UnitedHealth's 'egregious negligence' led to Change Healthcare ransomware infection

Interview The cybersecurity practices that led up to the stunning Change Healthcare ransomware infection indicate "egregious negligence" on the part of parent company UnitedHealth, according to Tom Kellermann, SVP of cyber strategy at Contrast Security.

During the attack, ALPHV aka BlackCat criminals made it into the medical corporation's IT systems, stole a ton of protected health data, and then brought hospitals and pharmacies' prescription and billing services to a standstill, preventing patients from receiving medications and treatment as expected.

Kellermann spoke to The Register about the snafu after UnitedHealth CEO Andrew Witty testified to US lawmakers about how ALPHV's affiliates used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled. You can replay our chat below.

"I'm blown away by the fact that they weren't using multi-factor authentication," Kellermann told The Register. "I'm blown away that the networks weren't segmented. And I'm blown away that they didn't conduct threat hunting robustly into that environment knowing that they had been compromised. I think it's egregious negligence, frankly."

UnitedHealth paid a ransom as Witty confirmed in his testimony. This cost the healthcare giant $22 million – and then more ransomware fiends reportedly started leaking sensitive data and extorting UnitedHealth for even more money.

Paying the ransom demand "was a massive mistake," according to Kellermann, who added that the US government should ban ransom payments altogether.

He likened paying extortion demands to "sanctions evasion." In addition to funding criminal activities, it also doesn't guarantee that stolen data won't be leaked, which UnitedHealth found out the hard way.

"CEOs should realize that, if you pay, they're going to come back for more as evidenced here," Kellermann said. ®