Change Healthcare Cyberattack Reported to the U.S. Department of Health and Human Services

By Richard Anderson

The Change Healthcare cyberattack has caused massive disruption to healthcare services in the United States, including huge financial hardship for healthcare providers due to a lengthy outage of Change Healthcare’s systems. That outage has hampered billings and payments for healthcare services, and an as-yet-unconfirmed number of Americans have had their sensitive data stolen and are potentially at risk of fraud and identity theft.

As further information about the Change Healthcare cyberattack and data breach is released, this article will be updated so please check back regularly.

HHS’ Office for Civil Rights Notified About Change Healthcare Cyberattack and Data Breach

August 1, 2024

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been notified about the Change Healthcare cyberattack and data breach. Under the Health Insurance Portability and Accountability Act (HIPAA), the Secretary of the HHS must be notified about a breach of the unsecured protected health information of 500 or more individuals without unnecessary delay and no later than 60 days from the date of discovery of the data breach.

The Change Healthcare cyberattack was detected on February 21, 2024; however, a data breach was not confirmed for several weeks, despite claims from the ransomware group behind the attack that data had been stolen. The Change Healthcare notice of data breach states that data theft was not confirmed until March 7, 2024, and that it was not possible to obtain a copy of the data for analysis until March 13, 2024. The data breach notifications are therefore late, and Change Healthcare risks a financial penalty for the HIPAA failure.

The Change Healthcare data breach notification to the HHS should have provided an indication of just how big the Change Healthcare data breach was. Andrew Witty, the CEO of Change Healthcare’s parent company (UnitedHealth Group), had previously stated that the breach could affect a substantial proportion of Americans, and the Change Healthcare website states that its systems touch the data of 1 in 3 Americans. The breach was therefore expected to involve the data of more than 110 million Americans, yet the data breach was reported to the HHS as affecting 500 individuals.

That total was used because:

  1. The file review has not yet been completed so the total number of affected individuals is not yet confirmed
  2. 500 individuals is the trigger point for a data breach to require reporting within 60 days under the HIPAA Breach Notification Rule
  3. HIPAA requires an estimate of the number of affected individuals to be provided if the final total is not known at the point the breach is reported. An updated total can be provided to OCR when the number of affected individuals is confirmed.

It is unclear how long it will take to find out how big the Change Healthcare data breach is. UnitedHealth Group has previously stated that it could take several months before the file review is completed, although the file review is more than 90% completed.

OCR has published an update to its website explaining the “500 individuals” figure. “Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal,” wrote OCR. “Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach.”

Notifications Mailed to Individuals Affected by Change Healthcare Cyberattack

July 20, 2024

Notification letters have started to be mailed to the individuals affected by the Change Healthcare cyberattack. A copy of the notification letter can be viewed via the link at the bottom of the July 10, 2024, update below.

Individuals receiving the notification letter may be confused since Change Healthcare is a business associate used by healthcare organizations and there is no direct relationship between Change Healthcare and the patients and health plan members affected by the data breach. To help clear up some of that confusion, we have explained why Change Healthcare holds personal and health data, what the data breach means, and what individuals receiving the notification letter should do.

Why Does Change Healthcare Have My Data?

You are unlikely to have any direct dealings with Change Healthcare as it operates behind the scenes. Change Healthcare provides services to many healthcare organizations, including facilitating billing for healthcare services to ensure that healthcare providers are paid for their services. In order to provide those services, Change Healthcare must be provided with patient data, including personally identifiable information, health information, and insurance information.

Are the Change Healthcare Data Breach Notifications Legit?

The Change Healthcare breach involved unauthorized access to the personal and protected health information of many Americans. The number of individuals affected has still not been confirmed, but the Change Healthcare data breach may affect 1 in 3 Americans. Most of the affected healthcare organizations have asked Change Healthcare to send notification letters on their behalf since the data breach occurred at Change Healthcare. Some of the affected healthcare organizations may choose to issue notification letters themselves.

If you receive a notification letter in the mail, your data is likely to have been stolen in the ransomware attack, so the notifications are likely legitimate. You should read the notification letter carefully, as it includes steps that you should take to protect yourself against identity theft, fraud, and other misuse of your personal and health information.

