PYMNTS Intelligence Banner June 2024

UnitedHealth Group CEO Said Hackers Struck Via Citrix Portal

UnitedHealth Group CEO Andrew Witty will testify Wednesday (May 1) that hackers broke into its Change Healthcare unit’s systems through the Citrix portal.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in testimony posted on the website of the House Energy & Commerce Committee.

“The portal did not have multi-factor authentication,” Witty said in the testimony. “Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

Citrix did not immediately reply to PYMNTS’ request for comment.

It’s not clear which vulnerability was used by the hackers to access the Change Healthcare systems, but U.S. officials issued warnings about security loopholes in Citrix tools last year, Reuters reported Monday.

UnitedHealth Group has been working with the FBI and cybersecurity firms to investigate the hack, and worked with security experts from Google, Microsoft, Cisco and Amazon and teams from Mandiant and Palo Alto Networks to secure the systems after the breach, according to the report. 

“We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever,” Witty said in the posted testimony. “We are committed to sharing accurate answers safely, appropriately and responsibly.”

Witty will testify before two Congressional committees — one in the House and one in the Senate — on Wednesday to address the cyberattack.

The cyberattack was one of the costliest ever and could reduce UnitedHealth Group’s profit by $1.6 billion this year.

When announcing the upcoming House hearing, House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-Va.) said in an April 19 press release that they “look forward to learning more on what happened in the lead up to, and in the weeks following, the attack.”

The federal government is offering a $10 million reward to help identify the people behind the hacker group known as ALPHV BlackCat that attacked Change Healthcare and other targeted systems.