UnitedHealth CEO reveals hackers remained undetected in network for nine days prior to a ransomware attack

The attack that crippled the US healthcare system for weeks was carried out using leaked credentials for a Citrix gateway that was not properly secured, according to UnitedHealth Group CEO Andrew Witty, who is scheduled to testify before a US congressional committee on May 1.

“On February 12, hackers exploited compromised credentials to remotely access a Change Healthcare Citrix gateway, which allows remote access to workstations.” Witty’s testimony (PDF), which may be found on the House Committee on Energy and Commerce website, states that the portal did not include multi-factor authentication.

“Once the threat actor obtained access, they went laterally through the systems in more sophisticated methods, exfiltrating data. Ransomware was deployed nine days later,” according to the testimony.
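The two weak points the testimony describes, a remote-access portal that accepted a password alone and nine days of activity before ransomware was deployed, are exactly what a defender would hunt for in gateway authentication logs. The following is an added example, not code from the article or from UnitedHealth Group: it parses a constructed, hypothetical log format (not Citrix's real log schema) and reports successful logins that were not backed by a second factor, plus the first time each account is seen from a given source address, which is the signal that would have surfaced a stolen credential in use during the dwell period.

```python
from dataclasses import dataclass
from datetime import datetime

# Hypothetical record format for one gateway authentication event.
# Real Citrix Gateway logs look different; this is an assumption for the example.
@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str   # "success" or "failure"
    mfa: bool     # True only if a second factor was actually verified

# Constructed sample log (fabricated users and RFC 5737 test addresses,
# not real Change Healthcare data).
SAMPLE_LOG = """\
2024-02-12T03:14:07Z alice 203.0.113.10 success mfa=no
2024-02-12T08:02:51Z bob 198.51.100.4 success mfa=yes
2024-02-12T08:05:13Z alice 203.0.113.10 success mfa=no
2024-02-13T22:47:30Z carol 192.0.2.77 failure mfa=no
2024-02-14T01:00:02Z alice 203.0.113.55 success mfa=no
"""

def parse_events(text):
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append(AuthEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user, ip, result, mfa == "mfa=yes"))
    return events

def password_only_logins(events):
    """Successful logins where no second factor was verified.
    On a portal that enforces MFA this list must be empty; anything in it
    means a password alone was enough to get remote access."""
    return [e for e in events if e.result == "success" and not e.mfa]

def first_seen_sources(events):
    """(user, src_ip, ts) for each successful login from an address that
    account has not used before, in time order. A long-lived account
    suddenly appearing from a new address is the cheapest early warning
    that its credential is being used by someone else."""
    seen = set()
    out = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.result != "success":
            continue
        key = (e.user, e.src_ip)
        if key not in seen:
            seen.add(key)
            out.append((e.user, e.src_ip, e.ts))
    return out

def accounts_without_mfa(events):
    """Accounts that ever logged in successfully on password alone, so an
    operator can see who to enroll or disable first."""
    return sorted({e.user for e in password_only_logins(events)})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in password_only_logins(evs):
        print(f"password-only login: {e.user} from {e.src_ip} at {e.ts:%Y-%m-%d %H:%M}")
    for user, ip, ts in first_seen_sources(evs):
        print(f"first seen: {user} from {ip} at {ts:%Y-%m-%d %H:%M}")
    print("accounts needing MFA:", accounts_without_mfa(evs))
```

Run against a real export, the interesting rows are the ones where both checks fire on the same account: a password-only success from a never-before-seen address. That is the pattern a stolen credential against an MFA-less portal produces, and it is visible on day one of the dwell period rather than on the day the ransomware runs.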


According to Witty, a ransom was paid in order to “protect people’s personal health information”. However, after BlackCat pulled an exit scam, the hackers extorted UnitedHealth Group again, and it is unclear whether the healthcare giant paid both times.

Witty’s testimony further confirms that both personally identifiable information (PII) and protected health information (PHI) were compromised during the attack. The precise scope of the data breach is unknown, but the stolen information “could cover a substantial proportion of people in America”.

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack,” the testimony states.

When the healthcare giant discovered the hack on February 21, it unplugged Change Healthcare’s systems from the internet, substantially disrupting numerous services that thousands of pharmacies and hospitals in the United States rely on.

The restoration operation began almost immediately and involved “safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up”, which included replacing thousands of laptops, rotating credentials, rebuilding the data center network and core services, and expanding server capacity.

Prioritizing pharmacy, provider payments, and claims services, UnitedHealth Group continues “to make substantial progress in restoring” the affected systems.

As of April 26, the organization had provided more than $6.5 billion in upfront funding to thousands of providers. Last week, UnitedHealth Group revealed expenditures of $872 million for the ransomware attack, warning that they might rise to $1.6 billion by the end of the year.