Credit monitoring and identity theft protection services are being offered free of charge, and you should ensure you sign up for those services as cybercriminals likely have your data. The breach began as early as February 12, 2024, and a ransomware group stole data in the attack. That group shut down its operation after being paid a $22 million ransom. A second ransomware group then obtained the data stolen in the attack and claimed it would sell the data to the highest bidder.

Change Healthcare has created a website where you can get further information and has set up a helpline – 1-866-262-5342 (Mon-Fri, 8 a.m. to 8 p.m. CT). While the data breach notifications are legitimate, you should exercise caution since scammers may attempt to take advantage of this data breach. Be wary of any notifications that arrive via email or anyone contacting you asking for personal information. Do not disclose personal information via email or over the phone.

Change Healthcare Data Breach Notification Published

July 10, 2024

The Change Healthcare data breach letter has been published and provides further information on the types of data stolen in the Change Healthcare ransomware attack. The notification letters will start being sent to the affected individuals on July 20, 2024; however, the process may take some time as the file review is ongoing. Change Healthcare is still not in a position to provide an update on the number of individuals affected.

The notification letters confirm that an unauthorized third party (the Blackcat ransomware group) accessed Change Healthcare’s internal systems between February 12 and February 20, 2024, and that the ransomware attack was detected on February 21, 2024. Change Healthcare confirmed on March 7, 2024, that a significant amount of data had been exfiltrated from its network, although it was not possible to obtain a copy of that data for analysis until March 13, 2024. Change Healthcare has confirmed that a significant proportion of Americans have been affected.

The Change Healthcare notice of data breach states the types of information involved vary from individual to individual and may include one or more of the following:

  • Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
  • Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
  • Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
  • Other personal information such as Social Security numbers, driver’s licenses, state ID numbers, or passport numbers.

Credit monitoring and identity theft protection services are being offered free of charge. The individuals affected can call a toll-free number – 1-866-262-5342 (Mon-Fri, 8 a.m. to 8 p.m. CT) – to obtain more information about the data breach, and a website has been set up that provides detailed information about the incident.

Since data is known to have been stolen in the attack and the RansomHub ransomware group has claimed it is selling the stolen data, the affected individuals should ensure they sign up for those free services and take steps to protect themselves against identity theft and fraud.

In addition to signing up for the free credit monitoring and identity theft protection services, individuals should monitor their accounts and statements from health insurers for unauthorized activity and report any irregularities to the relevant financial institution and local law enforcement immediately.

You can view the Change Healthcare notice of data breach here.

Affected Providers Notified About Change Healthcare Ransomware Attack and Data Breach

June 22, 2024

Change Healthcare data breach notifications have started to be issued to the healthcare organizations affected by the cyberattack, which means individual notifications should be issued to the affected individuals within 60 days.

In a recent update about the Change Healthcare cyberattack, UnitedHealth Group confirmed that the file review is around 90% completed, although it is not yet possible to determine the exact types of data involved for each of its HIPAA-covered entity clients.

Those clients are now being notified that the types of data involved likely include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information, but not medical charts or medical histories.

An update has also been provided on when Change Healthcare anticipates mailing individual notifications on behalf of the affected covered entities. Those notification letters should start to be mailed by the end of July, although Change Healthcare said it may not have up-to-date contact information. Since the file review is still ongoing, Change Healthcare may identify further individuals who have been affected, in which case those notifications will be mailed after the end of July.

Change Healthcare also reminded the affected covered entities and individuals that complimentary credit monitoring services are available immediately.

HHS Confirms That HIPAA Allows Change Healthcare to Issue Data Breach Notifications

June 4, 2024

There has been considerable confusion about who is responsible for issuing individual notifications about the Change Healthcare cyberattack and data breach. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires notifications to be issued when there is a breach of unsecured healthcare data.

In the event of a breach of unsecured personally identifiable health information – called protected health information (PHI) under HIPAA – notifications must be issued to the Department of Health and Human Services (HHS), the affected individuals, and the media. Those notifications must be issued without unnecessary delay and no later than 60 days from the date of discovery of a data breach. It has been more than 3 months and notifications have still not been issued.

