The Change Healthcare Cyberattack

Three weeks ago, on Wednesday February 21st, Change Healthcare, a division of UnitedHealth Group, was hit by a ransomware attack that was devastating by any measure. That cyberattack shut down the largest healthcare payment system in the United States. The US Department and Health and Human Services addressed an open letter to “Health Care Leaders”, writing: As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system.

The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one of every three patient records. The attack has impacted payments to hospitals, physicians, dental offices, pharmacists, and other health care providers across the country.

The day following the attack, on February 22nd, UnitedHealth Group filed a notice with the US Securities and Exchange Commission stating that “a suspected nation-state associated cybersecurity threat actor” had gained access to Change Healthcare’s networks. Following that UHG filing, CVS Health, Walgreens, Publix, GoodRX, and BlueCross BlueShield reported disruptions in insurance claims.

One week later, on the 29th, UHG confirmed that the ransomware attack was “perpetrated by a cybercrime threat actor who represented itself to Change Healthcare as ALPHV/Blackcat.” In the same update, the company stated that it was “working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks” to address the matter. And then, four days later, eight days ago on March 4th, Reuters reported that a bitcoin payment equivalent to nearly $22 million USD was made to a cryptocurrency wallet “associated with ALPHV.”

UnitedHealth has not commented on the payment, instead stating that the organization was “focused on the investigation and the recovery.”  Apparently to the tune of $22 million US dollars. Now this is the point where most people would think the worst is over. Not by a long shot!

ALPHV/Blackcat is a ransomware as a service group. This means that they provide the software and back-end infrastructure while their affiliates perpetrate the attacks and in turn receive the lion’s share of the payment, in this case 70%, of any ransoms paid.

Here’s the next problem! In this instance it appears that ALPHV/Blackcat is not eager to part with that 70%, which amounts to around $15.4 million, so they’re claiming that they’ve shut down and disbanded. Nice timing!!!

A little over a week ago, the HIPAA Journal posted some interesting information. They wrote: “The ALPHV/Blackcat ransomware group appears to have shut down its ransomware-as-a-service (RaaS) operation, indicating there may be an imminent rebrand. The group claims to have shut down its servers, its ransomware negotiation sites are offline, and a spokesperson for the group posted a message, “Everything is off.” A status message was later added and ALPHV/Blackcat claimed that their operation was shut down by law enforcement and said it would be selling its source code.”

Optum paid the 350 Bitcoin ransom to have the stolen data deleted and to obtain the decryption key. The payment address shows a $22 million payment had been made to a bit-coin wallet address and the funds have since been withdrawn. The wallet has been tied to ALPHV/Blackcat as it received payments for previous ransomware attacks that have been attributed to the group.

The stolen data includes sensitive information from Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust and health care insurance companies.

It’s unclear what the cyber criminals plan to do with the stolen data and whether they will attempt to extort Change Healthcare or try to sell or monetize the data. Currently, neither Change Healthcare nor its parent company UnitedHealth have confirmed if they paid the ransom and issued a statement saying they are currently focused on the investigation.

So this is all still a big mess. It appears that the Blackcat gang made off with Optum’s $22 million dollars, the affiliate didn’t get the $15.4 million or more that they feel they deserve and Optum got neither the decryption keys nor the deletion of their 6TB of data that they paid $22 million for.

More than 80% of hospitals said the cyberattack has affected their cash flow, and of those nearly 60% report that the impact to revenue is $1 million per day or more. In addition, the survey found that 74% of hospitals reported adverse effects to direct patient care due to the cyberattack.

For the rest of us, we can expect the stolen data to be monetized and sold over the coming months putting all of us at even more cyber security risk. On the dark web, medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card.

Meanwhile, the inevitable class action lawsuits have started to be filed due to the loss of patient care health records. At last count at least five lawsuits are now underway.

HIPAA Journal: https://www.hipaajournal.com/multiple-class-action-lawsuits-change-healthcare-ransomware-attack/

Cyberattack explainer: https://www.usnews.com/news/health-news/articles/2024-03-04/explainer-what-to-know-about-the-change-healthcare-cyberattack

Thanks to Steve Gibson of Security Now for all of this background information.