Change Healthcare Hackers Broke in with Stolen Credentials – and Without MFA, Says UHG CEO | TechCrunch

The ransomware gang that hacked into US healthcare technology giant Change Healthcare used a series of stolen credentials to remotely access the company’s systems that were not protected by multi-factor authentication, according to the chief executive of its parent company, UnitedHealth.

UnitedHealth CEO Andrew Witty gave the written testimony before a House subcommittee hearing Wednesday on the February ransomware attack that caused months of disruption across the U.S. health care system.

This is the first time the health insurance giant has provided an assessment of how hackers broke into Change Healthcare’s systems and exfiltrated massive amounts of healthcare data. UnitedHealth said last week that the hackers had stolen health data from a “significant portion of the people of America.”

Change Healthcare processes health insurance and billing claims for approximately half of all U.S. residents.

According to Witty’s statement, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to allow employees to remotely access their work computers across their internal networks. Witty did not elaborate on how the credentials were stolen.

However, Witty said the portal “does not have multi-factor authentication,” a basic security feature that prevents misuse of stolen passwords by requiring a second code to be sent to an employee’s trusted device, such as their phone. It is unknown why Change did not set up multi-factor authentication on this system, but this will likely become a focus for investigators trying to understand possible flaws in the insurer’s systems.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” Witty said.

Witty said the hackers deployed ransomware nine days later, on February 21, prompting the healthcare giant to shut down its network to contain the breach.

UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of data. The hackers, known as RansomHub, are the second gang to claim data theft after posting some of the stolen data on the dark web and demanding a ransom in exchange for not selling the information.

UnitedHealth said earlier this month the ransomware attack cost the company more than $870 million in the first quarter, in which the company had revenue of nearly $100 billion.
