During a House hearing into the cyberattack in April, UnitedHealth’s CEO Witty confirmed that the cybercriminals broke into one of its employee systems using stolen credentials that were not protected with multi-factor authentication (MFA), a security feature that can help to protect against the misuse of password theft.
Source (from the posted article):