In the months surrounding UnitedHealth Group Inc.’s $13 billion purchase of software company Change Healthcare Inc. in 2022, experts at Change published articles and policy papers extolling the need for cybersecurity measures in the health care industry.
While it dished out that advice, one of Change’s web portals used to provide remote access was not equipped with one of the most basic cybersecurity features it extolled: multi-factor authentication.
Change Healthcare “unfortunately and frustratingly” lacked such protection despite it being a company-wide requirement at UnitedHealth Group, UnitedHealth CEO Andrew Witty testified before the Senate Finance Committee last week.
Witty’s testimony has shed light on how even savvy businesses can fall prey to lax security processes if personnel lack the discipline to enforce such guidance.
The flaw allowed criminals to use “compromised credentials to remotely access a Change Healthcare Citrix portal,” and once they gained access, “they moved laterally within the systems in more sophisticated ways and exfiltrated data,” Witty told lawmakers at two hearings last week. “Ransomware was deployed nine days later.”
The attack on Change was carried out by a group called BlackCat/ALPHV in February, Witty said. The group is well known to law enforcement agencies, and security experts have identified it as primarily “Russian speaking” although members may also be in other nations.
Change operates the largest clearinghouse for payments to health care providers, processing billions of dollars of claims annually. The attack crippled the payments pipeline to doctors and hospitals, forcing the company to provide funding assistance.
Witty told lawmakers that to restore functions disrupted by the attackers, he authorized the payment of $22 million in ransom demanded by the attackers.
Sen. Ron Wyden, D-Ore., chair of the Senate Finance Committee, told Witty that “I think your company, on your watch, let the country down. … This hack could have been stopped with cybersecurity 101.”
That seemed obvious to the company’s own personnel.
In an August 2022 article titled “Healthcare’s Most Dangerous Cybersecurity Threat,” published on the Change Healthcare website, author William Gregg Bridgeman, who’s listed as health information technology security and risk manager, warned that “Healthcare providers face a tsunami of cybersecurity threats.” It went on to list the potential damages, including millions of dollars in financial costs to the loss of personally identifiable information that could be stolen by hackers.
Another article on Change’s website from August 2021 called for establishing “a culture of health IT security” and advising that “leaders must rally around data security as a corporate value.”
And a third article from November 2023 advised radiology departments to focus on cybersecurity because it’s “particularly vulnerable to cyberattacks, especially ransomware.” It advised clients to “establish security best practices” focused on a so-called “zero-trust framework,” which requires that no user is to be trusted by default and every instance of access needs to be verified.
BlackCat bites back
Eric Hausman, a spokesman for UnitedHealth Group, did not respond to questions seeking clarifications on the published articles and why the company didn’t have basic standards despite offering advice on the matters to others.
Witty told lawmakers that Change Healthcare’s compliance with standard cybersecurity practices couldn’t be verified prior to United buying Change.
“Change Healthcare is a good example of a company that came into our organization with older technologies,” Witty told the Senate Finance Committee. Change was a “40-year-old company with many different technology generations within it.”
Although UnitedHealth Group paid $13 billion in the deal, Witty told lawmakers the cybersecurity practices at Change were “very typical of many small to medium-sized organizations in our health care environment.”
The BlackCat group had already drawn the attention of law enforcement. In December, the Justice Department announced that the FBI had taken electronic control of some of the group’s computers and several websites, helping as many as 500 victim organizations restore functions without having to pay a ransom.
Over the past 18 months, BlackCat/ALPHV has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world, the Justice Department said in the December statement. The ransomware group is known by several names, including BlackCat, ALPHV and Noberus.
Soon after the Justice Department’s action, SC Media, a group that provides information to cybersecurity professionals, reported that the BlackCat group had regained access to some of the computers seized by the FBI and had vowed to retaliate against the United States by targeting health care companies.
In late February the Cybersecurity and Infrastructure Security Agency, along with the FBI and the Department of Health and Human Services, issued a warning that BlackCat had tweaked its tactics and was using sophisticated methods to obtain credentials from inside health care companies.
SC Media reported that BlackCat attackers were posing as IT technicians and help desk staff to trick employees into giving up their credentials.
Companies across the world have switched to multi-factor authentication, which requires a second step of verification that is typically available only to authorized employees, to prevent stolen credentials from being used by attackers.
CISA warned in late February that the “healthcare sector has been the most commonly victimized,” adding that BlackCat attackers were encouraging other attackers and affiliates to go after U.S. hospitals and health care companies in retaliation for the FBI’s action last December.
The attack on Change had already unfolded on Feb. 21, and it resulted in potentially millions of health records of Americans being stolen.
Nearly 10 weeks after the attack, UnitedHealth CEO Witty told lawmakers the company has yet to identify how many individuals’ data was stolen and has yet to begin the process of notifying victims.
Witty told the Senate Finance Committee that the stolen records included protected health and personally identifiable information and that it would take several more weeks before the company is able to notify Americans of the loss, although U.S. law requires health care companies to notify the public of such a breach within 60 days.
“So as we sit here today, there are many patients who do not know their health care information has been compromised,” Sen. Catherine Cortez Masto, D-Nev., told Witty. “So they can’t put protections in place to protect themselves against identity theft.”