As reported by Bleeping Computer, UnitedHealth CEO Andrew Witty’s written testimony (PDF) to a House committee said the threat actors got in by using stolen credentials for a Citrix remote access service that lacked multifactor authentication.
On February 12, criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops. The portal did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later.