
UnitedHealth Attack: Stolen Credentials, No MFA


Attackers used stolen credentials to log into a remote access tool that did not have multifactor authentication (MFA) enabled, and from there broke into UnitedHealth’s network last February.

The breach jump-started a massive attack affecting thousands of medical facilities, practitioners, pharmacies and patients, UnitedHealth's chief executive told a House panel.

Andrew Witty presented written testimony to the House Energy and Commerce Committee on May 1 stating that the attack caused weeks of operational and financial disruption across the healthcare industry.

The nearly $400 billion umbrella company has some 2,200 subsidiaries that interact with tens of millions of Americans. It ranks as the nation’s fourth-largest company by revenue this year, just behind Apple and ahead of Alphabet and Microsoft.

According to a copy of Witty’s prepared testimony posted on the House panel’s website, on February 21 a cybercriminal gang, identified as ALPHV/BlackCat, locked up Change Healthcare's systems with ransomware and demanded a ransom to unlock them.

$22 Million Bitcoin Ransom Paid

The ransom was $22 million, paid in Bitcoin. Witty took full responsibility for the decision to pay it.

“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” he said.

Change Healthcare is UnitedHealth’s health technology and claims-processing unit, part of its Optum subsidiary. It processes 50% of all medical claims in the United States.

Witty said that on February 12, “criminals used compromised credentials to remotely access a Change Healthcare portal, an application used to enable remote access to desktops. The portal did not have a multi-factor authentication feature. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
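The control failure Witty describes is one a defender can audit for directly: any successful session on a remote access gateway that was authenticated by a password alone, and any successful login from an address the account has not used before. The script below is an added example, not code from the page or from UnitedHealth, Change Healthcare or the responders named in the testimony. It assumes a hypothetical JSON-lines authentication log with the fields `ts`, `portal`, `user`, `src_ip`, `result` and `mfa` (the schema is invented for the example and the sample records are constructed), and it generalizes the point slightly by running over logs from any number of remote access portals rather than the single one the testimony mentions.

```python
import json
from collections import defaultdict

# Constructed sample log in a hypothetical schema; not real Change Healthcare telemetry.
# Records are out of order on purpose, as a merged feed from several gateways would be.
SAMPLE_LOG = """
{"ts": "2024-02-10T08:02:11Z", "portal": "citrix-gw", "user": "jsmith", "src_ip": "10.20.0.15", "result": "success", "mfa": true}
{"ts": "2024-02-10T08:05:40Z", "portal": "citrix-gw", "user": "mlee", "src_ip": "10.20.0.31", "result": "success", "mfa": true}
{"ts": "2024-02-12T09:00:00Z", "portal": "vpn", "user": "mlee", "src_ip": "10.20.0.31", "result": "success", "mfa": true}
{"ts": "2024-02-11T22:14:03Z", "portal": "citrix-gw", "user": "svc-backup", "src_ip": "10.20.0.9", "result": "success", "mfa": false}
{"ts": "2024-02-12T03:31:57Z", "portal": "citrix-gw", "user": "jsmith", "src_ip": "203.0.113.77", "result": "failure", "mfa": false}
{"ts": "2024-02-12T03:32:10Z", "portal": "citrix-gw", "user": "jsmith", "src_ip": "203.0.113.77", "result": "success", "mfa": false}
not json at all
"""

REQUIRED = {"ts", "user", "src_ip", "result"}


def parse_log(text):
    """Parse JSON lines, skipping blank, malformed or incomplete records (a real feed has all three)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and REQUIRED.issubset(ev):
            events.append(ev)
    return events


def find_password_only_logins(events):
    """Successful sessions where no second factor was recorded.

    A missing 'mfa' key counts as no MFA: the finding is the absence of
    evidence that a second factor was checked, not proof that it was skipped.
    """
    return [ev for ev in events
            if ev["result"] == "success" and not ev.get("mfa", False)]


def find_new_source_logins(events):
    """Successful logins from an address the account had not used before.

    Events are processed in timestamp order (ISO-8601 strings sort correctly).
    Only successful logins seed the per-user baseline, so an attacker's failed
    attempts do not make their address 'known'. The first success for a user
    is treated as baseline rather than as a finding.
    """
    seen = defaultdict(set)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        known = seen[ev["user"]]
        if ev["src_ip"] not in known:
            if known:
                findings.append(ev)
            known.add(ev["src_ip"])
    return findings


def audit(text):
    """Return (password-only logins, new-source logins) for a JSON-lines log text."""
    events = parse_log(text)
    return find_password_only_logins(events), find_new_source_logins(events)


if __name__ == "__main__":
    pw_only, new_src = audit(SAMPLE_LOG)
    for ev in pw_only:
        print(f"NO-MFA {ev['ts']} {ev.get('portal', '?')} {ev['user']} from {ev['src_ip']}")
    for ev in new_src:
        print(f"NEW-IP {ev['ts']} {ev.get('portal', '?')} {ev['user']} from {ev['src_ip']}")
```

On the constructed log the audit reports two password-only sessions (the service account, and `jsmith` from 203.0.113.77) and one login from a never-before-seen address, also `jsmith` from 203.0.113.77. The overlap of the two findings on one session is the signal that matters: a valid password, no second factor, and a source the account has never used is exactly the shape of the access the testimony describes, and it is visible in the gateway's own logs before any lateral movement takes place.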

On the day of the cyber lockdown, experts from Google, Microsoft, Cisco, Amazon and others were “en route to Change’s Nashville Central Command Operations Center,” where together they worked with teams from Mandiant and Palo Alto Networks, the testimony says.

“We have been working 24/7 from the day of the incident and have deployed the full resources of UnitedHealth Group on all aspects of our response and restoration efforts,” Witty said. “I want this Committee and the American public to know that the people of UnitedHealth Group will not rest, I will not rest, until we fix this.”

Substantial PII Compromised in Cyberattack

Witty said that UnitedHealth found files containing protected health information (PHI) and personally identifiable information (PII), which would “cover a substantial proportion of people.” He expects it will take “several months” to gather enough information to “identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyber attack.”

He called the attack “unprecedented,” blaming the cyber actors who carried it out for causing “incredible disruption across the healthcare system. From pharmacists having to manually submit claims to the rural family medicine practice struggling to make payroll — the impacts of an attack by organized criminals, no matter how temporary, were real.”

$10 Million Reward Offered

On March 27, the U.S. State Department announced a reward of up to $10 million for information on the Change Healthcare cyberattackers. Under its Rewards for Justice program, the department seeks “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”

As of April 26, UnitedHealth had provided more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of healthcare providers, according to Witty's testimony.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.