
‘Maybe a third’ of Americans affected by Change Healthcare attack

The chief executive of UnitedHealth has revealed that the Change Healthcare data breach could have affected roughly one-third of US citizens.

Daniel Croft
Thu, 02 May 2024

In a statement released late last month, UnitedHealth said the Change Healthcare breach affected a “substantial proportion” of people in America, having found files containing both protected health information (PHI) and personally identifiable information (PII) covering a significant number of people.

Yesterday (1 May), during a hearing in front of a US House subcommittee, UnitedHealth CEO Andrew Witty was grilled for a specific answer on how many people were affected by the breach, despite having pre-written testimony.

After a serious push for a definitive answer, Witty told the House Energy and Commerce Committee that he believes “maybe a third [of Americans] or somewhere of that level” were affected.


Witty added that he was hesitant to give a figure or a more specific answer as the investigation is still ongoing and the company is unsure how many people were affected by the breach.

UnitedHealth said it will still be several months before it would be able to identify all those affected and begin notifying them, despite the attack occurring on 21 February, over two months ago.

In his pre-written testimony published on the House Energy and Commerce Committee website prior to the 1 May hearing, Witty said UnitedHealth had determined that the threat actors gained access to Change Healthcare’s systems through the use of compromised credentials for a Citrix portal that had no multifactor authentication.

“On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops,” he said.

“The portal did not have multifactor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.”

While Witty did not specify which Citrix vulnerability was abused by the threat actors to gain access, a number of vulnerabilities were discovered last year and early this year, including several in Citrix NetScaler and a Bleed vulnerability that affected almost 36 million people.

Witty also took full responsibility for the payment of the ransom to the threat actors, despite the fact that the US$22 million payment was pocketed by ALPHV.

“As chief executive officer, the decision to pay a ransom was mine,” Witty added.

“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
