The recent ransomware attack on US healthcare technology company Change Healthcare was made possible by stolen credentials used to gain remote access to a company system that lacked multi-factor authentication (MFA). This revelation came from UnitedHealth Group (UHG) CEO Andrew Witty, who provided written testimony ahead of a House subcommittee hearing on the cyberattack that occurred in February. The attack caused significant disruptions across the US healthcare system and led to the leak of a substantial amount of health data from Change Healthcare’s systems.
According to Witty’s testimony, the hackers used compromised credentials to access a Change Healthcare Citrix portal, a tool used to provide remote access to work computers on internal networks. Because the portal did not require multi-factor authentication, the threat actors were able to move laterally through the systems and exfiltrate data. It remains unclear how the credentials were initially stolen, but the Wall Street Journal had earlier reported on the hackers’ use of compromised credentials in the attack.
The ransomware was deployed nine days after the initial breach, leading UnitedHealth Group to shut down its network to prevent further unauthorized access. RansomHub, the group responsible for the cyberattack, demanded a ransom after posting a portion of the stolen data on the dark web. UnitedHealth Group ultimately paid the ransom, and the attack cost the company over $870 million in the first quarter of the year.
Change Healthcare processes billing and health insurance claims for a significant portion of the US population, making it a prime target for cybercriminals seeking to exploit sensitive data. The lack of multi-factor authentication on a critical remote-access system is a security gap that may have contributed to the success of the attack. Investigations into how and why this control was not in place are likely to follow as authorities seek to understand potential weaknesses in the insurer’s infrastructure.
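The control the testimony describes as missing is easy to state and easy to audit: every successful login to a remote-access portal should carry an MFA factor. The following is an added example, not code from the article, from UnitedHealth Group, or from Citrix, showing how a defender can run such an audit over authentication logs. The CSV log format, field names (`portal`, `result`, `mfa`) and the sample records are constructed assumptions for illustration.

```python
"""Audit remote-access portal logins for successful authentications without MFA.

Added illustrative example. The log format and the sample rows below are
constructed assumptions, not the output of any real product.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample authentication log (assumed CSV layout).
# 'mfa' holds the second factor used, or 'none' if the login was password-only.
SAMPLE_LOG = """timestamp,user,source_ip,portal,result,mfa
2024-02-12T08:01:10Z,alice,203.0.113.10,citrix-gw,success,totp
2024-02-12T08:05:44Z,bob,198.51.100.7,citrix-gw,success,none
2024-02-12T08:06:02Z,bob,198.51.100.7,citrix-gw,success,none
2024-02-12T09:15:30Z,carol,203.0.113.22,citrix-gw,failure,none
2024-02-12T10:20:01Z,svc-backup,10.0.0.5,citrix-gw,success,none
2024-02-12T11:00:00Z,dave,203.0.113.31,intranet-wiki,success,none
"""

# Portals that expose internal systems to the outside and must enforce MFA.
# Hypothetical names for this example.
REMOTE_ACCESS_PORTALS = {"citrix-gw"}


@dataclass(frozen=True)
class Finding:
    """One (user, source, portal) tuple that authenticated without MFA."""
    user: str
    source_ip: str
    portal: str
    count: int  # number of password-only successful logins observed


def parse_log(text):
    """Parse the CSV log text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def logins_without_mfa(records, portals=REMOTE_ACCESS_PORTALS):
    """Return findings for successful remote-access logins whose mfa field is
    'none', aggregated per (user, source_ip, portal) and sorted for stable output.

    Failed logins are ignored: the policy question is whether anyone got in
    on a password alone, not whether someone tried."""
    counts = {}
    for r in records:
        if r["portal"] not in portals or r["result"] != "success":
            continue
        if r["mfa"] != "none":
            continue
        key = (r["user"], r["source_ip"], r["portal"])
        counts[key] = counts.get(key, 0) + 1
    return [Finding(u, ip, p, n) for (u, ip, p), n in sorted(counts.items())]


def mfa_coverage(records, portals=REMOTE_ACCESS_PORTALS):
    """Fraction of successful remote-access logins that carried an MFA factor.

    Returns 1.0 when there were no successful remote-access logins at all, so an
    empty window is not reported as a coverage failure."""
    total = 0
    with_mfa = 0
    for r in records:
        if r["portal"] not in portals or r["result"] != "success":
            continue
        total += 1
        if r["mfa"] != "none":
            with_mfa += 1
    return with_mfa / total if total else 1.0


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(f"MFA coverage on remote-access portals: {mfa_coverage(rows):.0%}")
    for f in logins_without_mfa(rows):
        print(f"NO-MFA LOGIN  user={f.user} src={f.source_ip} "
              f"portal={f.portal} count={f.count}")
```

On the constructed log the audit reports 25% MFA coverage and two findings: the interactive user `bob` and the service account `svc-backup`. Service and break-glass accounts exempted from MFA are exactly the kind of gap this check surfaces, so the portal set and the exemption list are the two inputs worth reviewing with the portal owners.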
The significant financial impact of the ransomware attack on UnitedHealth Group underscores the consequences of inadequate cybersecurity measures in the healthcare industry. With cyber threats growing in frequency and sophistication, organizations must prioritize robust security controls to safeguard sensitive information and maintain the trust of their customers.
Article Source
https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/