The Alphv/BlackCat hackers lurked in Change Healthcare’s environment for nine days before deploying file-encrypting ransomware, the healthcare payment processor’s parent company UnitedHealth Group said.
The attack that crippled the US healthcare system for weeks was carried out using leaked credentials for a Citrix portal that was not properly secured, UnitedHealth Group’s CEO Andrew Witty is set to testify before a US Congress committee on May 1.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication,” reads Witty’s testimony (PDF), available on the House Committee on Energy and Commerce website.
“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” the testimony continues.
According to Witty, a ransom was indeed paid, in an effort to “protect peoples’ personal health information”. However, after BlackCat pulled an exit scam, the hackers extorted UnitedHealth Group a second time, and it remains to be seen whether the healthcare giant paid out both times.
Witty’s testimony confirms once again that both personally identifiable information (PII) and protected health information (PHI) was compromised in the attack. The full extent of the data breach has yet to be determined, but the stolen information “could cover a substantial proportion of people in America”.
“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack,” the testimony reads.
Upon discovering the attack on February 21, the healthcare giant disconnected Change Healthcare’s systems from the internet, severely impacting numerous services that thousands of pharmacies and hospitals across the US rely upon.
The restoration operation began almost immediately and involved “safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up”, including replacing thousands of laptops, rotating credentials, rebuilding the data center network and core services, and expanding server capacity.
Prioritizing pharmacy, provider payments, and claims services, UnitedHealth Group continues “to make substantial progress in restoring” the affected systems.
As of April 26, the organization advanced more than $6.5 billion in advanced funding to thousands of providers. Last week, UnitedHealth Group disclosed costs of $872 million related to the ransomware attack, cautioning that they could grow to $1.6 billion by the end of the year.
Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers
Related: 180k Impacted by Data Breach at Michigan Healthcare Organization
Related:530k Impacted by Data Breach at Wisconsin Healthcare Organization
