UnitedHealth CEO Testifies About Ransomware Attack and Financial Impact

ICARO Media Group
30/04/2024 23h42

In testimony to US lawmakers on May 1, UnitedHealth CEO Andrew Witty revealed new details about the ransomware attack on Change Healthcare and its financial ramifications. Witty told the House Energy and Commerce Committee that cybercriminals used stolen credentials to remotely access a Citrix portal that lacked multi-factor authentication, and from there gained access to Change Healthcare's systems.

Once inside the management system, the attackers were able to move throughout the network, stealing sensitive data and deploying extortionware. Witty acknowledged the challenging decision he made as CEO to pay a ransom to the criminals, in an effort to prevent further leaks of information. The payment reportedly cost the healthcare giant $22 million.

Witty's testimony came as the House committee and the US Senate Finance Committee launched inquiries into the Change Healthcare cyberattack. Additionally, three US Senators wrote a letter to the Cybersecurity and Infrastructure Security Agency (CISA), seeking details on how the agency is aiding Change Healthcare's recovery from the breach and tackling the broader ransomware risk.

According to Witty's testimony, on February 12, ransomware affiliates known as ALPHV gained access to Change Healthcare's IT systems using compromised credentials for a Citrix portal. The lack of multi-factor authentication on the portal made it easier for the threat actors to infiltrate the system. Nine days later, on February 21, the ransomware was deployed, causing significant disruption to hospitals and pharmacies across the US that utilized Change Healthcare's services for insurance and billing.

UnitedHealth promptly severed connectivity with Change Healthcare's data centers upon discovering the ransomware infection in an attempt to prevent further spread. However, the criminals had already managed to steal a substantial amount of protected health data and personally identifiable information, affecting a considerable number of individuals in America.

In addition to the ALPHV affiliate, another criminal group known as RansomHub released alleged personal patient data from the breach and demanded a ransom. More recently, a third ransomware group called Medusa claimed to have breached servers belonging to healthcare services network Northeast Ohio Neighborhood Health and stolen approximately 51GB of data, much of which belonged to patients with health insurance contracts at UnitedHealth.

Witty emphasized that UnitedHealth promptly contacted the FBI upon discovering the attack and assembled a team of experts, including incident responders from Mandiant and Palo Alto Networks, as well as professionals from Google, Microsoft, Cisco, Amazon, and others. The team worked diligently to secure the perimeter and rebuild Change Healthcare's IT systems, successfully delivering a new technology environment within weeks.

The financial impact of the ransomware attack on UnitedHealth has been significant. The healthcare giant has estimated costs of $870 million so far, with projections indicating that the figure could reach $1.6 billion for the year.

Witty's testimony sheds light on the severity of the cyberattack and the ongoing challenge of ransomware in the healthcare industry. The lawmakers' hearings and the involvement of government agencies demonstrate the urgency of addressing cybersecurity vulnerabilities and strengthening measures to prevent future attacks.

The views expressed in this article do not reflect the opinion of ICARO, or any of its affiliates.
