Connect with us

Hi, what are you looking for?


Incident Response

UnitedHealth CEO Says Hackers Lurked in Network for Nine Days Before Ransomware Strike

UnitedHealth Group’s CEO Andrew Witty shares details on the damaging cyberattack in testimony before a US Congress committee set for May 1, 2024.


The Alphv/BlackCat hackers lurked in Change Healthcare’s environment for nine days before deploying file-encrypting ransomware, the healthcare payment processor’s parent company UnitedHealth Group said.

The attack that crippled the US healthcare system for weeks was carried out using leaked credentials for a Citrix portal that was not properly secured, UnitedHealth Group’s CEO Andrew Witty is set to testify before a US Congress committee on May 1.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication,” reads Witty’s testimony (PDF), available on the House Committee on Energy and Commerce website.

“Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later,” the testimony continues.

According to Witty, a ransom was indeed paid, in an effort to “protect peoples’ personal health information”. However, after BlackCat pulled an exit scam, the hackers extorted UnitedHealth Group a second time, and it remains to be seen whether the healthcare giant paid out both times.

Witty’s testimony confirms once again that both personally identifiable information (PII) and protected health information (PHI) was compromised in the attack. The full extent of the data breach has yet to be determined, but the stolen information “could cover a substantial proportion of people in America”.

“Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals, partly because the files containing that data were compromised in the cyberattack,” the testimony reads.

Upon discovering the attack on February 21, the healthcare giant disconnected Change Healthcare’s systems from the internet, severely impacting numerous services that thousands of pharmacies and hospitals across the US rely upon.

Advertisement. Scroll to continue reading.

The restoration operation began almost immediately and involved “safely and securely rebuilding Change Healthcare’s technology infrastructure from the ground up”, including replacing thousands of laptops, rotating credentials, rebuilding the data center network and core services, and expanding server capacity.

Prioritizing pharmacy, provider payments, and claims services, UnitedHealth Group continues “to make substantial progress in restoring” the affected systems.

As of April 26, the organization advanced more than $6.5 billion in advanced funding to thousands of providers. Last week, UnitedHealth Group disclosed costs of $872 million related to the ransomware attack, cautioning that they could grow to $1.6 billion by the end of the year.

Related: US Offering $10 Million Reward for Information on Change Healthcare Hackers

Related: 180k Impacted by Data Breach at Michigan Healthcare Organization

Related:530k Impacted by Data Breach at Wisconsin Healthcare Organization

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights