Change Healthcare hackers broke in using stolen credentials – and without an MFA, says UHG CEO

Image credits: Patrick Sison/AP

The ransomware gang that hacked US health tech giant Change Healthcare used a set of stolen credentials to remotely access company systems that were not protected by multi-factor authentication (MFA), according to the CEO of its parent company, UnitedHealth Group (UHG).

UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing Wednesday on the February ransomware attack that caused months of disruption to the U.S. health care system.

This is the first time the health insurer has provided an assessment of how the hackers broke into Change Healthcare and exfiltrated vast amounts of health data from its systems. UnitedHealth said last week that the hackers had stolen health data from a “substantial portion of the people in America.”

Change Healthcare processes health insurance and billing claims for approximately half of all US residents.

According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to give employees remote access to their work computers through their internal networks.

Witty did not elaborate on how the login details were stolen. The Wall Street Journal first reported the hackers’ use of compromised credentials last week.

However, Witty did say that the portal “did not have multi-factor authentication,” a basic security feature that prevents the misuse of stolen passwords by requiring a second code to be sent to an employee’s trusted device, such as their phone. It is unknown why Change had not set up multi-factor authentication on this system, but this will likely become a point of interest for researchers trying to understand potential flaws in the insurer’s systems.

“Once the threat actor gained access, they moved laterally within the systems and exfiltrated data in more sophisticated ways,” Witty said.

Witty said the hackers deployed ransomware nine days later, on Feb. 21, prompting the health giant to shut down its network to limit the breach.

UnitedHealth confirmed last week that the company has paid a ransom to the hackers who claimed responsibility for the cyberattack and subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to claim data theft after posting some of the stolen data on the dark web and demanding ransoms not to sell the information.

UnitedHealth said earlier this month that the ransomware attack cost the company more than $870 million in the first quarter, during which the company earned nearly $100 billion in revenue.
