During a Senate hearing, UnitedHealth Group CEO Andrew Witty announced that the company has implemented multi-factor authentication on all internet-exposed systems in light of the cyberattack on its subsidiary Change Healthcare.

The ransomware attack on Change Healthcare earlier this year affected pharmacies, hospitals, and doctors' offices in the United States due to the absence of multi-factor authentication. Multi-factor authentication, also known as MFA, is a fundamental cybersecurity measure that adds an extra layer of security by requiring a second code in addition to a password to access accounts or systems, thus preventing hackers from gaining unauthorized access.

In a written statement provided before two congressional hearings on Tuesday, Witty disclosed that hackers were able to gain unauthorized access to a Change Healthcare server using stolen login credentials. This server did not have multi-factor authentication in place. Once inside the server, the hackers were able to infiltrate other systems within the company to steal data, which they later encrypted with ransomware, according to Witty's statement.

During the first hearing, Witty was questioned by members of the Finance Committee about the cyberattack. When asked by Sen. Ron Wyden, Witty confirmed that all external-facing systems at UHG now have multi-factor authentication in place.

"We were in the middle of updating the technology we had obtained. Unfortunately, there was a server that did not have Multi-Factor Authentication (MFA) in place," Witty explained. "This was the server that allowed cybercriminals to access Change and launch a ransomware attack, which locked down and rendered large portions of the system unusable."

UnitedHealth has not yet informed individuals affected by the cyberattack, according to Witty's testimony. He stated that the company is still in the process of assessing the full scope of the breach and the specific information that was compromised. Currently, UnitedHealth has disclosed that hackers have accessed personal and health data belonging to a significant number of individuals in the United States.

In the previous month, UnitedHealth reported that it had given $22 million to the hackers who accessed the company's systems. Witty verified this payment during the Senate hearing.