The committee emphasized that MFA should be a fundamental expectation for an entity like Change Healthcare, given the vast amount of sensitive data it handles.

Witty explained that Change Healthcare, which merged into UnitedHealth towards the end of 2022, utilized older technologies that the company had been updating since its acquisition.

However, the timing proved critical as the ransomware attack compromised both the primary and backup systems, rendering the backups inoperable and exacerbating the impact of the breach.

The committee also highlighted a joint cybersecurity alert issued in December 2023 by the FBI, HHS, and the Cybersecurity Infrastructure Security Agency. This alert detailed the tactics of a sophisticated Russian hacker group known as Alpha 5 or Black Cat that targets critical infrastructure.

In response, Witty acknowledged that a server within Change Healthcare lacked the protective measures outlined in the alert, and he confirmed that an investigation into this oversight is underway.

The committee further expressed concerns about the potential national security implications if the personal records of federal employees were compromised in the breach. They emphasized the importance of UnitedHealth notifying them promptly if such a breach occurred, underscoring the gravity of the situation.