Change Healthcare incident caused by compromised Citrix credentials

UnitedHealth Group CEO Andrew Witty will testify before Congress on May 1 that threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal — a portal that lacked multifactor authentication (MFA), a basic tenet of cybersecurity.

The Change Healthcare case, in which Change Healthcare’s parent company UnitedHealth reportedly paid a $22 million ransom to ALPHV/BlackCat, has become the most wide-ranging cyberattack ever in the healthcare sector because Change Healthcare processes 15 billion healthcare transactions annually, affecting 1 in 3 patients. The public was first made aware of the ransomware attack on Feb. 21.

In a prepared statement Witty is set to formally deliver on May 1 to the House Energy and Commerce Committee Subcommittee on Oversight and Investigations, he said that once the threat actors gained access, they moved laterally within the systems in “sophisticated ways” and exfiltrated data. Ransomware was then deployed nine days later.

“The Change Healthcare attack demonstrates the growing need to fortify cybersecurity in health care,” said Witty in his statement. “As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Looking towards the future, Witty said UnitedHealth supports mandatory minimum security standards for the healthcare industry — developed collaboratively by the government and private sector. Witty added that these efforts must include funding and training for institutions that need help in making that transition, such as hospitals in rural communities.

In a response to an SC Media inquiry, a Citrix spokesperson said the company was aware of the UnitedHealth incident, and stressed that Witty did not say access was gained through a flaw in its portal, but rather through compromised credentials.

"A flaw or vulnerability is very different than compromised credentials and no MFA," the spokesperson said.

[EDITOR'S NOTE: A reference in a previous version of this article citing undisclosed and unconfirmed research that implicated a technology firm as an attack vector for the Change Healthcare incident has been removed. SC Media strives for accuracy and reporting transparency and regrets when it falls short of that goal. 5/13/2024]