<- Back to Insights
May 8, 2024
Change Healthcare lacked safeguards even as it gave security advice
Roll Call
|
Contributed by: Drex DeFord
Summary
UnitedHealth Group Inc.'s acquisition of Change Healthcare Inc. has been marred by a significant cybersecurity breach that occurred due to a lack of multi-factor authentication on one of Change's web portals, contradicting the cybersecurity measures the company publicly advocated. Despite UnitedHealth's company-wide requirement for such protections, this oversight allowed hackers from the BlackCat/ALPHV group to infiltrate Change Healthcare's systems in February, leading to the exfiltration of data and a subsequent ransomware attack that disrupted the payment processes to healthcare providers. UnitedHealth CEO Andrew Witty disclosed to the Senate Finance Committee the payment of $22 million in ransom to restore services, amidst criticism that basic cybersecurity practices could have prevented the breach. The incident has highlighted the challenges of enforcing cybersecurity discipline within large organizations and has drawn attention to the need for improved security standards across the health care industry.
Explore Related Topics