
Change Healthcare hackers broke in using stolen credentials



The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication, according to the chief executive of its parent company, UnitedHealth.

UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system.

This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare’s systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a “substantial proportion of people in America.”

Change Healthcare processes health insurance and billing claims for around half of all U.S. residents.

According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks. Witty did not elaborate on how the credentials were stolen.

However, Witty did say the portal “did not have multi-factor authentication,” which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee’s trusted device, such as their phone. It’s not known why Change did not set up multi-factor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” said Witty.

Witty said the hackers deployed ransomware nine days later on February 21, prompting the health giant to shut down its network to contain the breach.

UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to lay claim to the data theft after posting a portion of the stolen data to the dark web and demanding a ransom to not sell the information.

UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, in which the company made close to $100 billion in revenue.


