30 April 2024

Hackers breached UnitedHealth via Citrix portal

Threat actors breached the US healthcare giant UnitedHealth by exploiting a vulnerability in software provided by IT company Citrix, UnitedHealth CEO Andrew Witty revealed in testimony before the House Energy and Commerce Committee.

The intrusion began on February 12, 2024, when the attackers gained entry to Change Healthcare's systems through Citrix software used to provide remote access to desktop computers. The company initially attributed the attack to a suspected nation-state actor; it later became clear that a ransomware group was responsible.

Change Healthcare processes over 15 billion billing transactions annually, with one in every three patient records passing through its systems.

According to Witty's written testimony, the ransomware gang AlphV (also known as BlackCat) carried out the attack and demanded a ransom to unlock Change Healthcare's systems. The attackers used compromised login credentials to gain remote access to a Citrix portal that did not have multi-factor authentication enabled: a valid password alone was enough to get in. That is the practical lesson of the incident, since MFA on every internet-facing remote-access portal is the baseline control that turns a stolen password into a failed login.
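The check a defender would want after reading that paragraph is whether any remote-access portal still accepts password-only logins. The script below is an added example, not code from the article or from Citrix: it audits a constructed, JSON-lines authentication log (the field names `portal`, `user`, `src_ip`, `result` and `factors` are assumptions, not a real Citrix log schema) and reports successful remote-portal logins that presented no second factor, grouped by account so MFA can be enforced per user, and additionally flags password-only logins from source addresses not previously seen for that user.

```python
"""Audit remote-access authentication events for successful logins that
presented no second factor.  Added example: the event format below is an
assumption for illustration, not Citrix's own log schema."""
import json
from collections import defaultdict

# Constructed sample events (not real Change Healthcare or Citrix data).
SAMPLE_LOG = """\
{"ts": "2024-02-12T03:14:07Z", "portal": "remote-access", "user": "jsmith", "src_ip": "203.0.113.45", "result": "success", "factors": ["password"]}
{"ts": "2024-02-12T03:20:11Z", "portal": "remote-access", "user": "akumar", "src_ip": "198.51.100.7", "result": "success", "factors": ["password", "totp"]}
{"ts": "2024-02-12T03:22:54Z", "portal": "remote-access", "user": "jsmith", "src_ip": "203.0.113.45", "result": "success", "factors": ["password"]}
{"ts": "2024-02-12T04:01:33Z", "portal": "remote-access", "user": "mlee", "src_ip": "192.0.2.88", "result": "failure", "factors": ["password"]}
{"ts": "2024-02-12T04:05:02Z", "portal": "intranet-wiki", "user": "mlee", "src_ip": "192.0.2.88", "result": "success", "factors": ["password"]}
{"ts": "2024-02-12T04:40:19Z", "portal": "remote-access", "user": "mlee", "src_ip": "192.0.2.88", "result": "success", "factors": ["password"]}
"""

# Constructed baseline of source addresses each user normally logs in from.
KNOWN_SOURCE_IPS = {
    "jsmith": {"198.51.100.20"},
    "akumar": {"198.51.100.7"},
    "mlee": {"192.0.2.88"},
}

REMOTE_PORTALS = {"remote-access"}          # portals reachable from the internet
SECOND_FACTORS = {"totp", "push", "fido2", "smartcard", "sms"}


def parse_events(text):
    """Parse JSON-lines auth events; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def single_factor_remote_logins(events):
    """Successful logins to a remote-access portal whose factor list contains
    no second factor: the condition described in the testimony."""
    hits = []
    for e in events:
        if e["portal"] not in REMOTE_PORTALS or e["result"] != "success":
            continue
        if not SECOND_FACTORS.intersection(e["factors"]):
            hits.append(e)
    return hits


def users_without_mfa(events):
    """Group password-only remote logins by user so an admin can enforce MFA
    (or disable the account) rather than chase individual events."""
    by_user = defaultdict(list)
    for e in single_factor_remote_logins(events):
        by_user[e["user"]].append(e["src_ip"])
    return dict(by_user)


def password_only_from_unknown_source(events, known_ips):
    """Password-only remote logins from an address the user has not used
    before: the signature of a stolen credential being replayed from
    attacker infrastructure.  Returns (user, src_ip, ts) tuples."""
    flagged = []
    for e in single_factor_remote_logins(events):
        if e["src_ip"] not in known_ips.get(e["user"], set()):
            flagged.append((e["user"], e["src_ip"], e["ts"]))
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, ips in users_without_mfa(evts).items():
        print(f"{user}: {len(ips)} password-only remote login(s) from {sorted(set(ips))}")
    for user, ip, ts in password_only_from_unknown_source(evts, KNOWN_SOURCE_IPS):
        print(f"INVESTIGATE {user} at {ts}: password-only login from new source {ip}")
```

The two reports answer different questions: the first is a configuration finding (these accounts can still log in without MFA, fix the portal policy), the second is an incident lead (a password-only login from an address the account has never used is exactly how a purchased or phished credential shows up in the logs). Failed attempts and logins to internal-only portals are deliberately excluded so the output stays actionable.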

In response to the attack, the company shut down its systems, affecting multiple services of US healthcare organizations.

The company did not say which specific weakness the hackers exploited, although US authorities have issued multiple warnings about security issues in Citrix software. Witty's account itself, however, points to stolen credentials and a portal without MFA rather than to a confirmed software bug.

UnitedHealth Group reportedly paid the hackers a $22 million ransom to regain access to the data and systems the group had encrypted. Witty said the company has advanced an additional $1 billion to affected providers since last week, bringing the total amount advanced to more than $3.3 billion.