The HHS Office for Civil Rights (OCR), the main enforcer of HIPAA compliance, has previously stated that in the event of a data breach at a business associate of a HIPAA-covered entity, covered entities may delegate the responsibility for issuing notifications to the business associate; however, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are issued. OCR has not stated that Change Healthcare must send notifications but has now confirmed that it is acceptable for Change Healthcare to issue notifications.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR Director Melanie Fontes Rainer. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.” 

OCR has also confirmed that the 60-day deadline for issuing notification letters does not start until covered entities receive notification from Change Healthcare that their data was involved. Once that notification is received, notifications must be issued without undue delay and no later than 60 days from the date that notification is received.

“OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG,” explained Fontes Rainer.

Senator: UnitedHealth Group Executives Should be Accountable for Change Healthcare Cyberattack

June 1, 2024

Following on from the subcommittee hearing, Senator Ron Wyden (D-OR) wrote to the Chairs of the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) demanding UnitedHealth Group executives be held accountable for the Change Healthcare cyberattack and the disruption it has caused.

Compromised credentials were used to gain access to a server that did not have multifactor authentication (MFA) enabled. Sen. Wyden pointed out that for a company the size of UnitedHealth Group, MFA should have been comprehensively implemented, and that it should have been known that skipping MFA was a very bad idea, even if compensatory controls were in place.

Sen. Wyden explained that the massive disruption has pushed healthcare providers to the brink. The Change Healthcare cyberattack has caused patients harm by preventing them from getting the care they need. They now face an elevated risk of identity theft and fraud as their data has been stolen, and the theft of data – including the medical information of serving military personnel – has caused serious harm to U.S. national security.

Sen. Wyden suggested that the lack of MFA on an external-facing system and the lack of preparedness for ransomware attacks amount to corporate negligence. Sen. Wyden has called for the chairs of the FTC and SEC to investigate UnitedHealth Group in that regard.

He also criticized the board for appointing a Chief Information Security Officer (CISO) who lacked the necessary experience for the role. The CISO was appointed in June 2023 after holding other positions at UnitedHealth Group and Change Healthcare yet had not held the position of CISO or any similar cybersecurity position at any other company.

Sen. Wyden likened that decision to appointing a heart surgeon to perform brain surgery, stating, “The head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.” While the CISO might be a convenient scapegoat, Sen. Wyden said the responsibility should fall on the people who appointed a person to the role who clearly did not have the necessary experience.

UnitedHealth Group CEO Explains What Went Wrong in Testimony to House Subcommittee

May 2, 2024

The CEO of UnitedHealth Group, Andrew Witty, testified before a U.S. House Energy and Commerce Committee Subcommittee on Oversight and Investigations on May 1, 2024.

A copy of Witty’s testimony was published online ahead of the subcommittee hearing, in which Witty apologized and said he was “deeply sorry” for the disruption caused. Witty confirmed that the UnitedHealth Group staff has been working 24/7 from the day of the incident and the full resources of UnitedHealth Group have been deployed on its response and restoration efforts. “UnitedHealth Group will not rest – I will not rest – until we fix this,” said Witty.

Witty explained that his company is far from alone. Cyberattacks have been increasing in frequency and significance and ransomware attacks have cost more than $1 billion in ransom payments alone in 2023. Witty explained that his company repels an intrusion every 70 seconds, and last year more than 450,000 intrusions were thwarted. On February 21, 2024, it became clear that one of those attempts had succeeded.

Witty said the company’s response was “swift and forceful.” Since the initial access vector was not initially clear, the decision was taken to sever connectivity with Change Healthcare’s data centers to “eliminate the potential for further infection.” He claims that while that move was incredibly disruptive, it was the right thing to do as it allowed UnitedHealth Group to contain the attack and prevent it from spreading to the UnitedHealthcare, UnitedHealth Group, and Optum networks.

The investigation is ongoing, but Witty was able to share some details about the initial access vector. Witty confirmed that the initial intrusion occurred on February 12, 2024, when compromised credentials were used to remotely access a Change Healthcare Citrix portal – an application used for remote access to desktop computers. Crucially, that application did not have multifactor authentication enabled. The threat actor moved laterally within its systems “in more sophisticated ways,” exfiltrated data, and then 9 days after the initial intrusion, deployed ransomware to encrypt files.

