Securing Healthcare Data: Lessons from UnitedHealth Group's Cyberattack and the Role of MFA and Threat Detection
UnitedHealth Group's subsidiary Change Healthcare handles more than 15 billion medical transactions every year and touches roughly a third of all U.S. patient records. After a ransomware attack in February 2024 (the ransom payment was reported at $22 million), UnitedHealth's Optum unit took the Change Healthcare clearinghouse offline. That clearinghouse serves most U.S. medical providers, about 131 million patients, and nearly 67,000 pharmacies.
According to UnitedHealth's disclosures, the cyberattack cost the insurance giant about $870 million in Q1 2024: nearly $600 million in direct costs for system restoration and response, with the remainder from lost revenue and business interruption. CFO John Rex estimated that full-year costs would total $1.4 to $1.6 billion. Two months after the hackers broke into Change Healthcare's systems, stole data and then encrypted it, it was still unclear how many Americans had been affected.
Screenshot from the written testimony of Andrew Witty, Chief Executive Officer of UnitedHealth Group, May 1, 2024.
According to Witty's testimony, the attackers accessed a Change Healthcare Citrix portal using compromised credentials. The portal did not have multi-factor authentication (MFA) enabled, the control that adds a second check at login beyond the password. With MFA enabled on the portal, the stolen credentials alone would not have been enough to log in, and the breach might have been stopped at its first step.
About Unosecur and how it highlights the importance of MFA to customers
Unosecur is an Identity Threat Detection and Response (ITDR) platform for preventing and mitigating active threats in cloud environments. It monitors API calls in real time, detects malicious activity using the MITRE ATT&CK framework as its reference, and offers remediation steps to contain what it finds. It raises alerts on suspicious activity such as unexpected bucket listings, unusual data retrieval, and tampering with security controls like AWS Security Hub and AWS Config. Real-time notifications support immediate investigation and remediation, backed by detailed audit logs for post-incident analysis.
Unosecur also emphasises security best practices such as multi-factor authentication (MFA): our findings list every identity that does not yet have MFA active and recommend enabling it (see the screenshot below).
Multi-factor authentication is a widely recommended layer of security: with it, a stolen password alone is no longer enough to log in. It is unclear why the Change Healthcare portal lacked it, and a UnitedHealth spokesperson did not respond to questions on the point. MFA mitigates credential theft, password reuse and many phishing attacks, and it is the single most effective control against unauthorized remote access with stolen credentials. Not all factors are equal, though: SMS codes and push approvals can still be phished or worn down by repeated prompts, so phishing-resistant methods such as FIDO2/WebAuthn hardware keys are the strongest choice for externally facing portals.
Screenshot from the Unosecur product showing a list of identities with MFA not in use. Some details have been blurred for customer privacy.
How Unosecur would have fit into the incident timeline
The timeline covers the incident from initial unauthorized access to ransomware deployment:
Feb 12, 2024: A criminal affiliate of the ALPHV ransomware group broke into Change Healthcare's network using stolen credentials for a remote-access portal that lacked basic protections such as MFA.
- Unosecur's findings would have listed every identity in the monitored environment without active MFA, so the responsible team could enforce MFA on those accounts before the stolen credentials were used.
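To make the MFA finding concrete (both the findings list in the section above and this timeline step), here is an added example, not Unosecur's code: a Python audit that reads an AWS IAM credential report, flags every identity that can log in interactively without MFA, and produces the standard AWS deny-unless-MFA policy to attach to the flagged users. The credential report rows, the account ID 123456789012 and the user names are constructed for this example; the report format is the CSV that `aws iam get-credential-report` returns.

```python
"""MFA audit over an AWS IAM credential report.

Added example, not Unosecur's code. The report format is the CSV that
`aws iam get-credential-report` returns; the sample below is constructed for
this example and keeps only the columns the check uses.
"""
import csv
import io

# Constructed sample report (account ID and user names are made up).
SAMPLE_CREDENTIAL_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,true
carol,arn:aws:iam::123456789012:user/carol,true,false,true,false
"""


def _true(value):
    return value.strip().lower() == "true"


def audit_mfa(report_csv):
    """Return one finding per identity that can log in interactively without MFA.

    Identities with no console password (pure access-key users such as
    ci-deploy) are skipped: MFA does not apply to API keys, so they need
    a different control (short-lived role credentials, key rotation).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = _true(row["mfa_active"])
        has_keys = _true(row["access_key_1_active"]) or _true(row["access_key_2_active"])
        if user == "<root_account>":
            # Root has no password_enabled flag; MFA on root is always required.
            if not has_mfa:
                findings.append({"user": user, "severity": "critical",
                                 "reason": "root account has no MFA device"})
            continue
        if _true(row["password_enabled"]) and not has_mfa:
            # Console access without MFA; worse if the user also holds API keys,
            # because one stolen password then unlocks both paths.
            findings.append({"user": user,
                             "severity": "high" if has_keys else "medium",
                             "reason": "console login enabled without MFA"
                                       + (" and active access keys" if has_keys else "")})
    return findings


# Standard AWS-documented pattern: deny everything except MFA self-enrollment
# until the session is MFA-authenticated. Attach to the group holding the
# flagged users so the finding is remediated, not just reported.
MFA_ENFORCEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllExceptMfaSetupUnlessMfaPresent",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
            "iam:GetUser", "iam:ListMFADevices",
            "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
            "sts:GetSessionToken",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def users_to_enforce(findings):
    """IAM user names (not root) that should receive MFA_ENFORCEMENT_POLICY."""
    return sorted(f["user"] for f in findings if f["user"] != "<root_account>")


if __name__ == "__main__":
    import json
    results = audit_mfa(SAMPLE_CREDENTIAL_REPORT)
    for f in results:
        print(f"[{f['severity'].upper():8}] {f['user']}: {f['reason']}")
    print("attach policy to:", users_to_enforce(results))
    print(json.dumps(MFA_ENFORCEMENT_POLICY, indent=2))
```

Two caveats the audit makes explicit: the Deny statement does not apply to the root user, which must be enrolled by hand, and access-key-only identities are skipped because MFA does not apply to API keys; those need short-lived role credentials and rotation instead. The Citrix portal in this incident was not an IAM identity, but the same check applies to any identity store that can report MFA status per account.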
In the days that followed, the attacker moved laterally inside the network and exfiltrated data.
Screenshot from news coverage of the breach confirming that sensitive data was exfiltrated.
- Unosecur's ITDR identifies and mitigates cloud lateral movement and exfiltration by tracking API calls in real time and alerting on them according to the MITRE ATT&CK framework. It flags suspicious actions performed by any user or identity in the environment, human or not.
Alongside detection, Unosecur provides remediation steps for each threat so the attacker can be contained or evicted. In this incident the exfiltration ran for more than a week before the ransomware was deployed; real-time detection paired with remediation would have given the team that whole window to detect and halt it.
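To show what real-time API-call detection mapped to ATT&CK looks like in practice (the monitoring described in the Unosecur section above and in this timeline step), here is an added example that is not Unosecur's code. It walks CloudTrail-shaped events in time order and fires alerts, each with a technique ID and a recommended containment action, for a console login without MFA, bucket enumeration by an identity that does not normally do it, a burst of object reads, and tampering with logging. The events, the identity ARNs, the source IPs, the allowlist of expected enumerators, the 20-reads-in-10-minutes threshold and the technique mapping are all assumptions made for this example.

```python
"""Detection over CloudTrail events, mapped to MITRE ATT&CK.

Added example, not Unosecur's code. The events are constructed in the shape
CloudTrail emits; the technique mapping, the allowlist and the thresholds are
the author's assumptions, not an official MITRE or AWS mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# eventName -> (tactic, technique, severity, recommended containment). Assumed mapping.
RULES = {
    "StopLogging": ("Defense Evasion", "T1562.008", "critical",
                    "re-enable the trail and deactivate the caller's credentials"),
    "DeleteTrail": ("Defense Evasion", "T1562.008", "critical",
                    "recreate the trail and deactivate the caller's credentials"),
    "DisableSecurityHub": ("Defense Evasion", "T1562.001", "critical",
                           "re-enable Security Hub and deactivate the caller's credentials"),
    "StopConfigurationRecorder": ("Defense Evasion", "T1562.001", "high",
                                  "restart the recorder and review the caller's recent activity"),
}
# Identities for which bucket enumeration is normal (assumed baseline).
EXPECTED_ENUMERATORS = {"arn:aws:iam::123456789012:user/admin"}
EXFIL_THRESHOLD = 20                  # GetObject calls by one identity ...
EXFIL_WINDOW = timedelta(minutes=10)  # ... within this window


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _alert(event, tactic, technique, severity, action):
    return {"time": event["eventTime"], "actor": event["userIdentity"]["arn"],
            "event": event["eventName"], "tactic": tactic, "technique": technique,
            "severity": severity, "action": action}


def detect(events):
    """Walk events in time order and return alerts in the order they fire."""
    alerts = []
    reads = defaultdict(list)   # actor -> GetObject timestamps inside the window
    exfil_fired = set()         # fire the exfiltration alert once per actor
    for e in sorted(events, key=_ts):
        actor, name, now = e["userIdentity"]["arn"], e["eventName"], _ts(e)
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append(_alert(e, "Initial Access", "T1078.004", "high",
                                 "force password reset, enforce MFA, review session activity"))
        elif name in RULES:
            alerts.append(_alert(e, *RULES[name]))
        elif name == "ListBuckets" and actor not in EXPECTED_ENUMERATORS:
            alerts.append(_alert(e, "Discovery", "T1619", "medium",
                                 "confirm the identity should enumerate storage; watch for reads"))
        elif name == "GetObject":
            # Sliding window of recent reads for this actor only.
            window = [t for t in reads[actor] if now - t <= EXFIL_WINDOW] + [now]
            reads[actor] = window
            if len(window) >= EXFIL_THRESHOLD and actor not in exfil_fired:
                exfil_fired.add(actor)
                alerts.append(_alert(e, "Exfiltration", "T1530", "critical",
                                     "revoke the identity's sessions and keys; block the source IP"))
    return alerts


def _event(time, source, name, arn, ip="203.0.113.10", **extra):
    # Minimal CloudTrail-shaped record; only the fields the rules read are present.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn},
            "sourceIPAddress": ip, **extra}


INTRUDER = "arn:aws:iam::123456789012:user/svc-portal"
ADMIN = "arn:aws:iam::123456789012:user/admin"

# Constructed sample: stolen credentials log in without MFA, enumerate buckets,
# bulk-read objects, then stop logging; an admin lists buckets later (benign).
SAMPLE_EVENTS = [
    _event("2024-02-12T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", INTRUDER,
           additionalEventData={"MFAUsed": "No"}),
    _event("2024-02-12T09:05:00Z", "s3.amazonaws.com", "ListBuckets", INTRUDER),
    _event("2024-02-12T09:15:00Z", "cloudtrail.amazonaws.com", "StopLogging", INTRUDER),
    _event("2024-02-12T09:30:00Z", "s3.amazonaws.com", "ListBuckets", ADMIN, ip="198.51.100.5"),
] + [
    _event(f"2024-02-12T09:06:{s:02d}Z", "s3.amazonaws.com", "GetObject", INTRUDER)
    for s in range(25)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['severity']:<8} {a['technique']:<10} "
              f"{a['event']:<12} {a['actor']} -> {a['action']}")
```

The same loop works on a live stream (an EventBridge rule on CloudTrail events, for instance) because it keeps only per-identity state. Tune EXFIL_THRESHOLD against a baseline of normal read volume; the value here is illustrative, and StopLogging or DeleteTrail should page someone regardless of volume.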
Feb 21, 2024: The ALPHV gang, also known as BlackCat, encrypted Change Healthcare's systems and demanded a ransom. Witty said the company had paid the hackers a ransom to ensure decryption of Change Healthcare's systems; the size of the payment was not confirmed.
- By this point the compromise was too far along for Witty and his team to reverse or stop, and the company ended up paying a large ransom. With the detection and MFA controls above in place, the intrusion should have been caught and contained long before it reached encryption.
Witty and his team then acted to limit the damage: they disconnected Change Healthcare's systems so the attacker could not spread to the wider healthcare network, and they have since put stricter policies in place to make sure the same mistakes are not repeated and healthcare data is safeguarded.
Conclusion
The cyberattack on Change Healthcare exposed protected health information (PHI) and personally identifiable information (PII) belonging to millions of Americans, and it underscores the need for basic cybersecurity controls such as multi-factor authentication. Unosecur's approach to threat detection and response limits the impact of such breaches, which highlights the value of investing in security tooling to safeguard sensitive data and avoid financial losses.
Protect what matters most
Secure human and non-human identities (NHIs) at scale, powered by AI. Don't wait for a breach to happen. Get a free assessment today and secure your business.