
UnitedHealth CEO: 'Decision to pay ransom was mine'

Congress to hear how Citrix MFA snafu led to massive data theft, $870M+ loss


Updated UnitedHealth CEO Andrew Witty will tell US lawmakers Wednesday the cybercriminals who hit Change Healthcare with ransomware used stolen credentials to remotely access a Citrix portal that didn't have multi-factor authentication enabled.

Once they were in through that remote-access portal, the miscreants were able to move laterally through the network, steal people's sensitive data, and deploy extortionware.

As well as that admission, Witty is also expected to confirm making a payment to the extortionists, presumably to prevent a wider leak of that info, which reportedly cost the healthcare giant $22 million.

"As chief executive officer, the decision to pay a ransom was mine," as Witty put it in written testimony [PDF] he will deliver to the House Energy and Commerce Committee on May 1. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."

The House committee, which is probing the Change Healthcare cyberattack this week, called Witty to explain himself. The US Senate Finance Committee is holding a hearing Wednesday along the same lines, and Witty will testify at both inquiries.

Plus, three US Senators on Monday sent a letter [PDF] to the US government's Cybersecurity and Infrastructure Security Agency (CISA) asking the infosec body to provide details about how it's helping Change Healthcare recover from the February IT breach, as well as the larger risk from ransomware.

Crims spent nine days snooping around

On February 12, ALPHV ransomware affiliates gained access to the healthcare org's IT systems using "compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops," according to Witty's upcoming testimony.

"The portal did not have multi-factor authentication," Witty will testify during the House committee hearing. "Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."

The ALPHV affiliates activated their malware on February 21, "encrypting Change's systems so we could not access them," according to the written testimony.
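The chain the testimony describes, stolen credentials, a remote-access portal with no MFA, then days of lateral movement before encryption, is one a SOC can look for in its own telemetry. The following Python is an added illustration by the editor, not code from The Register, UnitedHealth or Citrix: it runs over a handful of constructed log events (the field names, usernames, IPs and hostnames are invented for the example) and flags successful portal logins that completed without an MFA factor, then correlates each with the distinct internal hosts the same account logged onto in the following nine days.

```python
"""Flag remote-access portal logins that completed without MFA and correlate
them with follow-on internal logons (a rough lateral-movement signal).

Editor's added example. The event schema, users, IPs and hostnames below are
constructed for illustration; they are not real Change Healthcare or Citrix
telemetry, and real gateways will need a field mapping onto this shape.
"""
from datetime import datetime, timedelta

# Constructed sample events (UTC ISO timestamps).
#   'portal'     : a login attempt at the remote-access gateway
#   'host_logon' : a subsequent interactive/network logon on an internal host
SAMPLE_EVENTS = [
    {"ts": "2024-02-12T03:14:00", "type": "portal", "user": "jdoe",
     "src_ip": "203.0.113.7", "mfa": False, "result": "success"},
    {"ts": "2024-02-12T08:02:00", "type": "portal", "user": "asmith",
     "src_ip": "198.51.100.4", "mfa": True, "result": "success"},
    {"ts": "2024-02-12T09:30:00", "type": "portal", "user": "bob",
     "src_ip": "203.0.113.9", "mfa": False, "result": "failure"},
    {"ts": "2024-02-13T01:10:00", "type": "host_logon", "user": "jdoe", "host": "app01"},
    {"ts": "2024-02-14T02:45:00", "type": "host_logon", "user": "jdoe", "host": "db02"},
    {"ts": "2024-02-15T04:00:00", "type": "host_logon", "user": "jdoe", "host": "fs03"},
    {"ts": "2024-02-12T09:00:00", "type": "host_logon", "user": "asmith", "host": "app01"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def no_mfa_portal_logins(events):
    """Successful portal logins with no MFA factor recorded.

    This is the control gap the testimony describes: a valid password alone
    was enough to reach the remote-desktop portal. Failed attempts are
    ignored here; they belong in a separate brute-force/credential-stuffing
    rule.
    """
    return [e for e in events
            if e["type"] == "portal" and e["result"] == "success" and not e["mfa"]]


def lateral_movement_after(events, gap_logins, window_days=9, min_hosts=3):
    """For each no-MFA portal login, count the distinct internal hosts the same
    account logged onto within `window_days` of that login.

    Returns {user: sorted list of hosts} for accounts that reached at least
    `min_hosts` hosts. The nine-day default mirrors the dwell time in the
    testimony; tune min_hosts to the account's normal footprint.
    """
    hits = {}
    for login in gap_logins:
        start = parse_ts(login["ts"])
        end = start + timedelta(days=window_days)
        hosts = {e["host"] for e in events
                 if e["type"] == "host_logon"
                 and e["user"] == login["user"]
                 and start <= parse_ts(e["ts"]) <= end}
        if len(hosts) >= min_hosts:
            hits[login["user"]] = sorted(hosts)
    return hits


if __name__ == "__main__":
    gaps = no_mfa_portal_logins(SAMPLE_EVENTS)
    for g in gaps:
        print(f"no-MFA portal login: user={g['user']} src={g['src_ip']} at {g['ts']}")
    for user, hosts in lateral_movement_after(SAMPLE_EVENTS, gaps).items():
        print(f"follow-on logons by {user}: {', '.join(hosts)}")
```

The first function is the audit finding on its own: any successful portal login with `mfa=False` means the enforcement is missing, regardless of what happens afterwards. The second is the hunt query to run once that gap is known, since the testimony's account of nine days between initial access and encryption is exactly the window in which such correlation can still turn an intrusion into a contained incident.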

And that's when hospitals and pharmacies across the US that use Change's insurance and billing services ground to a screeching halt, preventing patients from receiving much-needed medications and medical services under their health plans.

It took weeks for UnitedHealth, which owns Change Healthcare and Optum, to begin bringing electronic prescriptions back online in early March. 

The healthcare giant has said the ransomware infection has cost it $870 million so far, and that figure could hit $1.6 billion for the year.

More ransomware crews pile on

Upon discovering the ransomware infection, UnitedHealth "immediately severed connectivity with Change's datacenters" to prevent the malware from spreading, the testimony tells us. But by then, the crooks had already stolen a ton of protected health data and personally identifiable information covering "a substantial proportion of people in America."

In addition to the ALPHV affiliate, another criminal crew, RansomHub, later released alleged personal patient data from the break-in and also demanded a ransom.

And just last week, a third ransomware group — Medusa — claimed to have cracked servers belonging to healthcare services network Northeast Ohio Neighborhood Health, and stolen almost 51GB of data.

According to SuspectFile, which first reported this intrusion, many of the stolen records belong to patients associated with health insurance contracts at UnitedHealth.

UnitedHealth contacted the FBI "within hours" of the ransomware attack, according to Witty, and by the afternoon of February 21 it had a whole team of heavy-hitters working to secure the perimeter and rebuild Change's IT systems. This included incident responders from Mandiant and Palo Alto Networks, along with experts from Google, Microsoft, Cisco, Amazon, and others.

"The team replaced thousands of laptops, rotated credentials, rebuilt Change Healthcare's data center network and core services, and added new server capacity," Witty's testimony reads. "The team delivered a new technology environment in just weeks — an undertaking that would have taken many months under normal circumstances." 

Also according to Witty, this ransomware attack wasn't an isolated event. UnitedHealth wards off attempted digital break-ins every 70 seconds, "thwarting more than 450,000 intrusions per year," he claimed. It really does depend on how you measure an intrusion, attempt or otherwise.

In light of these escalating attacks targeting hospitals and other critical infrastructure, Witty says he supports policy changes to mandate better cybersecurity practices among healthcare organizations.

"We support mandatory minimum security standards — developed collaboratively by the government and private sector — for the health-care industry," his testimony reads. "Importantly, these efforts must include funding and training for institutions that need help in making that transition, such as hospitals in rural communities."

UnitedHealth also supports other efforts to improve US cybersecurity including "greater notification to law enforcement and standardized and nationalized cybersecurity event reporting," Witty will tell lawmakers on Wednesday. ®

Updated to add on May 1

CEO Andrew Witty confirmed to senators today that UnitedHealth did indeed pay $22 million to the extortionists. Also, the biz has enabled multi-factor authentication, and past and present US military personnel likely had their info swiped during the intrusion, Congress heard.
