April 30, 2024 at 10:19AM
UnitedHealth confirmed that Change Healthcare’s network was breached by the BlackCat ransomware gang, causing severe operational disruptions and $872 million in financial damages. The company admitted to paying a ransom to protect people’s data post-compromise. CEO Andrew Witty’s testimony revealed the attack’s details and the remediation efforts taken after the breach.
According to the meeting notes, Change Healthcare’s network was compromised by the BlackCat ransomware gang. The threat actors gained access through the company’s Citrix remote access service using stolen credentials; multi-factor authentication was not enabled on that service. This led to severe operational disruptions, impacting critical healthcare services across the U.S. and causing estimated financial damages of $872 million.
The ransomware gang claimed to have received a $22 million payment from UnitedHealth, but the affiliate who conducted the attack allegedly stole the ransom payment. Subsequently, RansomHub was involved in an additional extortion attempt by leaking allegedly stolen data. Both UnitedHealth and Change Healthcare have confirmed making ransom payments to protect people’s data post-compromise.
CEO Andrew Witty disclosed that the attackers had access to Change Healthcare’s network for approximately ten days before deploying their encryptors. During this time, they stole corporate and patient data for extortion attempts. The initial access to the Citrix portal on February 12, 2024, was gained through compromised credentials, and it remains unknown how these credentials were originally stolen.
Witty also described the difficult decision to pay the ransom. Following the attack, the organization took swift and forceful remediation actions, including replacing thousands of laptops, rotating credentials, and completely rebuilding the data center network and core services in just a few weeks.
Although the breach compromised protected health information (PHI) and personally identifiable information (PII), there has been no evidence of exfiltration of doctors’ charts or complete medical histories. As for the status of impacted services, pharmacy networks are operating slightly below normal, medical claims are flowing at nearly normal levels, and payment processing is at approximately 86% of pre-incident levels.
These takeaways provide a clear picture of the ransomware attack on Change Healthcare and of UnitedHealth’s response to the breach.