The CEO of UnitedHealth estimates that a 3rd of Americans may very well be affected by the Change Healthcare cyberattack

UnitedHealth Group CEO Andrew Witty told lawmakers Wednesday that an estimated one-third of Americans' data could have been compromised within the cyberattack on its Change Healthcare subsidiary and that the corporate paid a $22 million ransom to hackers.

Witty testified before the Subcommittee on Oversight and Investigations, which is under the House Energy and Commerce Committee. He said the investigation into the breach was still ongoing, so the precise number of individuals affected was not yet known. The figure of 1 third is a rough estimate.

UnitedHealth has previously said the cyberattack likely affected a “significant portion of the people of America,” in line with one April release. The company confirmed that the breach compromised files containing protected health information and private data.

It will likely be months before UnitedHealth is in a position to notify individuals given the “complexity of data review,” the discharge said. The company offers free access to identity theft protection and credit monitoring to people concerned about their data.

Witty also testified before the Senate Finance Committee on Wednesday, confirming for the primary time that the corporate had paid a $22 million ransom to the hackers who hacked Change Healthcare. At the hearing before House Democrats later that afternoon, Witty said the payment was made in Bitcoin.

UnitedHealth announced that a cyber threat breached a part of Change Healthcare's information technology network in late February. The company shut down the affected systems when the threat was identified, and the disruption has had far-reaching consequences across the U.S. healthcare sector.

Witty told the subcommittee in his written testimony that the cyberattackers used “compromised credentials” to infiltrate Change Healthcare's systems on Feb. 12 and nine days later deployed ransomware that encrypted the network.

The portal that the attackers originally accessed was not protected by multifactor authentication (MFA), which requires users to confirm their identity in at the least two alternative ways.

Witty told each committees Wednesday that UnitedHealth now has MFA in all external systems.

Don't miss these exclusives from CNBC PRO

image credit :