Data Breach

UHG CEO Reports: Change Healthcare Hackers Used Stolen Credentials Without MFA to Breach the System

Parker Bytes May 2, 2024

Crack open your cup of tea, lads and lasses, because the case of the Change Healthcare cyber-attack just got even more interesting! If you haven’t been following, some dodgy characters only went and broke into the biggest health tech company in the United States, and you won’t believe the shocking reason how.

Now, you might be wondering, how does a gang of computer outlaws manage to breach a company that size? You’d think such a massive operation would have the security clout to hold them off, right? Well, it turns out that even Goliath can have a weak ankle.

UnitedHealth Group CEO, Andrew Witty, himself revealed that the miscreants managed to sneak into the company using stolen access credentials. And here’s the real kicker – the targeted systems didn’t even have two-step authentication. A bit like leaving your house key under the doormat and hoping the burglars won’t find it.

No, you didn’t hear me wrong. A health tech leviathan, with patient records, diagnoses, treatment plans, the lot, didn’t have multifactor authentication (MFA) on all its systems. It boggles the mind, doesn’t it?

For those of you not into your cyber-jargon, MFA is a bit like having a lock and a bolt on your front door. Rather than just relying on one vulnerable password or ‘key,’ you need two or more verification steps to gain access. Seems like a bit of a no-brainer, wouldn’t you say?

Now, this isn’t an episode of ‘Who Done It’ where we’ve just been handed our killer clue. We must remember that it takes faults on both ends for a situation like this to occur. The online ruffians managed to get their grubby mitts on the passwords in the first place. And let’s not even get started on where that access point might have been left unprotected, likely some naff phishing scam or a poor old employee tricked into giving away sensitive information.

What this sad tale of woe teaches us though, is that top-notch cybersecurity should be non-negotiable. And by this, we don’t mean those free antivirus programmes. We’re talking solid strategic planning, robust recovery measures, strict access controls, and of course, MFA.

Are we all saints with perfect habits of never ever forgetting to bolt the digital door? Nope, we’re human. And apparently, so are multi-billion-dollar healthcare entities. But just as we wouldn’t leave our peace Lily at home without a friend to water it or our dog without a walker, we can’t risk leaving our sensitive data unprotected.

So, here’s the takeaway, chums: cyber bad guys are getting smarter every day. Let’s turn that knowledge into power, and make sure our metaphorical doors are tightly locked with bolt, chain and deadlock. It’s time to pop that kettle on and check whether we’ve got our own house in order.

And remember, a bit more MFA won’t hurt anyone. Well, maybe the hackers – but we’re not too bothered about their feelings, are we? Now, give that tea a good stir, and let’s vow to make tech security our number one priority!

by Parker Bytes