UnitedHealth CEO: Hackers used stolen credentials to access Change systems

The ransomware group responsible for the Feb. 21 cyberattack on UnitedHealthcare subsidiary Change Healthcare used stolen credentials to remotely access the company's systems, according to testimony from UnitedHealth CEO Andrew Witty. 

Mr. Witty submitted the written testimony prior to a House subcommittee hearing on May 1 regarding the Change ransomware attack. In his testimony, Mr. Witty said hacking group ALPHV, also known as BlackCat, "used compromised credentials to remotely access a Change Healthcare Citrix portal." This occurred Feb. 12, according to Mr. Witty. 

"The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data," Mr. Witty wrote. "Ransomware was deployed nine days later."

Mr. Witty also said it was his call to pay the ransom to the hackers. 

"As chief executive officer, the decision to pay a ransom was mine," he wrote. "This was one of the hardest decisions I've ever had to make. And I wouldn't wish it on anyone."

Mr. Witty said the organization is still working to understand the full "scope of impacted patient, provider and payer information" and that the process will take months. 

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

