‘Perhaps a third’ of Americans affected by Change Healthcare attack
The CEO of UnitedHealth has revealed that the Change Healthcare data breach could have affected approximately one-third of US citizens.
In a statement released late last month, UnitedHealth said the Change Healthcare breach affected a “substantial proportion” of people in the United States, as it found files containing protected health information (PHI) and personally identifiable information (PII) that covered a significant number of people.
Yesterday (May 1), during a hearing before a subcommittee of the United States House of Representatives, despite having pre-written testimony, UnitedHealth CEO Andrew Witty was pressed for a specific answer about how many people were affected by the breach.
After serious pressure for a definitive answer, Witty told the House Energy and Commerce Committee that he believes “maybe a third [of Americans] or somewhere on that level” were affected.
Witty added that he was hesitant to give a numerical figure or a more specific answer, as the investigation is still ongoing and the company is unsure how many people were affected by the breach.
UnitedHealth said it will still be several months before it can identify everyone affected and begin notifying them, despite the attack occurring on Feb. 21, more than two months ago.
In his pre-written testimony posted on the House Energy and Commerce Committee website ahead of the May 1 hearing, Witty said UnitedHealth had determined that threat actors gained access to Change Healthcare’s systems through the use of compromised credentials for a Citrix portal that did not have multi-factor authentication.
“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” it said.
“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within systems in more sophisticated ways and extracted data. The ransomware was deployed nine days later.”
While Witty did not specify which Citrix vulnerability the threat actors abused to gain access, several vulnerabilities were discovered last year and earlier this year, including several in Citrix NetScaler and a Bleed vulnerability that affected nearly 36 million people.
Witty also took full responsibility for paying the ransom to the threat actors, even though ALPHV pocketed the $22 million payment.
“As CEO, the decision to pay a ransom was mine,” Witty added.
“This was one of the most difficult decisions I have ever had to make. And I don’t wish it on anyone.”