Witty explained that UnitedHealth Group has a policy requiring multifactor authentication to be implemented on all external-facing systems; however, in some cases, when servers were using older technology, multifactor authentication may have been skipped due to compensatory controls being in place.

Regarding the decision to pay the ransom, Witty said, “I have been guided by the overriding priority to do everything possible to protect peoples’ personal health information,” confirming that, “as chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”

As previously reported, Witty confirmed that the exfiltrated files included protected health information (PHI) and personally identifiable information (PII) and stated that the breach could cover “a substantial proportion of people in America.”

As for when those individuals will find out if they have been affected, Witty said “it is likely to take many months of continued analysis before enough information will be available to identify and notify customers and individuals.” In the meantime, Witty said his company is monitoring the dark web and Internet to determine if any stolen data is published.

“Rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services,” said Witty.

Lawmakers Question Witty About UnitedHealth Group’s Cybersecurity Preparedness and Response

At the hearing, lawmakers wanted answers about how UnitedHealth Group, which had around $22 billion in profit in 2023, could fall victim to such a devastating attack, overlook such a basic security measure as multifactor authentication on a system used for remote access, and then not have the redundancies in place to allow its systems to remain operational, or at least only be down for hours or days rather than weeks and months. The attack and the lengthy outage suggest a lack of preparedness and testing of incident response protocols. Sen. Marsha Blackburn (R-TN) pointed out that UnitedHealth Group’s profits are larger than some countries’ GDP, yet UnitedHealth Group still did not have the necessary redundancies in place.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires individuals to be notified about a data breach within 60 days of the discovery of a breach yet there is no sign of notifications even being close to being sent in the 10 weeks since the attack was detected. U.S. Senator Maggie Hassan (D-NH) reminded Witty of his obligations to issue notifications and demanded that they be sent immediately.

The size of UnitedHealth Group was frequently mentioned in the hearing. UnitedHealth Group has been gobbling up smaller companies and has become a behemoth. That has created a situation where a single point of failure – the lack of multifactor authentication on an Internet-facing remote access solution – could bring the healthcare industry to its knees. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack,” said Sen. Ron Wyden (D-OR), chair of the Senate Finance Committee.

“Substantial Proportion of People in America” May be Affected by the Change Healthcare Cyberattack

April 24, 2024

The Change Healthcare cyberattack on February 21, 2024, involved the theft of 6TB of data, according to the Blackcat ransomware group. The RansomHub group claimed it obtained 4TB of data when it attempted to extort UnitedHealth Group and Change Healthcare but there has been no confirmation of exactly how much patient data was compromised in the attack. Change Healthcare states on its website that its systems touch the health data of 1 in 3 Americans, so any Change Healthcare data breach has the potential to be huge.

UnitedHealth Group CEO Andrew Witty has stated that a significant proportion of that data may have been stolen in the attack. Witty confirmed for the first time that a ransom was paid to the Blackcat ransomware group to prevent the stolen data from being publicly leaked, but did not say how much was paid to the group. It has been widely reported that $22 million was transferred to the Blackcat group, which performed an exit scam and shut down its operation, claiming that there was no alternative due to a law enforcement operation.

The investigation of the Change Healthcare cyberattack is progressing and UnitedHealth Group has confirmed that the initial results of the investigation indicate personally identifiable information was compromised, including information classed as “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA).

UnitedHealth Group said in a recent update that the exact types of data involved have yet to be confirmed but no evidence has been found to indicate doctor’s charts or full medical histories have been stolen. While the scale of the data breach is not yet known, UnitedHealth Group has confirmed that the breach could affect “a substantial proportion of people in America.”

Individuals waiting to hear if they have been affected could be in for a long wait, as the review of the affected data is not expected to be completed for some time. “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” said UnitedHealth Group in an update about the Change Healthcare data breach. “As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review.”

When healthcare organizations experience data breaches it can take months before individual notifications are mailed. Files must be reviewed to identify the individuals affected, the types of data involved must be confirmed, contact information must be verified, and only then can notification letters be issued. UnitedHealth Group has confirmed that credit monitoring and identity theft protection services are being made available and it is not necessary to wait until a notification letter is received. Further information on signing up for those services can be found on a website that has been set up to provide further information about the cyberattack and data breach.

