Change Healthcare, Compromised By Stolen Credentials, Did Not Have MFA Turned On

Dive Brief:

• A ransomware group accessed Change Healthcare’s systems with compromised credentials, UnitedHealth Group CEO Andrew Witty said in written testimony prepared for a Wednesday hearing before the House Energy and Commerce Committee Subcommittee on Oversight and Investigations. 
• On Feb. 12, the AlphV ransomware group used those compromised credentials to “remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in his prepared remarks. “The portal did not have multifactor authentication.” 
• “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” Witty said.

Dive Insight:

The details about the source of the intrusion into Change Healthcare’s system, which UnitedHealth Group previously confirmed it identified on March 13, stress a consequential mistake the healthcare giant made in failing to protect a critical system: it did not turn on MFA.

“This underscores pure negligence on the part of UnitedHealth,” Tom Kellerman, SVP of cyber strategy at Contrast Security, said via email. “Negligence in cybersecurity led to systemic breaches across the U.S. healthcare industry. The long-term effects of this massive breach will be felt for years to come.”

Casey Ellis, founder and chief strategy officer at Bugcrowd, said MFA would have likely prevented the attack chain that led to the breach.

“Importantly, at first blush, it appears that the software itself wasn’t the initial access issue,” Ellis said via email. “It could have been any remote access software with no MFA and a leaked or guessed credential.”

The intrusion resulted in the most disruptive cyberattack on U.S. critical infrastructure to date. UnitedHealth Group discovered and disclosed the attack on Feb. 21 and its ensuing response and recovery efforts brought Change Healthcare’s medical claims and payment processing platform to a standstill for more than a month.

“By the afternoon of Feb. 21, experts from Google, Microsoft, Cisco, Amazon and others were enroute to Change’s Nashville Central Command Operations Center, where they joined security teams from Mandiant and Palo Alto Networks,” Witty said in the written testimony.

Change, which touches 1 in 3 patient records and was acquired by UnitedHealth Group for $13 billion in late 2022, is still recovering some operations following the attack.

The damage from the attack was swift and widespread, despite UnitedHealth Group’s decision to pay the ransom. The attackers stole data containing protected health information or personally identifiable information, “which could cover a substantial proportion of people in America,” the company said last week in a press release.

Witty apologized in his prepared remarks, addressing the weight of the cyberattack and its far-reaching impact on patients, pharmacists and healthcare providers struggling to make payroll.

“Our response and reaction to this attack has been grounded in three principles: to secure the systems; to ensure patient access to care and medication; and to assist providers with their financial needs,” Witty said.

Witty used his testimony to call for mandatory minimum security standards for the healthcare industry, including funding and training for institutions in need. Witty also said he supports efforts to strengthen national cybersecurity infrastructure with greater notification to law enforcement and standardized and nationalized cybersecurity event reporting.

“To all those impacted, let me be very clear: I am deeply sorry,” Witty said. “Fighting cybercrime is an enormous task and one that requires us all — industry, law enforcement and policymakers — to come together.”