UnitedHealth subsidiary Change Healthcare was hacked via a Citrix portal that did not have multi-factor authentication.
UnitedHealth CEO Andrew Witty will make this disclosure in testimony before the House Energy and Commerce Committee on May 1.
Once the Change Healthcare portal was breached, the criminals remotely accessed desktops nine days after the February 12 hack.
"On the morning of February 21, a cybercriminal calling themselves ALPHV or BlackCat deployed a ransomware attack inside Change Healthcare’s information technology environments, encrypting Change’s systems so we could not access them," said Witty in his testimony, which was posted on the committee's website.
Witty describes the cyberattack as unprecedented and causing disruption across the health care system: "From pharmacists having to manually submit claims to the rural family medicine practice struggling to make payroll – the impacts of an attack by organized criminals, no matter how temporary, (are) real."
UnitedHealth responded immediately to the attack and had contacted the FBI within hours of the ransomware being launched. At the same time, experts from Google, Microsoft, Cisco, Amazon, Mandiant, Palo Alto Networks and others were making their way to Change Healthcare's Central Command Operations Centre in Nashville. Once there, they began rebuilding the company's technology infrastructure, working around the clock.
UnitedHealth also severed all connectivity with Change Healthcare’s data centres to prevent the chance of further infection.
"While shutting down many Change environments was extremely disruptive, it was the right thing to do," states Witty. "We secured the perimeter of the attack and prevented malware from spreading beyond Change to the broader health system."
These actions appear to have worked: there has been no evidence of infection spreading beyond Change Healthcare into the wider UnitedHealth Group of companies.
At the end of the day, Witty made the decision to pay the (undisclosed) ransom: "As CEO, the decision to pay ... was one of the hardest I’ve ever had to make. I wouldn’t wish it on anyone."