
UnitedHealth Hackers Exploited Citrix Vulnerability


Mason Walker

On February 12 this year, hackers gained access to UnitedHealth’s tech unit by exploiting a vulnerability in software from a private IT company, Citrix. The Citrix software gave employees remote access to their desktop computers. UnitedHealth, the largest health insurer in the United States, is expected to testify before a House panel this week.


The testimony by UnitedHealth CEO Andrew Witty before the House Energy and Commerce Committee is scheduled for Wednesday, May 1, 2024. The hacking of the insurer’s Change Healthcare unit led to weeks of disruption to American healthcare.

On February 21, the cybercriminal gang AlphV (also called BlackCat) locked Change Healthcare’s systems and demanded a ransom to unlock them. According to a copy of Witty’s written testimony, he is expected to tell the House panel the following.

“Not knowing the entry point of the attack at the time, we immediately severed connectivity with Change’s data centers to eliminate the potential for further infection,” read the testimony.


How AlphV infiltrated the insurer’s network

According to Witty’s testimony, the hackers gained remote access to the Change Healthcare Citrix portal using compromised login credentials that had no multi-factor authentication enabled. However, it is still unclear which security flaws within Citrix the hackers exploited.

Late last year, United States officials issued multiple warnings regarding security loopholes in Citrix tools. Some of these vulnerabilities were used in the breach of healthcare groups. The Wednesday hearing before the panel’s subcommittee on oversight and investigation will focus mostly on the impact of the cyberattack on providers and patients.


In the aftermath of the hack, UnitedHealth has been working with cybersecurity firms and the FBI to investigate the extent of the damage. Security experts from Microsoft, Cisco, Google, and Amazon have also worked with teams from Mandiant and Palo Alto Networks to secure Change Healthcare’s systems.

Change Healthcare paid ransom to the hackers

Witty confirmed last week that the company paid a ransom to the hackers to secure the decryption of Change Healthcare’s systems. However, the size of the ransom payment was not revealed. Since the incident, the company has been scrambling to contain the impact on healthcare payment processing across the country. Change Healthcare processes around half of all medical claims in the United States.

According to Witty’s testimony, UnitedHealth Group has provided over $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of healthcare providers as of April 26.
