Analysis: Change Healthcare Attack Shows What Happens When Cybersecurity Is Ignored In M&A

As UnitedHealth’s CEO gets grilled by a U.S. Senate committee, the folly of acquiring a company with outdated cybersecurity practices is on display.

Among the many lessons from the Change Healthcare cyberattack, one that’s come into clearer focus this week goes something like this: Companies that ignore cybersecurity as part of an M&A process do so very much at their own peril.

And everyone else’s peril, too.

That’s one of my big takeaways, at least, from the hours-long grilling of UnitedHealth Group CEO Andrew Witty by a U.S. Senate committee Wednesday. The February ransomware attack against UnitedHealth-owned prescription processor Change Healthcare caused massive disruption in the U.S. health care system and likely compromised the data of millions of Americans.

During the hearing, I lost count of the number of times that Witty placed the blame on Change Healthcare’s apparently shoddy cybersecurity practices — repeatedly saying that the company had “only recently” come under the umbrella of UnitedHealth and was “in the process of being upgraded” to the insurer’s (allegedly) higher standards for security.

[Related: UnitedHealth: Compromised Citrix Credentials Behind Change Healthcare Hack]

The focal point, of course, was the lack of multifactor authentication on a Change Healthcare server that, according to UnitedHealth, is what enabled the attack to succeed. MFA has been considered a basic security measure for many years now, and U.S. Sen. Ron Wyden, a Democrat who chairs the Senate Finance Committee, rightly drew attention to this misstep a number of times during the hearing. For instance, during this exchange:

Wyden: “We still need to know whether you knew that you didn't have MFA [on this server]. Did you know that?”

Witty: “Absolutely not.”

Wyden: “Why not?”

Witty: “As the company had only recently, relatively recently, come into the group, it was in the process of being upgraded.”

Wyden: “But why wasn't it the first thing you would do?”

Witty: “My understanding is that when Change came into the organization, there was [an] extensive amount of modernization required and unfortunately, and very frustratingly, this server had not had MFA deployed on it prior to the attack.”

Wyden isn’t wrong to frame the issue this way. A major healthcare platform that holds sensitive patient data and doesn’t have MFA on every server in 2024 is, indeed, pretty pathetic. And that’s not even considering the fact that UnitedHealth unit Optum had more than a year to bring Change Healthcare up to snuff, having completed its acquisition of the company back in October 2022.

But I’d go even further: If Change Healthcare’s security practices were so lackluster — requiring “extensive” upgrades, to use Witty’s phrase — why wasn’t that a red flag for UnitedHealth? Why did they go ahead with the acquisition in the first place, given the security risk?

These questions actually have pretty easy answers: cybersecurity has rarely, if ever, been a meaningful part of these types of business-level conversations. It really doesn’t sound like Change Healthcare’s security practices were reviewed in any serious way during the M&A process — or if they were, the dollar signs in the UnitedHealth acquirers’ eyes blinded them to the risk, I guess?

As one senator after another pointed out Wednesday, UnitedHealth — and maybe more importantly, a huge swath of health care providers and patients around the U.S. — have been paying the price for the insurer’s faulty risk calculus and slowness to move on security upgrades for Change Healthcare.

And so, for anyone following the Change Healthcare saga, the cybersecurity-related takeaways are both obvious (for the love of God, turn on MFA!) and not-so-obvious. On the latter, one big lesson is clearly that when it comes to M&A — both while reviewing potential deals and then integrating the acquired companies — security must now be a far bigger priority than it typically has been in the past.

If doing the right thing for their company and fellow citizens isn’t enough of an incentive, those who ignore security in M&A should also now be aware that they just might find themselves, a year or two later, getting a major earful from Ron Wyden and Elizabeth Warren.