The chief executive of UnitedHealth has revealed that the Change Healthcare data breach could have affected roughly one-third of US citizens.
In a statement released late last month, UnitedHealth said the Change Healthcare breach affected a “substantial proportion” of people in America, having found files containing both protected health information (PHI) and personally identifiable information (PII) covering a significant number of people.
Yesterday (1 May), during a hearing in front of a US House subcommittee, UnitedHealth CEO Andrew Witty was grilled, despite having pre-written testimony, for a specific answer on how many people were affected by the breach.
After a serious push for a definitive answer, Witty told the House Energy and Commerce Committee that he believes “maybe a third [of Americans] or somewhere of that level” were affected.
Witty added that he was hesitant to give a figure or a more specific answer as the investigation is still ongoing and the company is unsure how many people were affected by the breach.
UnitedHealth said it will still be several months before it is able to identify all those affected and begin notifying them, despite the attack occurring on 21 February, over two months ago.
In his pre-written testimony published on the House Energy and Commerce Committee website prior to the 1 May hearing, Witty said UnitedHealth had determined that the threat actors gained access to Change Healthcare’s systems through the use of compromised credentials for a Citrix portal that had no multifactor authentication.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” he said.
“The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”
While Witty did not specify which Citrix vulnerability was abused by the threat actors to gain access, a number of vulnerabilities were discovered last year and early this year, including several in Citrix NetScaler and a Bleed vulnerability that affected almost 36 million people.
Witty also took full responsibility for the payment of ransom to the threat actors, despite the fact that the US$22 million payment was pocketed by ALPHV.
“As chief executive officer, the decision to pay a ransom was mine,” Witty added.
“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”