasised the significance of UnitedHealth notifying them promptly if such a breach occurred, underscoring the gravity of the scenario.
