UnitedHealth data breach leaked info on over 100 million people

By Umar Shakir

Insurance company UnitedHealth Group is confirming a ransomware attack earlier this year affected the private data of over 100 million people. The number was published in the US Department of Health and Human Services Office of Civil Rights (OCR) Breach Report on Thursday, making it the largest healthcare data breach on the list.

Hacker group Blackcat, also known as ALPHV, claimed responsibility for the February attack on Change Healthcare that caused widespread disruptions for healthcare providers processing bills, claims, payroll, and prescriptions for weeks.

As reported by Bleeping Computer, UnitedHealth CEO Andrew Witty's written testimony (PDF) to a House committee said the threat actors got in by using stolen credentials for a Citrix remote access service that lacked multifactor authentication.

On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.

UnitedHealth paid the group a $22 million ransom. However, another operation threatened to continue leaking the data and may have secured a second ransom payment.
