cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Hackers accessed UnitedHealth through Citrix portal, says CEO

The chief executive of UnitedHealth has at long last revealed the methods through which threat actors breached Change Healthcare’s systems earlier this year.

user icon Daniel Croft
Tue, 30 Apr 2024
Hackers accessed UnitedHealth through Citrix portal, says CEO
expand image

UnitedHealth CEO Andrew Witty, who is set to testify in front of a US House subcommittee on 1 May 2024, has said that threat actors managed to breach Change Healthcare’s systems using compromised credentials to access a Citrix portal.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” Witty said in a testimony posted by the House Energy and Commerce Committee, dated 1 May.

“The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”


While Witty did not specify which Citrix vulnerability was abused by the threat actors to access, a number vulnerabilities were discovered last year and early this year, including several in Citrix NetScaler and a Bleed vulnerability that affected almost 36 million people.

In addition, Witty also took full responsibility for the payment of ransom to the threat actors, despite the fact the US$22 million payment was pocketed by ALPHV.

“As chief executive officer, the decision to pay a ransom was mine,” Witty added.

“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

The ransomware attack occurred on 21 February, resulting in the company’s systems being taken offline and leaving healthcare providers across the US without claims infrastructure, resulting in many of their operations coming to a standstill.

The attack was originally believed to have been by a Chinese state-sponsored actor but was then claimed by the now-defunct ALPHV (BlackCat).

UnitedHealth paid ALPHV US$22 million in ransom payments. However, ALPHV pocketed the money and went dark, leaving the ransomware affiliate behind the breach stranded without pay but with the stolen UnitedHealth data.

As a result, UnitedHealth was still in trouble, particularly when a second ransomware gang, RansomHub, claimed to have the data and threatened to publish it if it did not receive a ransomware payment. Not long after, the group published some data claiming the entirety of it was now for sale to the highest bidder.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.