Hackers lurked in Change Healthcare's network for more than a week

Hackers gained entry to Change Healthcare's IT systems nine days before the ransomware attack on the UnitedHealth Group subsidiary, The Wall Street Journal reported April 22.

The cybercriminals, who are said to be members or affiliates of the ALPHV/BlackCat ransomware gang, broke into Change's network Feb. 12 before initiating the Feb. 21 cyberattack that disrupted large swaths of the healthcare industry, according to the story.

The hackers used compromised credentials to log into an application that allows Change staff members to remotely access the network, the newspaper reported, citing a person familiar with the investigation. Multifactor authentication, which employs text message codes or tokens for added cybersecurity, reportedly wasn't activated on the program. The source told the Journal the company paid ransom after the cyberattack, but declined to say how much or whether Change forked over a second ransom payment after a subsequent extortion attempt.

The cybercriminals moved "laterally" as they lurked in the network, suggesting they had ample time to steal from the company's massive troves of data, according to the Journal. Change hasn't confirmed exactly what information was taken or how much, but said April 22 that, based on an initial sampling, it "could cover a substantial proportion of people in America." Hackers started leaking the company's data April 15.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
