Change Healthcare hackers broke in using stolen credentials – no MFA, says UHG CEO

The ransomware gang that breached US health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication, according to the CEO of parent company UnitedHealth.

UnitedHealth CEO Andrew Witty gave written testimony ahead of Wednesday’s House subcommittee hearing on the February ransomware attack that caused months of disruption to the U.S. health care system.

For the first time, the health insurance giant has assessed how hackers breached Change Healthcare’s systems, during which huge amounts of health data were extracted from its systems. Last week, UnitedHealth said hackers had stolen health data for “a significant portion of people in America.”

Change Healthcare processes health insurance claims and billing for about half of all U.S. residents.

According to Witty’s testimony, the hackers “used the compromised credentials to gain remote access to the Change Healthcare Citrix portal.” Organizations like Change use Citrix software to enable employees to remotely access work computers on internal networks.

Witty didn’t explain in detail how the credentials were stolen. The Wall Street Journal was the first to report the hacker’s use of compromised credentials last week.

Witty, however, said the portal “lacks multi-factor authentication,” which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code to be sent to an employee’s trusted device, such as a phone. It’s unclear why Change didn’t set up multi-factor authentication on this system, but it’s likely to be of interest to investigators trying to understand potential deficiencies within the insurer’s systems.

“Once the attacker gained access, they moved around systems and extracted data in a more sophisticated way,” Witty said.

Witty said hackers deployed the ransomware nine days later on Feb. 21, prompting the health care giant to shut down its network to contain the breach.

Last week, UnitedHealth confirmed that the company had paid a ransom to hackers who claimed responsibility for the cyberattack and subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to claim the data theft after they posted some of the stolen data on the dark web and demanded a ransom for not selling the data.

Earlier this month, UnitedHealth said the ransomware attack cost it more than $870 million in the first quarter, in which the company had revenue of nearly $100 billion.

This article was originally published on: techcrunch.com
