4/30/24: Update added below about Change Healthcare Citrix credentials previously stolen by information-stealing malware.

UnitedHealth has confirmed that Change Healthcare’s network was breached by the BlackCat ransomware gang. The attackers used stolen credentials to log into the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

UnitedHealth CEO Andrew Witty shared this information in written testimony published ahead of a House Energy and Commerce subcommittee hearing scheduled for tomorrow.

The ransomware attack on Change Healthcare occurred in late February 2024, leading to severe operational disruptions on Optum’s Change Healthcare platform.

This impacted a wide range of critical services used by healthcare providers across the U.S., including payment processing, prescription writing, and insurance claims, and caused financial damages estimated at $872 million.

Previously, the BlackCat ransomware gang claimed they had received a $22 million ransom payment from UnitedHealth. However, the payment was stolen from the affiliate who conducted the attack in an exit scam. Shortly after, the affiliate claimed to still have the data and partnered with RansomHub to initiate an additional extortion demand by leaking stolen data.

The healthcare organization recently admitted that it paid a ransom to protect people’s data post-compromise, but no details about the attack or who carried it out were officially disclosed.

RansomHub has since removed the Change Healthcare entry from its site, indicating that an additional ransom was paid.

An easy break-in

In testimony by Andrew Witty, the CEO confirmed that the attack occurred on the morning of February 21 when the threat actors began encrypting systems and rendering them inaccessible to the organization’s employees.

For the first time, the company also officially confirmed that the ALPHV/BlackCat ransomware operation was behind the attack.

While the actual public-facing attack occurred on February 21, Witty revealed that the attacker had access to the company’s network for approximately ten days before deploying their encryptors. During this time, the threat actors spread through the network and stole corporate and patient data that would be used in their extortion attempts.

The investigations, which are still ongoing, revealed that the attackers first gained access to Change Healthcare’s Citrix portal on February 12, 2024, using stolen employee credentials. It is unknown whether those credentials were initially stolen via a phishing attack or information-stealing malware.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” explained Witty.

“The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

The CEO also shared a personal moment, stating that the choice to pay a ransom was entirely his and one of the hardest decisions he had to make.

“As chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty wrote in his testimony.

Remediation efforts

Witty further outlined UnitedHealth’s immediate actions to secure their systems following the attack, characterizing them as “swift and forceful.” He noted that the threat was successfully contained by taking everything down despite knowing the impact this would have on people.

Following the attack, the organization’s IT team replaced thousands of laptops, rotated credentials, and completely rebuilt Change Healthcare’s data center network and core services in just a few weeks. Witty states such a task would usually have taken several months.

Although data samples that leaked online contained protected health information (PHI) and personally identifiable information (PII), Witty notes that, so far, they have seen no evidence of exfiltration of materials such as doctors’ charts or complete medical histories.

Concerning the status of the impacted services, pharmacy networks operate at a fraction of a percent below normal, medical claims flow nearly at normal levels, and payment processing at approximately 86% of pre-incident levels.

Update 4/30/24: After publishing our story, Hudson Rock CTO Alon Gal told us that on February 8, the company’s threat intelligence platform detected a Change Healthcare employee’s Citrix credentials stolen through information-stealing malware.

The stolen credentials are associated with the URL remoteapps[.]changehealthcare[.]com/vpn/index.htm, and while that site is no longer accessible, we have confirmed it to be the URL for Change Healthcare’s Citrix Gateway login page.

It is unknown if these are the credentials used to gain access to Change Healthcare’s networks and conduct the ransomware attack.

Uh-oh, another data breach! This time, it’s the Financial Business and Consumer Solutions (FBCS), a nationally licensed debt collection agency in the U.S., that’s grabbing headlines. They’ve recently warned nearly 2 million impacted individuals that their systems were compromised, and unauthorized access was detected.

What happened at FBCS?

FBCS specializes in collecting unpaid debts from various sectors, including consumer credit, healthcare, commercial, auto loans and leases, student loans, and utilities. In late February 2024, they discovered that unauthorized actors had breached their network and had access to sensitive data since February 14, 2024. The intrusion lasted for nearly two weeks before being detected.

What data was exposed?

During the breach, the unauthorized actor had the ability to view or acquire certain information on the FBCS network. The exposed data includes:

• Full name
• Social Security Number (SSN)
• Date of birth
• Account information
• Driver’s license number or ID card

This is some pretty sensitive stuff! With access to this information, individuals are at a higher risk of falling victim to phishing, fraud, and social engineering attacks. That’s why FBCS is providing those affected with instructions to enroll in 12 months of credit monitoring through Cyex, hoping to prevent any further damage.

What’s being done to prevent this from happening again?

As an IT Services company, we understand that such incidents can have severe consequences for the victims. FBCS has taken steps to implement additional security measures in a newly built environment to prevent similar incidents from occurring in the future.

What can you do if you’re affected?

If you’re one of the unlucky recipients of the data breach notifications, it’s crucial to remain vigilant against unsolicited communications and monitor your account statements and credit reports for suspicious activity. At the time of writing, no ransomware groups have claimed responsibility for the attack at FBCS, but it’s always better to stay cautious.

Stay informed and stay protected

As cybersecurity experts, we know that staying informed is the best defense against cyber threats. That’s why we encourage you to keep coming back to learn more about the ever-evolving world of cybersecurity. Together, we can make the digital world a safer place for everyone.

Imagine going to the doctor, only to find out that your private information has been leaked to third-party companies. That’s exactly what happened to millions of people in the United States when healthcare service provider Kaiser Permanente disclosed a data security incident.

Kaiser Permanente is a huge name in the world of healthcare, operating as an integrated managed care consortium and one of the largest nonprofit health plans in the U.S. With 40 hospitals and 618 medical facilities across the nation, it’s a big deal when they report a security breach.

So, just how many people were affected by this breach? Approximately 13.4 million current and former members and patients had their information leaked to third-party trackers installed on Kaiser’s websites and mobile applications.

What Information Was Leaked?

According to Kaiser Permanente, the leaked data may include IP addresses, names, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, details showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.

Now, you might be thinking, “That doesn’t sound too bad.” But here’s the thing: information collected by online trackers is often shared with an extensive network of marketers, advertisers, and data brokers. So, your private health information could be in the hands of people you never intended to share it with.

Thankfully, the data exposed in this incident does not include usernames, passwords, Social Security Numbers (SSNs), financial account information, or credit card numbers.

What Is Kaiser Permanente Doing About It?

After discovering the trackers through a voluntary internal investigation, Kaiser Permanente removed them and implemented additional measures to prevent similar incidents from happening in the future.

While they are not aware of any cases of the exposed information being misused, they will notify individuals who accessed their sites and used their mobile apps out of an abundance of caution.

This isn’t the first time Kaiser Permanente has dealt with a data breach. In June 2022, they disclosed a breach that exposed the health information of 69,000 people, caused by unauthorized access to an employee’s email account.

What Can You Do to Protect Yourself?

Data breaches are becoming more and more common, and it’s essential to stay informed and proactive in protecting your personal information. If you’re concerned about your data privacy, consider reaching out to us at IT Services. We’re here to help you navigate the ever-changing landscape of cybersecurity and ensure your private information stays private.

Don’t wait until it’s too late. Contact us today and let us help you safeguard your digital life.