Change Healthcare lacked safeguards even as it gave security advice

Gopal Ratnam, CQ-Roll Call

Published in News & Features

WASHINGTON — In the months surrounding UnitedHealth Group Inc.’s $13 billion purchase of software company Change Healthcare Inc. in 2022, experts at Change published articles and policy papers extolling the need for cybersecurity measures in the health care industry.

While it dished out that advice, one of Change’s web portals used to provide remote access was not equipped with one of the most basic cybersecurity features it extolled: multi-factor authentication.

Change Healthcare “unfortunately and frustratingly” lacked such protection despite it being a company-wide requirement at UnitedHealth Group, UnitedHealth CEO Andrew Witty testified before the Senate Finance Committee last week.

Witty’s testimony has shed light on how even savvy businesses can fall prey to lax security processes if personnel lack the discipline to enforce such guidance.

The flaw allowed criminals to use “compromised credentials to remotely access a Change Healthcare Citrix portal,” and once they gained access, “they moved laterally within the systems in more sophisticated ways and exfiltrated data,” Witty told lawmakers at two hearings last week. “Ransomware was deployed nine days later.”

The attack on Change was carried out by a group called BlackCat/ALPHV in February, Witty said. The group is well known to law enforcement agencies, and security experts have identified it as primarily “Russian speaking” although members may also be in other nations.

Change operates the largest clearinghouse for payments to health care providers, processing billions of dollars of claims annually. The attack crippled the payments pipeline to doctors and hospitals, forcing the company to provide funding assistance.

Witty told lawmakers that to restore functions disrupted by the attackers, he authorized the payment of $22 million in ransom demanded by the attackers.

Sen. Ron Wyden, D-Ore., chair of the Senate Finance Committee, told Witty that “I think your company, on your watch, let the country down. … This hack could have been stopped with cybersecurity 101.”

That seemed obvious to the company’s own personnel.

©2024 CQ-Roll Call, Inc., All Rights Reserved. Visit cqrollcall.com. Distributed by Tribune Content Agency, LLC.