While it has not been disclosed by UnitedHealth Group, sources close to the investigation told the Wall Street Journal that the Blackcat affiliate behind the attack had access to Change Healthcare’s systems for 9 days before ransomware was deployed and that compromised credentials were allegedly used to access its systems. Multifactor authentication should be implemented to prevent compromised credentials from granting access to accounts, but according to the Wall Street Journal, it was not enabled on the compromised account.

That would be a major oversight for any company, let alone one the size of Change Healthcare that handles such vast amounts of sensitive data.

RansomHub Starts Leaking Data Stolen in Change Healthcare Ransomware Attack

April 15, 2024

It would appear that the RansomHub ransomware group does hold a copy of the data stolen in the Blackcat ransomware attack on Change Healthcare. RansomHub has uploaded samples of the data allegedly stolen in the attack to its dark web data leak site, some of which include patient data. The data appears to include documents related to billing, insurance, and medical records. UnitedHealth Group has yet to confirm whether the leaked data is genuine. On April 12, 2024, a spokesperson for Change Healthcare confirmed to Wired that no evidence has been found indicating this is a separate attack.

It is not unusual for evidence of data theft to be published by ransomware groups on dark web data leak sites to pressure victims into paying. There are 5 days remaining before RansomHub claims it will sell the stolen data, and the posting of samples of data indicates UnitedHealth Group is not prepared to pay. That is perfectly understandable since $22 million has already been paid to the Blackcat group, only for the group to pocket the funds in an apparent exit scam.

“The more we go through the data, the more we are shocked by the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself,” wrote RansomHub. “Five days remain on the clock. The devastating effect can still be mitigated. Insurance providers should be really concerned as this will impact them and their clients beyond measure.”

RansomHub Ransomware Group Claims to Have a Copy of the Stolen Change Healthcare Data

April 8, 2024

Things have gone from bad to worse for Change Healthcare and UnitedHealth Group. While it has not been publicly confirmed that the ransom was paid, evidence has been provided by the affiliate behind the attack that a $22 million ransom was paid to the ALPHV/Blackcat group. Now UnitedHealth Group has received another ransom demand, this time from a different ransomware group – RansomHub.

RansomHub was not involved in the initial attack but claims to have obtained 4 TB of data stolen in the attack and issued a ransom demand, giving UnitedHealth Group 12 days to pay. “Change Healthcare and United Health you have one chance in protecting your clients data,” wrote RansomHub. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.” The group claims the stolen data will be sold to the highest bidder if the ransom is not paid.

RansomHub has been actively recruiting affiliates since the ALPHV/Blackcat group pulled an exit scam. It is possible that Blackcat recruited the affiliate and is attempting to get payment. RansomHub is a relatively new ransomware operation and is not thought to be connected to ALPHV/Blackcat, so partnering with the ransomware group may have been seen as the best option for the affiliate to get paid.

As to whether UnitedHealth Group will pay, that seems unlikely. A $22 million ransom was paid to prevent the release of the stolen data, and that payment appears to have amounted to nothing. UnitedHealth Group is unlikely to pay another ransom when there is no guarantee that the data will be deleted and will not be sold anyway. It is also unclear whether RansomHub actually has a copy of the stolen data.

Change Healthcare Data Breach Lawsuits Mount

April 5, 2024

Multiple class action lawsuits have been filed in response to the Change Healthcare ransomware attack and data breach, including by individuals who claim their sensitive data was stolen, even though that has yet to be confirmed by Change Healthcare/UnitedHealth Group. At least two dozen lawsuits have already been filed and more can be expected over the coming weeks. The lawsuits allege that Change Healthcare failed to implement appropriate cybersecurity measures despite there being a high risk of a cyberattack. Since highly sensitive data was stolen, the plaintiffs allege they face an imminent and elevated risk of identity theft and fraud.

Healthcare providers affected by the continuing outages are also taking legal action to try to recover costs. They claim that the ransomware attack has put their businesses at risk. While providers and patients are taking legal action for different reasons, Change Healthcare maintains that all of the lawsuits make similar claims and are based on the same facts, and is attempting to have the lawsuits consolidated in its home state of Tennessee where the evidence and key witnesses are located.

