The ransomware gang that hacked US health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that were not protected by multi-factor authentication (MFA), according to the CEO of parent company UnitedHealth Group (UHG).
UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing Wednesday on the February ransomware attack that disrupted the entire US health care system.
This is the first time the health insurance giant has given an assessment of how hackers breached Change Healthcare’s systems, from which massive amounts of health data were leaked. UnitedHealth said last week that hackers stole health data on “a significant percentage of people in America.”
Change Healthcare processes health insurance claims and billing for approximately half of US residents.
According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to allow employees to remotely access their work computers on their internal networks.
Witty did not specify how the credentials were stolen. The Wall Street Journal first reported last week that the hacker used compromised credentials.
But Witty said the portal “lacked multi-factor authentication,” a key security feature that prevents stolen passwords from being misused on their own by requiring a second factor, such as a code sent to an employee’s trusted device, like their phone. It’s not known why Change didn’t build multi-factor authentication into that system, but it will likely be a focus for investigators trying to understand potential flaws in the insurer’s systems.
“Once the threat actor gained access, they moved laterally into the systems in more sophisticated ways and exfiltrated data,” Witty said.
Witty said the hackers deployed ransomware nine days later, on February 21, prompting the healthcare giant to shut down its network to contain the breach.
UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of data. The hackers, known as RansomHub, are the second gang to claim the data theft, after posting some of the stolen data on the dark web and demanding a ransom not to sell the information.
UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, when the company had revenue close to $100 billion.