Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits
The February ransomware attack on Change Healthcare disrupted provider reimbursement nationwide and resulted in data from nearly every American being posted for sale on the dark web. Now regulators have learned how hackers got access to servers in the first place—and it comes down to a lack of basic security.
Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare, told the Senate Finance Committee that stolen login credentials were used to access a server that lacked multifactor authentication (MFA).
“We were in the process of upgrading the technology that we had acquired. But within there, there was a server, which I’m incredibly frustrated to tell you, was not protected by MFA,” Witty testified. “That was the server through which the cybercriminals were able to get into Change. And then they led off a ransomware attack, if you will, which encrypted and froze large parts of the system.”
The news is striking, because MFA is standard practice for nearly all externally accessible systems, including most online retailers and email services. MFA requires a second proof of identity at login, in addition to the password: typically a one-time code from an authenticator app, a code sent by text message, or a hardware security key. A stolen or phished password on its own is then not enough to get in, which is precisely the gap Witty described.
Witty said the company is still investigating why this particular server did not have proper security. Meanwhile, he added, systems have been checked and built back “from scratch” to ensure the oversight doesn’t happen again.
During the hearing, which lasted over two hours, an apologetic Witty told senators that UnitedHealth and Change Healthcare face the threat of cyberattacks “constantly.” In this case, phished login credentials were enough for criminals to gain access, which seemed to shock Sen. Ron Wyden (D-Ore.).
“This hack could have been stopped with cybersecurity 101,” Wyden declared.
The extent of the data breach is still not clear. UnitedHealth said previously that it will take months to learn exactly how many people were affected and which records were stolen. The potential scale is large, though: Change Healthcare processes the vast majority of insurance payments in the country.
As previously reported by the Washington Post, cyberthieves had access to Change Healthcare’s systems for nine days before they made themselves known with an initial ransomware attack.
Despite Change Healthcare paying $22 million to unlock its systems, member data ended up for sale online anyway. Multiple hacker groups have demanded a ransom, each claiming responsibility for the initial breach, a reminder that paying does not guarantee stolen data will be deleted.