HACKING CAUSES US MEDICAL FACILITY FAILURE

In February, a high-profile cyber attack on Change Healthcare caused serious disruptions in the operations of US medical facilities. It has now been revealed how the hackers gained access to the systems.

According to UnitedHealth Group CEO Andrew Witty, the attack was caused by a vulnerability in Citrix software known as Citrix Bleed (CVE-2023-4966, CVSS rating: 7.5). Details about this vulnerability emerged during preparations for a hearing in the subcommittee on supervision and investigations scheduled for May 1.

The attack on February 12 paralyzed the accounting and payment systems of UnitedHealth Group, impacting hospitals, insurance companies, and pharmacies and halting their operations for nearly a month. The ALPHV/BlackCat group claimed responsibility for the attack, but has since ceased activities following an FBI operation.

Following the attack, another group, LockBit, has actively exploited a similar vulnerability since July 2023. Although Citrix released an update in October to address the vulnerability, by then several companies, including Boeing and ICBC, had already fallen victim to cyber attacks.

The Director of UnitedHealth Group revealed that data for remote access to the Change Healthcare portal was compromised as a result of the attack. Immediate action was taken to disconnect from data processing centers to prevent further spread of the virus.

Witty highlighted that the company experienced over 450,000 hacking attempts in the past year. During the Congressional hearing, he plans to discuss the company’s efforts in combating cyber threats, which include collaboration with the FBI and top cybersecurity firms.

As a result of the attack, UHG paid over $6.8 billion in advance payments and interest-free loans to affected medical institutions. Change Healthcare processes records for every third patient in the US, handling approximately 15 billion transactions annually.

The cyber attack prompted an investigation by the US Department of Health into possible violations of medical data protection regulations, potentially resulting in fines or legal action against UnitedHealth Group.

Change Healthcare continues to face repercussions from the incident. The situation is compounded by the fact that the ALPHV extortionists disappeared shortly after receiving the ransom. Reportedly, the accomplices of the attacking group did not receive their share of the ransom, leading them to collaborate with the RansomHub group to blackmail Change Healthcare using the compromised data.