Change Healthcare said all of the legal actions are based on the incorrect and unfounded theory that because there was a cyberattack and data breach its cybersecurity defenses must have been deficient. Change Healthcare maintains that was not the case.

Data Theft Confirmed by UnitedHealth Group

March 29, 2024

The Blackcat group behind the Change Healthcare ransomware attack has stated that 6TB of data was stolen in the attack and the affiliate claims to have retained a copy of the data after Blackcat pulled an exit scam. UnitedHealth Group has been unable to confirm what data was stolen in the attack as analysis could not start until it was safe to recover the data.

In a recent update, UnitedHealth Group confirmed a restore point has been identified so the data can be recovered; however, it has taken time to complete mounting and decompression procedures. A copy of the exfiltrated data has been obtained and analysis has started. UnitedHealth Group said it is now focused on the data review. While the exact types of data involved have yet to be determined, UnitedHealth Group said personally identifiable information was likely compromised in the Change Healthcare cyberattack, which may include eligibility, claims, and financial information. The dark web is being monitored and the stolen data does not appear to have been disclosed.

The recovery process is progressing, and while key systems have been restored, Change Healthcare is some way off restoring all of its services. Its eligibility processing, clinical data exchange, and retrospective episode-based payment models are due to be restored over the coming 3 weeks.

$10 Million Reward Offered for Information on the Identity and Location of Blackcat Cyber Actors

March 27, 2024

The U.S. Department of State is seeking information on individuals linked to the ALPHV/Blackcat ransomware group, their affiliates, and any proof that the group is linked to any foreign governments. Under the Rewards for Justice program, up to $10 million is being offered as a reward for information that leads to the identification or location of those individuals.

Department of Health and Human Services Issues Guidance for Affected Healthcare Providers

The U.S. Department of Health and Human Services (HHS), in conjunction with the Administration for Strategic Preparedness and Response (ASPR), has published guidance for healthcare providers affected by the Change Healthcare cyberattack. The guidance includes resources and tools from health plans and payers for providers in need of assistance, including alternative clearinghouses and information on how to obtain advance payments.

UnitedHealth Group Identifies Initial Access Vector

March 15, 2024

Assisted by Mandiant and Palo Alto Networks, UnitedHealth Group has identified the initial access vector used in the Change Healthcare ransomware attack, although that information has not (yet) been disclosed. Now that it is clear how and when the Blackcat group gained access, UnitedHealth Group has identified a safe restore point – a critical step in its recovery. Work can now commence on restoring the systems that are still offline.

UnitedHealth Group has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services, and claims volume is back to around 99% of the pre-incident level. The Rx Connect, Rx Edit, and Rx Assist services will shortly be available.

Ransom Paid Following Change Healthcare Ransomware Attack

March 5, 2024

A $22 million ransom appears to have been paid by UnitedHealth Group to prevent the release of data stolen from Change Healthcare in its February 2024 ransomware attack.

According to the ransomware remediation firm Coveware, the average ransom payment in Q4 2023 for a ransomware attack was $408,644 and the median ransom payment was $185,972. The ransom supposedly paid by UnitedHealth Group subsidiary Optum to prevent the release of the stolen Change Healthcare data was $22 million, around 118 times the average ransom payment.

Paying a ransom is always a risk as there is no guarantee that encrypted data will be recoverable. It is common for encrypted files to be corrupted and the supplied decryptors do not always work. According to the 2023 Ransomware Trends Report from Veeam, 1 in 4 companies that paid a ransom failed to get their data back. Even if some data can be recovered, it is relatively rare for there not to be at least some data loss.

Ransoms are not only paid to obtain the decryption keys. Many companies are able to recover their data from backups but still pay the ransom to prevent the threat actors from leaking or selling the stolen data. Ransomware groups typically refrain from publishing the stolen data and take down their data leak site listing when payment is made but there is no guarantee that all copies of the data will be deleted.

