In his upcoming testimony before a U.S. House committee, UnitedHealth Group CEO Andrew Witty will reveal that hackers were able to access Change Healthcare’s IT systems in February by using stolen credentials. This allowed them to log into a Citrix remote access portal with an account that did not have multi-factor authentication enabled.
The testimony, which was made public by the House Energy and Commerce Committee, confirms that criminals gained access to the Change Healthcare Citrix portal on February 12 through compromised credentials. They were then able to move within the systems and extract data, with ransomware being deployed nine days later.
This revelation aligns with a recent report by The Wall Street Journal, which initially pointed to a cybercrime group gaining access to Change Healthcare’s systems using stolen credentials on February 12. Citrix has been contacted for comment on the matter.
UnitedHealth Group disclosed last week that data of a significant number of Americans may have been compromised in the attack on Change Healthcare. They also admitted to paying a ransom to regain access to the systems, although the specific amount was not confirmed.
CEO Andrew Witty, who made the decision to pay the ransom, described it as one of the most difficult decisions he has had to make. The fallout from the attack, first reported on February 22, caused disruptions in processing claims and receiving payments for U.S.-based pharmacies, hospitals, and other healthcare facilities.
Experts from major tech companies were called in for support at the Change Central Command Operations Center following the attack. Witty expressed gratitude for their assistance in dealing with the situation.
The prepared testimony does not provide details on how the cybercriminals obtained the Citrix credentials used in the breach. The group behind the attack, AlphV (also known as BlackCat), has taken responsibility, while another group, RansomHub, has tried to extort UnitedHealth into paying to prevent the disclosure of stolen data.
The presence of protected health information (PHI) and personally identifiable information (PII) in the stolen data has prompted an investigation by the Department of Health and Human Services under HIPAA rules. However, there is no evidence so far that complete medical records were exfiltrated.
Article Source
https://www.crn.com/news/security/2024/unitedhealth-compromised-citrix-credentials-behind-change-healthcare-hack