The ransomware group that hacked U.S. medical technology giant Change Healthcare used a set of stolen credentials that were not protected by multi-factor authentication, according to the CEO of parent company UnitedHealth. Accessed the company's systems remotely.
UnitedHealth CEO Andrew Whitty wrote ahead of Wednesday's House subcommittee hearing on the February ransomware attack that caused months of disruption across the U.S. health care system. I testified in
This is the first time a major health insurance company has assessed how hackers infiltrated Change Healthcare's systems and exfiltrated large amounts of medical data from those systems. UnitedHealth announced last week that hackers had stolen the health data of a “significant percentage of people in the United States.”
Change Healthcare processes health insurance and claims for approximately half of U.S. residents.
According to Witty's testimony, criminal hackers “used compromised credentials to remotely access the Change Healthcare Citrix portal.” Organizations like Change use Citrix software to give employees remote access to work computers on their internal networks.
Whitty did not elaborate on how the credentials were stolen. The Wall Street Journal first reported on hackers' use of compromised credentials last week.
However, Whitty said the portal “didn't have multi-factor authentication.” Multi-factor authentication is a basic security feature that prevents stolen passwords from being misused by requiring an employee to send her second code to a trusted device, such as a mobile phone. It's unclear why Change didn't set up multi-factor authentication on this system, but it will likely be a focus for investigators trying to understand potential flaws in the insurer's system.
“Once the threat actors gained access, they used more sophisticated methods to move laterally within the system and steal data,” Whitty said.
The hackers deployed the ransomware nine days later, on February 21, and the healthcare giant took down its network to stop the breach, Whitty said.
UnitedHealth acknowledged last week that the company paid a ransom to hackers who claimed responsibility for the cyberattack and subsequent theft of multiterabytes of data. This hacker, known as RansomHub, is his second gang to claim data theft after posting some of the stolen data on the dark web and demanding a ransom not to sell the information.
UnitedHealth announced earlier this month that ransomware attacks caused more than $870 million in losses in the first quarter, and the company generated nearly $100 billion in revenue.