Stethoscope on laptop showing Change Healthcare ransom payment and patient data

Change Healthcare Admits to Making Ransom Payment to Protect Patient Data, Discloses That Hacker Broke in Days Before Attack

Parent company UnitedHealth Group has released further details about the devastating Change Healthcare attack that caused widespread damage throughout the United States, taking large chunks of revenue from some care providers and in some cases keeping patients from needed medication. The group has confirmed that it made a ransom payment to restore service, and that there is no indication that the attacker published any patient data on the dark web beyond 22 initial screenshots used as proof of the breach.

Security researchers have also since drawn some new conclusions about the attack, putting a name to the particular AlphV/BlackCat affiliate that broke in and confirming that this party is now working with RansomHub in a bid to extort Change Healthcare a second time.

Xen Madden, Cybersecurity Expert at Menlo Security, notes that more detail about exactly what patient information was lost is needed before individuals can assess their own level of risk from the incident: “The next steps for customers whose data has been stolen are unclear and depend on the specific data stolen for each person. For example, if the data is enough to steal their identity or successfully phish them, they should immediately seek advice from UnitedHealth and potentially use their free credit monitoring and identity theft protection. If customers can identify exactly what data has been made public, it would empower them to (hopefully) protect themselves. However, it is unclear whether UnitedHealth will inform customers about the exact data released and how streamlined that process will be. We will have to wait and see.”

Ransom payment was made to settle Change Healthcare attack, but the hacker is back for more

The UnitedHealth Group statement indicates that patient data is believed to be safe, at least for now. The company confirmed that the attackers did access some amount of personally identifiable information, but that there is no indication that doctor’s charts or detailed medical histories were exfiltrated. However, the company added that it expects its review of patient data to potentially take months to complete and that impacted parties may not be contacted for some time.

The company said that it is also continuing to scan the dark web regularly for any sign of patient data being leaked or sold, but there are no indications as of yet. The only leaked information thus far is a set of 22 screenshots posted as initial proof of the ransomware attack.

Even though a ransom payment was made, the attack was nevertheless devastating to the processing of health insurance claims and payment information across the country. The UnitedHealth Group update indicates that 99% of pharmacies are now back to normal ability to process claims, and that its internal payment processing capacity is back to 86% of normal. 80% of the function of its major platforms and products has also been restored and the group expects a full recovery in a matter of weeks. It also says that medical claims are back to near-normal processing levels, but that it is working directly with some smaller providers that remain hampered by the attack fallout and is seeking to set up alternate methods of submission for them.

The ransom payment had been widely reported prior to the company’s admission, due to an otherwise inexplicable Bitcoin transaction (equaling about $22 million) traced to a wallet known to be associated with AlphV. The RaaS provider also opted to pull what appeared to be an “exit scam” after this payment rolled in, leading to the bag-holding affiliate taking to dark web forums to accuse the group of theft.

That affiliate, who goes by the handle “Notchy,” seems determined to get their money one way or another, even if it means extorting Change Healthcare for a second ransom payment. Notchy has gone to up-and-coming RaaS provider RansomHub with the stolen data, possibly working with some former AlphV members that jumped ship, and is threatening to sell the information to the highest bidder if a new ransom payment is not negotiated soon.

Ransomware disruption, theft of patient data caused massive financial damage

The total damage of the incident is still being calculated, and may not be known for months, but at a preliminary look it would appear to be the most damaging ransomware attack on the US healthcare industry of all time. American Medical Association members reported that four out of five clinicians had lost revenue due to the incident, and that some practices were relying on an owner or doctor’s personal finances to bridge the gap while insurance processing was in disarray. Change Healthcare has reported losing $827 million thus far, but expects the total damage to be over $1 billion once all accounting is done.

The attacker has said that they are sitting on 6 TB of stolen patient data. The company handles patient information for some 15 billion transactions across the country, and has been estimated to potentially have personally identifiable or protected health information for one out of three of all medical patients in the country.

Narayana Pappu, CEO at Zendata, notes that this means a huge amount of people could be getting a breach notification in the mail sometime before the end of summer: “Considering the $22 million in ransom payment made in bitcoin, how widespread the disruption has been, and the reach of UnitedHealthcare, the impact and exposure in all probability is extremely significant. I fully expect that many of us should expect a “you may have been impacted” letter in the near future, with an offer for free credit monitoring.”

Healthcare organizations have rapidly become a favorite target of hackers due to these massive collections of patient data and personal information. Steve Hahn, EVP of Americas, BullWall, believes that the way the Change Healthcare incident has unfolded is a very bad indicator of how this trend will continue to unfold in the near future: “ALPHV (Blackcat) told the FBI, after the FBI claimed falsely that they “took down” the ALPHV group, that they would now focus all of their efforts on US healthcare organizations. This attack is the first of many we will see, as they seem determined to live up to that promise. Organizations can no longer rely solely on prevention. They must have containment and mitigation strategies in place. They can continue to work to try to stop these threat actors, but they must also plan on the inevitable, and work out rapid Ransomware “containment” and mitigation strategies as well as plans for how to rebuild after the event.”

Emily Phelps, Director at Cyware, believes that this threat is now so acute that the industry will need mutual aid plans to keep up: “By participating in such intelligence-sharing communities like Health-ISAC, healthcare providers can access a wealth of intelligence that helps them identify and mitigate potential threats more effectively. This collaborative approach not only enhances individual organizations’ defensive capabilities but also strengthens the overall security posture of the healthcare industry. Operationalizing this intelligence involves integrating it into security operations to enable real-time responses and preventative strategies. By doing so, healthcare entities can safeguard their critical infrastructure, ensuring the continuity of vital services and protecting sensitive patient data.”