UnitedHealth confirms that Change Healthcare’s community was breached by the BlackCat ransomware gang, who used stolen credentials to log into the corporate’s Citrix distant entry service, which didn’t have multi-factor authentication enabled.
This was revealed in UnitedHealth CEO Andrew Witty’s written testimony revealed forward of a Home Vitality and Commerce subcommittee listening to scheduled for tomorrow.
The ransomware assault on Change Healthcare occurred in late February 2024, resulting in extreme operational disruptions on Optum’s Change Healthcare platform.
This impacted a variety of important providers utilized by healthcare suppliers throughout the U.S., together with cost processing, prescription writing, and insurance coverage claims, and prompted monetary damages estimated at $872 million.
Beforehand, the BlackCat ransomware gang claimed they’d acquired a $22 million ransom cost from UnitedHealth, which was stolen from the affiliate who performed the assault in an exit rip-off. Shortly after, the affiliate claimed to nonetheless have the info and partnered with RansomHub to provoke an further extortion demand by leaking allegedly stolen knowledge.
The healthcare org lately admitted that it paid a ransom to guard folks’s knowledge post-compromise, however no particulars concerning the assault or who carried it out have been formally disclosed.
RansomHub has since eliminated the Change Healthcare entry from its web site, indicating that an extra ransom was paid.
A simple break-in
In testimony by Andrew Witty, the CEO confirmed that the assault occurred on the morning of February 21 when the menace actors started encrypting methods and rendering them inaccessible to the group’s workers.
For the primary time, the corporate additionally formally confirmed BleepingComputer’s report that the ALPHV/BlackCat ransomware operation was behind the assault.
Whereas the precise public-facing assault occurred on February 21, Witty revealed that the attacker had entry to the corporate’s community for about ten days earlier than deploying their encryptors. Throughout this time, the menace actors unfold by the community and stole company and affected person knowledge that could be used of their extortion makes an attempt.
The investigations, that are nonetheless ongoing, revealed that the attackers first gained entry to Change Healthcare’s Citrix portal on February 12, 2024, utilizing stolen worker credentials. It’s unknown whether or not these credentials have been initially stolen through a phishing assault or information-stealing malware.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” defined Witty.
“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
The CEO additionally shared a private second, stating that the selection to pay a ransom was solely his and one of many hardest selections he needed to make.
“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty wrote in his testimony.
Remediation efforts
Witty additional outlined their quick actions to safe their methods following the assault, characterizing them as “swift and forceful,” noting that the menace was efficiently contained by taking all the pieces down regardless of figuring out the influence this is able to have on folks.
Following the assault, the group’s IT staff changed hundreds of laptops, rotated credentials, and utterly rebuilt Change Healthcare’s knowledge middle community and core providers in just some weeks. Witty states such a job would often have taken a number of months.
Though knowledge samples that leaked on-line contained protected well being data (PHI) and personally identifiable data (PII), Witty notes that, thus far, they’ve seen no proof of exfiltration of supplies akin to medical doctors’ charts or full medical histories.
In regards to the standing of the impacted providers, pharmacy networks function at a fraction of a % under regular, medical claims move almost at regular ranges, and cost processing at roughly 86% of pre-incident ranges.