UnitedHealth has confirmed that Change Healthcare’s network was breached by the BlackCat ransomware gang, who used stolen credentials to access the company’s Citrix remote access service without multi-factor authentication enabled. This information was disclosed in written testimony from UnitedHealth CEO Andrew Witty prior to a House Energy and Commerce subcommittee hearing.
The ransomware attack on Change Healthcare occurred at the end of February 2024, resulting in significant disruptions to Optum’s Change Healthcare platform. This disruption impacted critical services such as payment processing, prescription writing, and insurance claims, causing an estimated financial loss of $872 million.
The BlackCat ransomware gang claimed to have received a ransom payment of $22 million from UnitedHealth, but the funds were stolen in an exit scam. Subsequently, the affiliate that carried out the attack threatened to leak the stolen data and demanded additional extortion payments.
UnitedHealth later admitted to paying a ransom to protect data after the compromise, but did not disclose details of the attack or the perpetrators. RansomHub, the platform used by the attackers, removed the Change Healthcare entry after an additional ransom was paid.
CEO Andrew Witty confirmed that the ransomware was deployed on February 21, after the threat actors had spent nearly ten days inside the network stealing data before encrypting systems. The attackers first gained access to Change Healthcare’s Citrix portal on February 12 using stolen employee credentials, although how those credentials were obtained is still unknown.
Witty described the decision to pay the ransom as one of the most difficult choices he has made as CEO, emphasizing the impact it had on the organization and its employees. Following the attack, remediation efforts included replacing thousands of laptops, rotating credentials, and rebuilding core services within a few weeks.
While leaked data samples contained protected health and personally identifiable information, there is no evidence of complete medical records or histories being compromised. Services are slowly returning to normal levels, with pharmacy networks operating slightly below normal and medical claims flowing at near-normal rates.
An update revealed that on February 8, Hudson Rock detected a Change Healthcare employee’s Citrix credentials that had been stolen by malware. The stolen credentials were associated with the remote application URL and are believed to be linked to the ransomware attack on Change Healthcare.
In conclusion, the ransomware attack on Change Healthcare by the BlackCat gang highlighted vulnerabilities in remote access security and reiterated the importance of implementing multi-factor authentication. The impact of the attack on critical healthcare services and the millions of dollars in financial losses underscore the need for robust cybersecurity measures in the healthcare industry. The response and remediation efforts by UnitedHealth demonstrated the challenges faced during a cyberattack and the importance of swift and decisive action to protect data and systems.
Article Source
https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/