by Tim Rowan, Editor Emeritus

You know the routine. Everyone does. You log into your bank, airline account, or health insurance web portal, enter the correct password, and are directed to look on your smartphone UnitedHealth Grilled MFAfor a code to enter to fully authorize your login. The name for this is Multi-Factor Authentication, or MFA. Lack of MFA procedures leaves your company at risk, which UnitedHealth discovered when it was grilled by Congress about the cyberattack on Change Healthcare.

United Health Grilled by Congress

In his testimony to the House Energy and Commerce Committee Wednesday, UnitedHealth Group CEO Andrew Witty blamed the absence of MFA as the weak link that allowed a ransomware attack to cripple subsidiary Change Healthcare in February. The breach had ripple effects throughout healthcare, given Change’s role as fiscal intermediary for thousands of providers. Healthcare systems on every level were unable to file claims and receive payments.

Asked by the committee why Change Healthcare, which United acquired in late 2022, did not have MFA in place, Witty testified, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. But for some reason, which we continue to investigate, this particular server did not have MFA on it.”

CBS News reported that Change Healthcare processes 15 billion transactions a year. “The scale of the attack,” their report stated, “meant that even patients who weren’t customers of UnitedHealth were potentially affected. Personal information that could cover a ‘substantial portion of people in America’ may have been taken in the attack.” The breach has already cost UnitedHealth Group nearly $900 million, plus the $22 million ransom Witty decided to pay to the hackers.

The Russia-based ransomware gang, ALPHV, or “BlackCat,” claimed responsibility for the attack, bragging that it stole more than six terabytes of data, including “sensitive” medical records. The attack triggered a disruption of payment and claims processing around the country.

We followed up our initial report on the attack with CMS guidance on March 20, 2024 and an update on April 11, 2024, with reports that Change Healthcare was being blackmailed again by another ransomware gang, RansomHub, who claimed to have 4TB of data from Change Healthcare and demanded another ransom payment.

Walmart & Optum, UnitedHealth Trouble Spots?

UnitedHealth Group is also in headline news this week for two other reasons. The company’s Optum division, which owns home care giant CenterWell,UnitedHealth Grilled Optumformerly Kindred at Home, and which is awaiting government approval for its bid to acquire Amedisys, has quietly been executing a reduction in force. Reports are that the bulk of the layoffs are hitting “Optum Virtual Care,” the name given to naviHealth following its $1 billion acquisition in 2020. Following a surge in demand during the pandemic, the company is apparently abandoning telehealth services.

A planned 10-year collaboration between UnitedHealth and Walmart to provide virtual healthcare services ended Tuesday after only one year. On April 30, the retail giant announced that it will close its 51 health centers across five states due to the “challenging reimbursement environment” and rising operating costs, which have resulted in a lack of profitability. Like Optum Virtual Care, the centers were providing virtual services via telehealth.

A sign of the post-pandemic times? Perhaps. We will keep watching.


Tim Rowan, Editor EmeritusTim Rowan is a 30-year home care technology consultant who co-founded and served as Editor and principal writer of this publication for 25 years. He continues to occasionally contribute news and analysis articles under The Rowan Report’s new ownership. He also continues to work part-time as a Home Care recruiting and retention consultant. More information:

  ©2024 by The Rowan Report, Peoria, AZ. All rights reserved. This article originally appeared in Healthcare at Home: The Rowan One copy may be printed for personal use: further reproduction by permission only.