The breach, which occurred earlier this year, caused significant disruptions to healthcare providers nationwide.

Witty described the decision to pay the ransom as one of the most challenging he has ever faced. Last month, UnitedHealth acknowledged that a ransom had been paid to the hackers who breached the Change Healthcare system, a subsidiary owned by UnitedHealth. However, the specific amount had not been disclosed until now.

The cyberattack on Change Healthcare was attributed to BlackCat, also known as ALPHV, the same entity responsible for the MGM casino hack in Las Vegas. BlackCat reportedly claimed to have obtained over six terabytes of "sensitive" medical records during the breach.

During the hearing, Witty revealed that criminals used compromised credentials to gain remote access to the Change Healthcare Citrix portal, an application that lacked multifactor authentication. Senator Ron Wyden (D-OR), chair of the committee, criticized UnitedHealth for not implementing basic cybersecurity measures, stating that "this hack could've been stopped with cybersecurity 101."

The impact of the hack was extensive, with UnitedHealth shutting down the Change Healthcare system for a week following its discovery. This disruption resulted in delayed payments to hospitals, clinics, and pharmacies nationwide. While Witty mentioned that the system is now largely back to normal, some senators raised concerns about healthcare providers still waiting on their overdue payments. Wyden highlighted instances where providers were informed that they would have to wait until June to receive payment for claims filed in February.

According to a March letter from the American Hospital Association to the Department of Health and Human Services, UnitedHealth manages more than one-third of all patient records in the United States and oversees one in ten doctors across the country. During his opening remarks, Wyden referred to UnitedHealth as a "healthcare leviathan" and described the cyberattack as a "dire warning" about the risks posed by large corporations.

To prevent future breaches, Witty confirmed that UnitedHealth will now require companywide implementation of multifactor authentication. While this move is welcomed, Wyden emphasized that such measures should not have required the worst cyberattack in the healthcare sector for action to be taken.

The incident serves as a stark reminder of the critical need for robust cybersecurity measures in the healthcare industry, where sensitive patient data is at risk. As investigations continue into the breach, authorities are working to strengthen cybersecurity frameworks to prevent similar incidents from occurring in the future.