Stolen Credentials Used to Breach Change Healthcare
In troubling testimony before the House Energy and Commerce Committee, Andrew Witty, CEO of UnitedHealth Group, revealed how hackers penetrated Change Healthcare by using stolen credentials and taking advantage of a lack of multifactor authentication (MFA).
Large volumes of private health information were made public by this incident. According to Witty's testimony, the breach commenced when cybercriminals accessed Change Healthcare's systems using stolen credentials via a Citrix portal. "The portal did not have multifactor authentication," Witty explained, showcasing the ease with which the attackers navigated the company’s defenses.
This lapse allowed the hackers to remain undetected for nine days, during which they exfiltrated a substantial amount of data and ultimately deployed ransomware, causing widespread disruption across the US healthcare system.
The financial ramifications of the cybersecurity breach at Change Healthcare were profound and multifaceted. UnitedHealth Group, the parent company, reported staggering losses exceeding $870 million in the first quarter alone due to the breach.
As highlighted in our previous reporting, the initial attack also led UnitedHealth to pay $22 million to the ransomware gang ALPHV in a bid to secure the stolen data and prevent public leaks. However, the cybersecurity challenges did not end with this payment. A second ransomware gang, known as RansomHub, extorted the company further using the same set of stolen data.
The Change Healthcare breach is just one of many recent incidents targeting the healthcare industry. For instance, a similar cyberattack on LA County Health Services also led to a substantial data breach. The success rate of these cybercriminal gangs points to serious security vulnerabilities across the industry; the absence of multifactor authentication mentioned in Witty's testimony is just one example.