Cyber attack in the USA

A cyberattack on health tech giant Change Healthcare has left much of the US healthcare system shut down for the second week in a row.
Hospitals were unable to check patients' insurance benefits for hospital stays, handle the prior authorizations required for procedures and surgeries, or process billing for medical services. Pharmacies, cut off from patients' health insurance records, struggle to determine how much to charge for prescriptions, forcing some patients to pay for expensive drugs out of pocket in cash while others cannot afford the cost at all.
Since Change Healthcare abruptly shut down its network on February 21 in an effort to contain the digital intruders, some smaller healthcare providers and pharmacies are warning of dwindling cash reserves as they struggle to pay their bills and staff without the steady flow of claims payments from the insurance giants.
Change Healthcare’s UnitedHealth Group parent company said in a filing with government regulators on Friday that the health tech company was making “substantial progress” in restoring its affected systems.
As the short-term impact of the ongoing outages on patients and providers becomes clearer, questions remain about the security of millions of people’s highly sensitive medical information managed by Change Healthcare.
A prolific Russia-based ransomware gang that took credit for the Change Healthcare cyberattack has claimed, without yet releasing details, to have stolen huge troves containing millions of patients' private medical data from the health tech giant's systems. In a new development, the ransomware gang now appears to have faked its own collapse and gone off the map after receiving a ransom payment worth millions of dollars in cryptocurrency.
If patient data is stolen, the impact on affected patients will likely be irreversible and long-lasting.
Change Healthcare is one of the world’s largest facilitators of health and medical data and patient records, handling billions of healthcare transactions annually. As of 2022, the health technology giant is owned by UnitedHealth Group, the largest health insurance provider in the United States. Hundreds of thousands of doctors and dentists, as well as tens of thousands of pharmacies and hospitals across the United States, rely on it to bill patients according to what their health insurance benefits allow.
This size presents a particular risk. US antitrust officials sued unsuccessfully to block UnitedHealth from buying Change Healthcare and merging it with its health services subsidiary Optum, arguing that UnitedHealth would gain an unfair competitive advantage through access to the “about half of Americans’ health insurance claims” that pass through Change each year.
For its part, Change Healthcare has so far repeatedly declined to say whether patient data was compromised in the cyberattack. That has not reassured healthcare executives, who worry that the consequences of the cyberattack for patient data are yet to come.
In a letter dated March 1 to the US government, the American Medical Association warned of “significant data privacy concerns” amid fears that the incident “resulted in widespread breaches of patient and physician information.” AMA President Jesse Ehrenfeld was reported as telling reporters that Change Healthcare has not provided “any clarity about the data that was breached or stolen”.
A director of cybersecurity at a major US hospital system told TechCrunch that while they are in regular contact with Change and UnitedHealth, they haven’t heard anything so far about the security or integrity of patient records. The cybersecurity director expressed concern about the possibility of hackers posting stolen sensitive patient data online.
That person said Change’s communications, which gradually escalated from suggesting data may have been compromised to acknowledging an active investigation with several incident response companies, suggest it’s only a matter of time before we know how much has been stolen, and by whom. Customers will bear some of the brunt of this hack, this person said, asking not to be named as they are not authorized to speak to the press.
Ransomware gang pulls ‘exit scam’
Now, the hackers seem to have disappeared, adding to the unpredictability of the situation.
UnitedHealth initially attributed the cyberattack to unspecified government-backed hackers, but later walked back that claim and instead blamed a Russian ransomware and extortion group called ALPHV (aka BlackCat), which has no known links to any government.
Ransomware and extortion gangs are financially motivated and typically use double-extortion tactics: first they encrypt the victim’s data with file-encrypting malware, then they steal a copy for themselves and threaten to publish the data online if their ransom demand is not paid.
On March 3, an affiliate of ALPHV/BlackCat – essentially a contractor who earns a commission on the cyberattacks they carry out using the ransomware gang’s malware – complained in a post on a cybercrime forum that ALPHV/BlackCat had cheated the affiliate out of their share of the profits. The affiliate claimed in the post that ALPHV/BlackCat pocketed the $22 million ransom allegedly paid by Change Healthcare to decrypt its files and prevent a data leak, as first reported by veteran security watcher DataBreaches.net.
As proof of their claims, the affiliate provided the exact cryptocurrency wallet address that ALPHV/BlackCat had used two days earlier to receive the ransom. The wallet showed a single transaction worth $22 million in bitcoin at the time of payment.
The affiliate added that despite losing their share of the ransom, the stolen data is “still with us,” suggesting that the affiliate still has access to reams of stolen sensitive medical and patient data.
UnitedHealth has declined to confirm to reporters whether it paid the hackers’ ransom, saying instead that the company is focusing on its investigation. When TechCrunch asked UnitedHealth if it disputed reports that it paid a ransom, a company representative did not respond.
By March 5, the ALPHV/BlackCat website had disappeared in what investigators believe was an exit scam, where the hackers run off with their newfound fortune, never to be seen again, or lie low and later re-form as a new gang.
The gang’s dark web site was replaced with a splash screen that purported to be a law enforcement seizure notice. In December, a global law enforcement operation dismantled parts of ALPHV/BlackCat’s infrastructure, but the gang returned and soon began targeting new victims. This time, however, security researchers suspect the gang is running the scam itself rather than facing another law enforcement takedown.
A spokesperson for the UK’s National Crime Agency, which was involved in the initial operation to take down ALPHV/BlackCat last year, told TechCrunch that the apparently seized ALPHV/BlackCat website was “not the result of NCA activity”. Other global law enforcement agencies likewise denied involvement in the group’s sudden disappearance.
It is not uncommon for cybercrime gangs to rebrand or re-form as a way to shed reputational baggage, as one might after being taken down by law enforcement or after making off with an affiliate’s ill-gotten gains.
Even when a payment is made, there is no guarantee that the hackers will delete the data. A recent global law enforcement effort to shut down the LockBit ransomware operation found that the cybercrime gang did not always delete victim data as it claimed it would when a ransom was paid. Companies are beginning to recognize that paying a ransom does not guarantee the return of their files.
For those on the front lines of healthcare cybersecurity, the worst-case scenario is that stolen patient records become public.
The patient safety and financial impact of this will be felt for years, the hospital’s director of cybersecurity told TechCrunch.
Do you work at Change Healthcare, Optum or UnitedHealth and know more about cyber attack? Contact us on Signal and WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.