UnitedHealth hackers exploited Citrix vulnerabilities, CEO to testify

Amid strong calls for enhanced cybersecurity measures in healthcare, UnitedHealth is set to testify this week that, on February 12, hackers exploited compromised credentials to gain remote access to a Citrix portal used by its Change Healthcare unit.

In written testimony before the House Energy and Commerce Committee, CEO Andrew Witty said that after gaining access, the threat actor moved laterally within the systems using sophisticated methods and exfiltrated data.

On the morning of February 21, the ransomware group known as ALPHV or BlackCat launched a ransomware attack on Change Healthcare’s information technology environments. The attack encrypted the company’s systems, rendering them inaccessible.

“Our response was swift and forceful,” Witty said in the statement. “Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change’s data centers to eliminate the potential for further infection. While shutting down many Change environments was extremely disruptive, it was the right thing to do.”

The company paid a ransom to the attackers in exchange for decryption. The amount has not been disclosed, but a Reuters report puts it at about $22 million.

“As chief executive officer, the decision to pay a ransom was mine,” Witty said in the statement. “This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.” 

Calls for better response amid consolidation

The ransomware attack on Change Healthcare has also triggered demands for mandatory baseline security standards for healthcare providers. Earlier this month, UnitedHealth faced criticism for its handling of the attack during a three-hour session before the House Energy and Commerce Committee.

The incident has also raised concerns about healthcare consolidation. UnitedHealth, a conglomerate of health insurance businesses, acquired Change Healthcare in 2022.

During the Congressional hearing, E&C Chair Cathy McMorris Rodgers cautioned that as the healthcare system consolidates, the effects of successful cyberattacks could become more widespread.

Sub-committee member Anna Eshoo characterized the healthcare sector as a “hackers’ playground,” noting that UnitedHealth is particularly vulnerable due to its size.

“The attack shows how UnitedHealth’s anticompetitive practices present a national security risk because its operations now extend through every point of our health care system,” Eshoo said. “The cyberattack laid bare the vulnerability of our nation’s healthcare infrastructure.”

Concerns about Citrix

The incident has also put Citrix’s security record under scrutiny. In 2022, the NSA reported that a hacking group named APT5, believed to be Chinese, exploited a vulnerability in Citrix networking gear to conduct espionage.

Earlier this year, Citrix alerted its NetScaler ADC and NetScaler Gateway customers about two critical zero-day vulnerabilities that were actively being exploited.

Experts have pointed out that weak remote-access authentication likely made the initial access possible: the portal did not enforce multi-factor authentication, contrary to industry best practice, so a stolen password alone was enough to log in. Notably, the testimony describes the entry point as compromised credentials rather than an exploited flaw in the Citrix software itself.
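The two facts the testimony gives about the initial access, a valid but stolen credential and a portal with no second factor, are exactly what a remote-access audit should surface. The script below is an added example written for this article, not code from UnitedHealth, Change Healthcare or Citrix: it walks a constructed set of gateway authentication events (the field names "user", "src" and "factors" are assumptions, not any vendor's log format) and flags successful logins that completed with a single factor, and logins from a source address never before seen for that user.

```python
"""Audit remote-access authentication events for logins that completed
without a second factor and for first-seen source addresses.

Added example for this article.  The events, field names and known-source
table below are constructed for illustration; they are not real log data
and do not follow any particular gateway's log format.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (not real data).  "factors" lists the
# authentication factors that succeeded for that login attempt.
SAMPLE_EVENTS = [
    {"ts": "2024-02-12T02:58:10Z", "user": "a.smith", "src": "198.51.100.20",
     "factors": ["password", "otp"], "result": "success"},
    {"ts": "2024-02-12T03:14:02Z", "user": "j.doe", "src": "203.0.113.7",
     "factors": ["password"], "result": "success"},
    {"ts": "2024-02-12T03:20:45Z", "user": "j.doe", "src": "203.0.113.7",
     "factors": ["password"], "result": "success"},
    {"ts": "2024-02-12T09:01:33Z", "user": "m.lee", "src": "198.51.100.44",
     "factors": ["password"], "result": "failure"},
    {"ts": "2024-02-13T08:12:00Z", "user": "m.lee", "src": "198.51.100.44",
     "factors": ["password", "push"], "result": "success"},
]

# Source addresses each user has previously logged in from (constructed).
# Any other address is treated as first-seen for that user.
KNOWN_SOURCES = {
    "a.smith": {"198.51.100.20"},
    "j.doe": {"198.51.100.31"},
    "m.lee": {"198.51.100.44"},
}


@dataclass(frozen=True)
class Finding:
    ts: datetime
    user: str
    src: str
    reasons: tuple  # e.g. ("single_factor", "new_source")


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in SAMPLE_EVENTS."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(events, known_sources, min_factors=2):
    """Return a Finding for every successful login that either used fewer
    than min_factors distinct factors or came from a source not previously
    seen for that user.  Events are processed in timestamp order so that a
    source becomes 'known' only after its first successful use."""
    findings = []
    seen = {user: set(srcs) for user, srcs in known_sources.items()}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failed attempts are a separate (brute-force) signal
        reasons = []
        if len(set(ev["factors"])) < min_factors:
            reasons.append("single_factor")
        user_seen = seen.setdefault(ev["user"], set())
        if ev["src"] not in user_seen:
            reasons.append("new_source")
        user_seen.add(ev["src"])
        if reasons:
            findings.append(Finding(parse_ts(ev["ts"]), ev["user"], ev["src"], tuple(reasons)))
    return findings


def users_without_mfa(findings):
    """Accounts that completed at least one remote login on a single factor."""
    return sorted({f.user for f in findings if "single_factor" in f.reasons})


if __name__ == "__main__":
    results = audit(SAMPLE_EVENTS, KNOWN_SOURCES)
    for f in results:
        print(f"{f.ts.isoformat()} {f.user:<8} {f.src:<15} {', '.join(f.reasons)}")
    print("accounts with single-factor remote logins:", users_without_mfa(results))
```

On the constructed data the audit reports two findings, both for the single-factor account, and the first of them is also a first-seen source address; the two-factor logins from known addresses produce nothing. In practice the "new_source" signal is only as good as the known-source table, so it is most useful as a triage aid layered on top of an enforced MFA policy rather than a substitute for one.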

The attackers remained inside Change Healthcare’s systems for nine days, from the February 12 intrusion to the February 21 ransomware deployment, exfiltrating data before encrypting systems.
