Breached Change Healthcare server lacked multifactor authentication, UnitedHealth CEO admits

The February ransomware attack on Change Healthcare disrupted provider reimbursement nationwide and resulted in data from nearly every American being posted for sale on the dark web. Now regulators have learned how hackers got access to servers in the first place—and it comes down to a lack of basic security. 

Andrew Witty, CEO, UnitedHealth Group—the parent company of Change Healthcare—told the Senate Finance Committee that stolen login credentials were used to access a server that lacked multifactor authentication (MFA).

“We were in the process of upgrading the technology that we had acquired. But within there, there was a server, which I’m incredibly frustrated to tell you, was not protected by MFA,” Witty testified. “That was the server through which the cybercriminals were able to get into Change. And then they led off a ransomware attack, if you will, which encrypted and froze large parts of the system.”

The news is rather shocking, as MFA is a standard for nearly all externally accessible systems, including most online retailers and email services. After someone logs into an account, MFA provides a confirmation of the login through a code sent via  phone number or an app. 

Witty said the company is still investigating why this particular server did not have proper security. Meanwhile, he added, systems have been checked and built back “from scratch” to ensure the oversight doesn’t happen again. 

The hearing lasted over two hours, where an apologetic Witty told Senators UnitedHealth and Change Healthcare face threat of cyberattacks “constantly.” In this case, phishing login credentials was enough for criminals to gain access, which seemed to shock Sen. Ron Wyden (D-Ore.)

“This hack could have been stopped with cybersecurity 101,” Wyden declared. 

The extent of the data breach is still not clear. UnitedHealth said previously it will take months to learn exactly how many people were impacted and what records were stolen. However, Change Healthcare is responsible for processing the vast majority of insurance payments in the country. 

As previously reported by the Washington Post, cyberthieves had access to Change Healthcare’s systems for nine days before they made themselves known with an initial ransomware attack.

Despite Change Healthcare paying $22 million to unlock its systems, data from members ended up for sale online anyway, as multiple hacker groups have demanded a ransom, each claiming responsibility for the initial breach.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.

Around the web

When drugs are on the FDA’s shortage list, outsourcing facilities can produce their own compounded versions. When the FDA removed tirzepatide from that list with no warning, it created a considerable amount of chaos both behind the scenes and in pharmacies all over the country. 

If passed, this bill would help clinician-led clinical registries explore Medicare data for research purposes. The Society of Thoracic Surgeons and American College of Cardiology both shared public support for the bipartisan legislation. 

Cardiologists and other physicians may soon need to provide much more information when ordering remote patient monitoring for Medicare patients.

Trimed Popup
Trimed Popup