Citrix Portal With No Multi-Factor Authentication Led To UnitedHealth Cyber Attack

Giulio Saggin
Tuesday 30 April 2024

UnitedHealth subsidiary Change Healthcare was hacked via a Citrix portal that did not have multi-factor authentication.

UnitedHealth CEO Andrew Witty will make this revelation in testimony before the House Energy and Commerce Committee on May 1.

Once the Change Healthcare portal was breached on February 12, the criminals remotely accessed desktops; the ransomware followed nine days later.

"On the morning of February 21, a cybercriminal calling themselves ALPHV or BlackCat deployed a ransomware attack inside Change Healthcare’s information technology environments, encrypting Change’s systems so we could not access them," said Witty in his testimony, which was posted on the committee's website.

Witty describes the cyberattack as unprecedented and causing disruption across the health care system: "From pharmacists having to manually submit claims to the rural family medicine practice struggling to make payroll – the impacts of an attack by organized criminals, no matter how temporary, (are) real."

UnitedHealth responded immediately to the attack and, within hours of the ransomware being launched, had contacted the FBI. At the same time, experts from Google, Microsoft, Cisco, Amazon, Mandiant, Palo Alto Networks and others were making their way to Change Healthcare's Central Command Operations Centre in Nashville. Once there, they began the process of rebuilding the company's technology infrastructure, working around the clock.

UnitedHealth also severed all connectivity with Change Healthcare’s data centres to prevent the chance of further infection.

"While shutting down many Change environments was extremely disruptive, it was the right thing to do," states Witty. "We secured the perimeter of the attack and prevented malware from spreading beyond Change to the broader health system."

These actions appear to have worked, and there has been no evidence of infection spreading beyond Change Healthcare into the wider UnitedHealth Group of companies.

At the end of the day, Witty made the decision to pay the (undisclosed) ransom: "As CEO, the decision to pay ... was one of the hardest I’ve ever had to make. I wouldn’t wish it on anyone."
