UnitedHealth confirms that Change Healthcare’s network was breached by the BlackCat ransomware gang, who used stolen credentials to log into the company’s Citrix remote access service, which did not have multi-factor authentication enabled.
This was revealed in UnitedHealth CEO Andrew Witty’s written testimony published ahead of a House Energy and Commerce subcommittee hearing scheduled for tomorrow.
The ransomware attack on Change Healthcare occurred in late February 2024, causing severe operational disruptions on Optum’s Change Healthcare platform.
This impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at $872 million.
Previously, the BlackCat ransomware gang claimed they had received a $22 million ransom payment from UnitedHealth, which was then stolen from the affiliate who carried out the attack in an exit scam. Shortly after, the affiliate claimed to still have the data and partnered with RansomHub to initiate a further extortion demand by leaking stolen data.
The healthcare org recently admitted that it paid a ransom to protect people’s data post-compromise, but no details about the attack or who carried it out had been formally disclosed.
RansomHub has since removed the Change Healthcare entry from its site, indicating that a further ransom was paid.
A simple break-in
In his testimony, Andrew Witty confirmed that the attack occurred on the morning of February 21, when the threat actors began encrypting systems and rendering them inaccessible to the organization’s employees.
For the first time, the company also formally confirmed BleepingComputer’s report that the ALPHV/BlackCat ransomware operation was behind the attack.
While the public-facing attack itself occurred on February 21, Witty revealed that the attacker had access to the company’s network for about ten days before deploying their encryptors. During this time, the threat actors spread through the network and stole corporate and patient data that could be used in their extortion attempts.
The investigations, which are still ongoing, revealed that the attackers first gained access to Change Healthcare’s Citrix portal on February 12, 2024, using stolen employee credentials. It is unknown whether these credentials were initially stolen via a phishing attack or information-stealing malware.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” explained Witty.
“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed 9 days later.”
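The sequence Witty describes, a remote access portal reachable with a password alone followed by lateral movement, is exactly what a routine audit of authentication logs is meant to surface before the dwell time runs out. The following is an added example and is not code from the article or from UnitedHealth, Change Healthcare or Citrix: it scans constructed login records in a hypothetical key=value format (the field names `event`, `result`, `factors` and `src` are assumptions, not a real Citrix log schema) and lists every successful login that completed without a second factor, grouped by account.

```python
"""Audit remote-access portal logins for successful sign-ins without a second factor.

Added example, not the article's or any vendor's code. The log format below is
constructed and hypothetical; real Citrix Gateway logs use a different layout,
so the parser's field names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-02-12T03:14:07Z event=login user=jdoe result=success factors=password src=203.0.113.45
2024-02-12T08:02:11Z event=login user=asmith result=success factors=password,totp src=198.51.100.7
2024-02-12T08:05:50Z event=login user=jdoe result=failure factors=password src=203.0.113.45
2024-02-13T22:41:19Z event=login user=bkhan result=success factors=password src=192.0.2.200
2024-02-14T09:00:03Z event=login user=asmith result=success factors=password,push src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Factor names counted as a genuine second factor (assumed vocabulary).
SECOND_FACTORS = {"totp", "push", "hardware_token", "sms"}


def parse_line(line):
    """Parse one record into a dict; return None for malformed lines or bad timestamps."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        # Validate the timestamp so a garbled line is rejected rather than miscounted.
        datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return fields


def single_factor_logins(log_text):
    """Return successful logins whose factor list contains no second factor."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("event") != "login" or rec.get("result") != "success":
            continue
        factors = set(rec.get("factors", "").split(","))
        if not factors & SECOND_FACTORS:
            findings.append({"time": rec["ts"], "user": rec.get("user"), "src": rec.get("src")})
    return findings


def summarize_by_user(findings):
    """Count password-only logins per account so repeat offenders stand out."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = single_factor_logins(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['time']} user={hit['user']} src={hit['src']} logged in with password only")
    print("per-user:", summarize_by_user(hits))
```

Run against the constructed sample, the audit reports the two password-only successes (jdoe and bkhan) and ignores the failed attempt and the two logins that carried a TOTP or push factor; the same query over real portal logs is the quickest way to confirm whether an MFA requirement is actually enforced rather than merely configured.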
The CEO also shared a personal note, stating that the decision to pay a ransom was solely his and one of the hardest decisions he has had to make.
“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty wrote in his testimony.
Remediation efforts
Witty further outlined the immediate actions taken to secure their systems following the attack, characterizing them as “swift and forceful,” and noted that the threat was successfully contained by taking everything down despite knowing the impact this would have on people.
Following the attack, the organization’s IT team replaced thousands of laptops, rotated credentials, and completely rebuilt Change Healthcare’s data center network and core services in just a few weeks. Witty states that such a task would typically have taken several months.
Although data samples that leaked online contained protected health information (PHI) and personally identifiable information (PII), Witty notes that, so far, they have seen no evidence of exfiltration of materials such as doctors’ charts or full medical histories.
Regarding the status of the impacted services, pharmacy networks are operating at a fraction of a percent below normal, medical claims are flowing at nearly normal levels, and payment processing is at roughly 86% of pre-incident levels.