Remote Access Vulnerability Caused Change Healthcare Ransomware Attack
May 6, 2024
CSO’s John Leyden reports that the probable cause of the Change Healthcare ransomware attack was inadequate authentication on an application that allows staff to remotely access systems, contrary to cybersecurity best practices. Change Healthcare is a subsidiary of UnitedHealth Group and the largest clearing house for medical claims in the U.S.
The ransomware attack, which took place on or about February 12, has been blamed on the BlackCat/ALPHV ransomware group. The hackers lingered on the systems for more than a week before stealing data and launching the attack. In an update published on April 22, UnitedHealth Group admitted that protected health information and personally identifiable information were stolen.
According to solid evidence from transactions on the blockchain and chats in dark web forums, UnitedHealth paid a $22m ransom to restore access to the affected systems.
A cybersecurity expert quoted in the article called the scenario of a poorly secured remote access system as the source of the vulnerability “more than plausible.” He said the hackers probably left some traces that went unnoticed by the UnitedHealth IT security team, which extended the breach exposure time.
A second expert said it was also plausible that multi-factor authentication (MFA) not being enabled played a role in the hackers being able to remotely access the systems at Change Healthcare. “Every organization needs to cultivate a robust cybersecurity environment, and that starts with a basic zero-trust strategy at its core,” he said. “Deploying MFA is non-negotiable. It’s the front line in ensuring that users are who they claim to be.”
There were calls to mandate baseline security standards for the healthcare sector at a Congressional hearing in April. Some elected officials and health industry security personnel are concerned that consolidation in healthcare is making the sector more vulnerable to breaches. Andrew Witty, the CEO of UnitedHealth Group, is due to testify about the breach in a Congressional hearing on May 1.