Change Healthcare cyberattack was due to a lack of multifactor authentication, UnitedHealth CEO says

abcnews.go.com:

The beginning of the Change Healthcare cyberattack happened when hackers entered a server that lacked multifactor authentication

The Change Healthcare cyberattack that disrupted health care systems nationwide earlier this year started when hackers entered a server that lacked a basic form of security: multifactor authentication.

UnitedHealth CEO Andrew Witty said Wednesday in a U.S. Senate hearing that his company, which owns Change Healthcare, is still trying to understand why the server did not have the additional protection.

His admission did not sit well with Senate Finance Committee members who spent more than two hours questioning the CEO about the attack and broader health care issues.

“This hack could have been stopped with cybersecurity 101,” Oregon Democratic Sen. Ron Wyden told Witty.

Multifactor authentication adds a second layer of security to password-protected accounts by having users enter an auto-generated code. It’s common on apps protecting sensitive data like bank accounts and meant to guard against hackers guessing passwords.

Change Healthcare provides technology used to submit and process billions of insurance claims a year. Hackers gained access in February and unleashed a ransomware attack that encrypted and froze large parts of the company’s system, Witty said.

He told a separate House Energy and Commerce committee hearing Wednesday that hackers used “compromised credentials” that may have included stolen passwords to enter Change’s system.

The attack triggered a disruption of payment and claims processing around the country, stressing doctor’s offices and health care systems by interfering with their ability to file claims and get paid.

UnitedHealth quickly disconnected the affected systems