UnitedHealth: Hackers Exploited Remote-Access Software for Ransomware Attack

UnitedHealth CEO Andrew Witty confirms the company paid a ransom and says a 'substantial proportion of people in America' may be impacted by the February attack.

By Kate Irwin, Reporter

Attackers used compromised credentials to log in to a Citrix remote-access portal at UnitedHealth subsidiary Change Healthcare, a portal that was not protected by multi-factor authentication. That foothold let the AlphV, or BlackCat, ransomware group move through Change Healthcare's systems and, once inside, lock up 4TB of data for ransom, which the company paid.

That's according to prepared remarks from UnitedHealth CEO Andrew Witty, who will testify at a House Energy and Commerce Oversight hearing on Wednesday to provide more details about the February ransomware attack that temporarily stalled some pharmacy prescription services, crippled medical billing systems, and resulted in patient data leaks.

PCMag has reached out to Citrix for comment. US cybersecurity authorities had flagged vulnerabilities in various Citrix products before the attack, but Witty's account points to stolen credentials and a portal without multi-factor authentication rather than a flaw in the software itself.

In the wake of the attack, UnitedHealth contacted the FBI and disconnected Change Healthcare's data centers from the rest of its systems in an effort to isolate the malware and prevent it from moving to other systems, according to Witty, who says that effort was successful.

"Criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," Witty says. "The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

The company hasn't yet disclosed any concrete numbers on how many Americans are at risk as a result. Witty has said that "a substantial proportion of people in America" are likely impacted, and later shared that "maybe a third" of Americans could be at risk. UnitedHealth says it hasn't yet seen any individuals' doctor charts or medical histories leaked, but admits some patients' personally identifiable information and health data was swiped as part of the breach. Witty didn't specify further what type of health data was leaked.

The CEO adds that he decided UnitedHealth would pay a ransom, calling that choice "one of the hardest decisions I've ever had to make." He didn't say how much was paid, but reports indicate that an initial $22 million payment was made, and a second group is now demanding more. Witty will likely be asked about that at tomorrow's hearing, which starts at 2 p.m. ET.

"We have been working 24/7 from the day of the incident and have deployed the full resources of UnitedHealth Group on all aspects of our response and restoration efforts," Witty adds. "I want this committee and the American public to know that the people of UnitedHealth Group will not rest—I will not rest—until we fix this."

Anyone whose data may have been impacted will get free access to credit monitoring and identity theft protection for the next two years through UnitedHealth. Individuals can contact UH staff addressing the aftermath by going to a dedicated page on UnitedHealth's website.

Unfortunately, the attack on Change Healthcare isn't an isolated incident. Ransomware attacks are an ongoing problem. UnitedHealth itself fights off over 450,000 cyberattacks or "intrusions" yearly, or about one every 70 seconds, according to the company.

Editor's Note: This story has been updated to include that "maybe a third" of Americans could be impacted.

About Our Expert

Kate Irwin

Reporter

I’m a reporter for PCMag covering tech news early in the morning. Prior to joining PCMag, I was a producer and reporter at Decrypt and launched its gaming vertical, GG. I have previously written for Input, Game Rant, Dot Esports, and other places, covering a range of gaming, tech, crypto, and entertainment news.

I’ve been a PC gamer since The Sims (yes, the original) in the CD-ROM days. I still think about my first-gen pink iPod mini, which, looking back, was not so mini. In 2020, I finally built my own custom Windows PC for gaming with a 3090 graphics card, but I also regularly use Mac and iOS devices. As a reporter, I’m passionate about documenting the wide world of tech and how it affects our daily lives.
