UnitedHealth: Compromised Citrix Credentials Behind Change Healthcare Hack

In testimony slated to be delivered before a U.S. House committee, UnitedHealth Group CEO Andrew Witty says that hackers used stolen credentials to log in to a Citrix remote access portal, using an account that didn’t have multifactor authentication enabled.

UnitedHealth Group disclosed that hackers broke into Change Healthcare IT systems in February using stolen credentials, which enabled them to log in to a Citrix remote access portal.

The credentials belonged to an account that didn’t have multifactor authentication enabled, according to the testimony slated to be delivered Wednesday by UnitedHealth CEO Andrew Witty to a U.S. House committee.


The 10-page testimony was posted online Monday by the House Committee on Energy and Commerce.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multifactor authentication,” according to the transcript of Witty’s prepared testimony.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said in the prepared testimony.

The testimony confirms a report last week from The Wall Street Journal, which indicated that the cybercrime group behind the attack initially gained access to Change Healthcare’s systems on Feb. 12 using stolen credentials.

CRN has reached out to Citrix for comment.

The confirmation also follows UnitedHealth’s disclosure last week that data belonging to a “substantial proportion” of Americans may have been stolen in the attack against prescription processor Change Healthcare, a unit of the insurer’s Optum subsidiary.

In addition, the insurance giant confirmed last week that it paid a ransom to regain access to Change Healthcare’s systems. UnitedHealth did not confirm the amount paid, which was previously pegged at $22 million by security researchers.

“As chief executive officer, the decision to pay a ransom was mine,” Witty said in the prepared testimony. “This was one of the hardest decisions I’ve ever had to make.”

The details on what led to the Change Healthcare hack are the latest development in the fallout from the widely felt attack, which was first revealed Feb. 22. The disruptions prevented many U.S.-based pharmacies and hospitals, as well as other health-care facilities and offices, from processing claims and receiving payments in the following weeks.

“By the afternoon of February 21, experts from Google, Microsoft, Cisco, Amazon and others were en route to Change’s Nashville Central Command Operations Center, where they joined security teams from Mandiant and Palo Alto Networks,” Witty said in the testimony. “We are exceedingly grateful for their support.”

No details are provided in Witty’s prepared testimony on how the Citrix credentials came into the hands of the cybercriminals behind the Change Healthcare attack. The cybercrime group known as ALPHV (also called BlackCat) has claimed responsibility for the attack, while a different threat group, RansomHub, has attempted to extort UnitedHealth for payment to prevent the release of data stolen in the breach.

The claim of stolen data has prompted the Department of Health and Human Services to launch an investigation into the incident in connection with HIPAA rules.

“As we have previously confirmed, based on initial targeted data sampling to date, we found files containing protected health information (PHI) and personally identifiable information (PII),” Witty said in the prepared testimony. “So far, we have not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.”