Ransomware groups may provide proof that data has been deleted, such as videos of data deletion, but that may not be the only copy of the data that is held. Victims are given no alternative but to trust the cybercriminals that have breached their systems that they will be true to their word and will delete all copies of the stolen data. Ransomware groups are financially motivated, and the stolen data is valuable. Retaining a copy of the stolen data to sell at a later date would provide the operators with additional income.

The law enforcement operation against the LockBit ransomware group – Operation Cronos – headed by the UK’s National Crime Agency (NCA) resulted in access being gained to LockBit’s primary administration environment, including its public-facing leak site on the dark web and its source code. A considerable amount of intelligence was gathered from those systems. The NCA reports that some of the data on LockBit’s systems belonged to victims who paid the ransom, confirming that data is not always deleted.

ALPHV/Blackcat Ransomware Group Shuts Down in Apparent Exit Scam

In this case, UnitedHealth Group’s $22 million gamble appears not to have worked. The Blackcat affiliate allegedly behind the attack, Notchy, claims to have been cheated out of their share of the ransom payment and still holds a copy of the stolen data.

“After receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” wrote the affiliate Notchy. “Sadly for Change Healthcare, their data still with us.” If the affiliate’s claim is true, and there is no reason to suggest it isn’t, then it appears that the $22 million payment has achieved very little.

On March 5, 2024, a member of the Blackcat group issued a statement confirming the group would be shutting down, had already arranged the sale of its source code, and claimed that there was no alternative. “We can officially state that we got screwed by the feds.”

The ALPHV/Blackcat data leak site now displays a seizure notice indicating it has been lost to law enforcement; however, several researchers suggested that is unlikely to be the case, and that the posted seizure notice appears to have been copied and pasted from the notice posted by the FBI when Blackcat’s infrastructure was seized in a December 2023 operation.

The $22 million payment appears to have been pocketed in an apparent exit scam. Fabian Wosar, Emsisoft’s head of ransomware research, suggests that is exactly what the group is doing, and any affiliates who have not yet been paid will see their share of the ransom payments pocketed.

Having not been paid for conducting the attack, the affiliate is likely to attempt to recoup the lost income. What that will entail remains to be seen. There could be a further extortion attempt or the stolen data may be sold.

Change Healthcare Confirms Ransomware Attack by the ALPHV/Blackcat Ransomware Group

February 29, 2024

Change Healthcare has confirmed that the cyberattack initially suspected as being the work of a nation-state actor was a ransomware attack by a financially motivated threat actor, ALPHV/Blackcat. According to the latest entry on UnitedHealth Group’s update page, “Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”

On February 28, 2024, cybersecurity analyst Brett Callow shared a post by the ALPHV/Blackcat group which claimed responsibility for the attack. The ransomware group alleged UnitedHealth Group had released misleading statements about the nature of the attack.

The group confirmed that the attack centered on Change Healthcare’s production and corporate environments, which are used by all clients that rely on Change Healthcare’s technology solutions, of which there are thousands, including healthcare providers, insurers, and pharmacies. The group claimed that it identified and exfiltrated 6 TB of data in the attack, including highly sensitive patient data.

ALPHV/Blackcat claimed it stole data from huge names in healthcare including Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust, and tens of insurance companies. The group claims to have exfiltrated the sensitive records of millions of individuals including active US military/navy personnel. The group said it has stolen medical records, dental records, payment information, claims information, patients’ personally identifiable information including contact information and Social Security numbers, insurance records, and more than 3000 source code files for Change Healthcare’s solutions.

“Anyone with some decent critical thinking will understand what damage can be done with such intimate data on the affected clients of UnitedHealth/UnitedHealth solutions as well, beyond simple scamming/spamming,” wrote the group. “After 8 days and Change Health have still not restored its operations and chose to play a very risky game hence our announcement today”.

There had been some speculation that the group exploited a vulnerability in ConnectWise to gain access to Change Healthcare’s systems but the group claimed that was not its initial access vector.

Who are ALPHV/Blackcat?

ALPHV/Blackcat is a ransomware group that operates under the ransomware-as-a-service (RaaS) model. The group provides the encryptor and infrastructure to allow ransomware attacks to be conducted and recruits affiliates to conduct the attacks. The RaaS operators retain a percentage of any ransom payments, with the majority of each payment going to the affiliate.

