Change Healthcare went without cyber insurance before the crippling ransomware attack

Congressional hearings have revealed that UnitedHealth had no cyber insurance coverage before a devastating ransomware attack on its subsidiary Change Healthcare.

During questioning before the U.S. House Energy and Commerce Committee last week, UnitedHealth Group CEO Andrew Witty described the healthcare giant as “self-insured,” confirming that insurance did not cover the $22 million ransomware payment it made to cybercriminals.

When asked whether any portion of UnitedHealth was covered by cyber insurance, a UnitedHealth representative referred CSOonline to Witty’s answer about self-insurance and added (referring to Witty’s recent statement) that UnitedHealth spends approximately $300 million per year on cybersecurity.

Anatomy of an attack

The ransomware gang known as ALPHV or BlackCat hit Change Healthcare with a ransomware attack on February 21. Technicians took Change Healthcare systems offline to contain the attack, rendering the nation’s largest healthcare payment system unavailable.

As a result of the attack, clinics, hospitals and pharmacies were unable to properly bill, manage and issue prescriptions and medical treatments. The resulting disruption has created a backlog of healthcare claims and payments, placing a tremendous financial burden on medical practices and patients.

UnitedHealth Group has provided more than $6.5 billion in accelerated payments and interest- and fee-free loans to thousands of providers.

In response to the attack, Change Healthcare’s technology infrastructure was rebuilt from the ground up. Change Healthcare’s data center network and core services have been rebuilt with additional server capacity and increased reliance on the cloud.

Questions about insurance reimbursements and the extent of the breach, which also exposed the personal and medical information of an estimated one in three U.S. residents, were the focus of two hearings with Witty last Wednesday before the House Finance and Energy and Commerce Committees.

The vulnerable portal lacked MFA

During the hearings, Witty explained how on February 12, nine days before the ransomware attack, cybercriminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application that enables remote access to desktops.

“The portal did not have multi-factor authentication,” Witty admitted.

After gaining access to Change Healthcare’s systems, the cybercriminals moved laterally within the systems to expand the scope of the breach before exfiltrating data.

UnitedHealth Group completed its acquisition of Change Healthcare in October 2022. The healthcare company inherited an aging technology infrastructure with vulnerabilities that are all too obvious in hindsight.

Multi-factor authentication on external services was already UnitedHealth’s policy before the attack – but that policy had at least one gaping hole.

Without cyber insurance, UnitedHealth will bear the full cost of the attack; with insurance, not only the costs but perhaps also the attack itself could have been avoided.

According to industry experts, cyber insurance is not a panacea, but purchasing a security policy can help companies achieve greater cyber security maturity.

Demonstrating good cyber hygiene

The cost and scope of such insurance policies take into account the security infrastructure and processes that companies have in place. Insurance companies typically check whether a potential customer is following industry best practices in their environment.

“MFA is an established best practice that companies can and should follow in their applications. So insurance providers should pay attention,” said Matt Middleton-Leal, Managing Director EMEA at Qualys.

Middleton-Leal added: “This may not be possible for every application or system. Therefore, for applications that do not support MFA, the security team should use other account security remediation methods. However, it would be something one would (normally) expect on site.”

According to Netwrix’s 2024 Annual Security Report, 75% of insured organizations were required to have MFA in 2024, up from 63% in 2023. MFA, patch management and regular cybersecurity training for business users are the three measures most commonly required by insurers.

According to Kelly Indah, security analyst at Increditools, other common requirements include the availability of disaster recovery and business continuity plans. “Insurers want to see documented logs of how a company responds, minimizes downtime, and recovers in the event of a hacker attack.”

In addition, security awareness training is extremely important. “People remain the biggest vulnerability, so insurers are looking for evidence that employees are regularly educated about cyber threats such as phishing and social engineering,” Indah added.


When deciding on cyber insurance, a company’s risk tolerance is crucial. In UnitedHealth’s case, the company suffered financial and reputational damage by not having insurance for its Change Healthcare division, said Michael Adjei, director of systems engineering, EMEA, at security provider Illumio.

“It is important that companies view cyber insurance not as a way to transfer risk, but rather as an additional layer in case something unexpected happens,” Adjei said. “In reality, companies must purchase cyber insurance at least six months in advance and demonstrate that they meet the requirements, similar to how we provide financial information before taking out a mortgage.”