The ransomware gang that hacked into U.S. health tech giant Change Healthcare used a set of stolen credentials to remotely access the company’s systems that weren’t protected by multi-factor authentication, according to the chief executive of its parent company, UnitedHealth.
UnitedHealth CEO Andrew Witty provided the written testimony ahead of a House subcommittee hearing on Wednesday into the February ransomware attack that caused months of disruption across the U.S. healthcare system.
This is the first time the health insurance giant has given an assessment of how hackers broke into Change Healthcare’s systems, during which massive amounts of health data were exfiltrated from its systems. UnitedHealth said last week that the hackers stole health data on a “substantial proportion of individuals in America.”
Change Healthcare processes health insurance and billing claims for around half of all U.S. residents.
According to Witty’s testimony, the criminal hackers “used compromised credentials to remotely access a Change Healthcare Citrix portal.” Organizations like Change use Citrix software to let employees access their work computers remotely on their internal networks.
Witty did not elaborate on how the credentials were stolen. The Wall Street Journal first reported the hacker’s use of compromised credentials last week.
However, Witty did say the portal “didn’t have multi-factor authentication,” which is a basic security feature that prevents the misuse of stolen passwords by requiring a second code sent to an employee’s trusted device, such as their phone. It’s not known why Change did not set up multi-factor authentication on this system, but this will likely become a focus for investigators trying to understand potential deficiencies in the insurer’s systems.
“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data,” said Witty.
Witty said the hackers deployed ransomware nine days later, on February 21, prompting the health giant to shut down its network to contain the breach.
UnitedHealth confirmed last week that the company paid a ransom to the hackers who claimed responsibility for the cyberattack and the subsequent theft of terabytes of stolen data. The hackers, known as RansomHub, are the second gang to lay claim to the data theft after posting a portion of the stolen data to the dark web and demanding a ransom to not sell the information.
UnitedHealth earlier this month said the ransomware attack cost it more than $870 million in the first quarter, in which the company made close to $100 billion in revenue.