ALPHV/Blackcat engages in double extortion. Before encrypting files, sensitive data is exfiltrated from the victim’s systems and a ransom demand is issued. The ransom must be paid to obtain the keys to decrypt data and prevent the publication or sale of the stolen data. The group maintains a dark web data leak site and leaks stolen data if the ransom is not paid. It is currently unclear how much the group is demanding from Change Healthcare but given the apparent extent of data theft and the massive impact the attack is having, the ransom demand is likely several million dollars.

ALPHV/Blackcat was first identified in November 2021 and rapidly became one of the most prolific RaaS groups, with only the LockBit RaaS group conducting more attacks over the past 18 months. According to the U.S. Department of Justice, the group has conducted more than 1,000 ransomware attacks, including several attacks on critical infrastructure providers in the United States. The attacks have resulted in hundreds of millions of dollars of losses.

ALPHV/Blackcat was the subject of a law enforcement operation in December 2023 that disrupted the group’s infrastructure. The FBI was able to develop a decryption tool to allow past victims to recover their data for free. That disruption was short-lived, and the group was soon able to recover. In response to the operation, the group removed restrictions for its affiliates, allowing them to attack all targets apart from those located in the Commonwealth of Independent States. Affiliates were encouraged to target healthcare organizations. The group had previously claimed that it had rules for affiliates preventing them from attacking medical institutions, ambulances, and hospitals.

Impact of the Change Healthcare Ransomware Attack

The Change Healthcare ransomware attack is having a nationwide impact and is causing massive disruption to healthcare operations. The outage of Change Healthcare’s systems, which are relied upon by thousands of healthcare providers and health insurers, is causing substantial billing and cash flow problems. Healthcare providers are unable to bill payers for their services, claims are not being paid, prior authorization submissions are being rejected, and it has not been possible to perform eligibility checks.

While workarounds are being implemented, the workload for the affected healthcare providers is considerable. Many providers are already struggling with staff shortages and have limited cash reserves, which will rapidly be eaten up should the outage continue. There have been reports that patients have been unable to receive essential medications unless they have the funds to pay for them in full out of their own pockets.

Change Healthcare Cyberattack Under Investigation

February 23, 2024

Change Healthcare is currently grappling with a cyberattack. Change Healthcare’s parent company, UnitedHealth Group, confirmed in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC) that, “A suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”

According to the filing, efforts are underway to restore systems and return to normal operations as soon as possible; however, no timescale has been provided on when that process will be completed. Change Healthcare is working with external cybersecurity experts to assess the nature and scope of the incident and secure its systems. UnitedHealth Group said it believes the attack has only affected Change Healthcare’s systems. All other systems across UnitedHealth Group and Optum are fully operational, and proactive steps have been taken to isolate the impacted systems from other connecting systems to contain the incident. UnitedHealth Group warned that the attack has caused disruption and that certain networks and transactional services are temporarily not accessible.

On February 22, 2024, the American Hospital Association (AHA) advised all healthcare organizations that have been disrupted or are potentially exposed to the incident to disconnect from Optum until it has been confirmed that it is safe to reconnect and to implement downtime procedures and contingency plans. Optum is a subsidiary of UnitedHealth Group that provides technology, data, pharmacy care, and direct healthcare.

Who is Change Healthcare?

Change Healthcare is a Nashville, Tennessee-based software, data analytics, and revenue and payment cycle management company owned by UnitedHealth Group. One of the biggest roles of the company is to connect payers, providers, and patients in the U.S. healthcare system. According to the Change Healthcare website, the company processes more than 15 billion healthcare transactions a year and its systems touch the health data of 1 in 3 Americans.

Has There Been a Change Healthcare Data Breach?

Change Healthcare is currently investigating the security incident and at this early stage of the investigation, it is not possible to tell to what extent, if any, patient data has been compromised. Change Healthcare has not confirmed if this was a ransomware attack or if data has been exfiltrated from its systems. If a Change Healthcare data breach has occurred, it has the potential to be massive as the personal and health information of 1 in 3 Americans touches Change Healthcare systems. If all of that data has been stolen, the Change Healthcare data breach could affect more than 110 million Americans.

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news