On February 21st, an unnatural disaster hit healthcare providers across the nation. The fallout: Hospitals that couldn’t file claims, healthcare practices unable to pay their staff, and individuals paying out of pocket for prescriptions.
Change Healthcare (CHC), a healthcare technology and business management vendor, was down as a result of a ransomware attack. UnitedHealth Group, which acquired Change Healthcare in 2022, announced that it had discovered threat actors had gained access to CHC’s environment and that it quickly disconnected the impacted systems to stop the spread.
But CHC handles one in every three patient records in the United States. With it offline, healthcare providers were left scrambling.
Medical claims processing, pharmacy operations, and practice management slowed or stopped for thousands of hospitals, medical groups, and pharmacies.
The event prompted an investigation by the Department of Health and Human Services (HHS), whose Office for Civil Rights described the incident as being of “unprecedented magnitude.” Later, a cohort of leaders from HHS, the White House, and health insurance companies discussed how to respond and recover.
To mitigate the fallout of the attack, Change Healthcare initiated a temporary funding program, and the Centers for Medicare and Medicaid Services (CMS) introduced flexibilities to provide relief for providers.
The attack was perpetrated by the notorious ransomware gang ALPHV/BlackCat, which the FBI has described as the second most prolific ransomware-as-a-service variant in the world. In December, the FBI disrupted the gang’s operations by seizing several websites operated by the group and offering a decryption tool to its victims.
Unfortunately, that didn’t seem to deter the group or its affiliates from targeting one of the largest medical claims payment processors in the United States. ALPHV/BlackCat allegedly stole four terabytes of data, and an affiliate hacker claims to have accessed data from numerous other healthcare firms partnered with CHC as well.
While Change Healthcare has not confirmed that it paid a ransom, security researchers spotted a publicly visible $22 million transaction on Bitcoin’s blockchain to an address connected to ALPHV/BlackCat.
The Office for Civil Rights issued a “Dear Colleague” letter stating that the primary focus of its investigation is UnitedHealth Group and whether a breach of protected health information occurred. Impacted healthcare providers are a secondary concern for the investigation, but the letter included the following reminder:
“We are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs.”
In December 2023, HHS released a concept paper outlining the Department’s cybersecurity strategy for the industry; this builds on the National Cybersecurity Strategy outlined by President Biden and introduces new healthcare-specific cybersecurity goals to increase accountability within the sector.
This incident serves as a real-life (worst-case scenario) reminder: The healthcare ecosystem is deeply interconnected. To prevent future catastrophic events, the entire industry needs to address an overreliance on a handful of vendors and meet the government’s cybersecurity standards. But sweeping systemic changes won’t happen overnight.
So, yes, operations are slowly returning to normal. But will “normal” be enough for the healthcare industry in the future?
It’s too early to understand the full scope of losses related to the attack. UnitedHealth has not revealed much on the topic of exposed patient data, but they have just begun the massive undertaking of parsing through what information may have been accessed by threat actors.
There’s also no guarantee that ALPHV/BlackCat deleted any of the exfiltrated data, even if UnitedHealth paid the ransom. And to make matters worse, the affiliate behind the attack claims they still have a copy (and were never paid by ALPHV/BlackCat).
In short, we have no idea what or how much data ALPHV/BlackCat accessed, which means millions of patients’ sensitive health information could be compromised. Plus, the sheer scale of the breach requires a thoughtful approach to notification. Think of how many healthcare providers the average patient sees a year (dentist, pharmacist, primary care) and the confusion (or panic!) if they get a separate notification from each.
UHG stated that, “where permitted,” it will handle the notification process for customers whose data was impacted. Depending on the services healthcare providers receive from CHC, CHC may act as a clearinghouse (in and of itself a HIPAA-covered entity) or a business associate of the healthcare entities. The terms of companies’ master agreements and business associate agreements with CHC entities will determine whether UHG will handle the notification process on behalf of the entities.
In a letter to Congress, the American Hospital Association called the Change Healthcare hack “the most significant cyberattack on the U.S. healthcare system in American history.”
While the scale is unprecedented (most vendors aren’t involved in a third of the business transactions in their industry), the incident is a clear example of the impact third parties have on business resilience. Or rather, of how quickly any organization can suffer if a critical vendor goes offline.
Third-party risk management helps organizations identify and assess the risks associated with their vendors so that a plan is in place before a critical partner is breached.
The actions an organization takes in the first 48 hours of a business disruption dictate the speed and effectiveness of resuming business operations. To make effective and quick mobilization possible, they need a business continuity and disaster recovery (BCDR) strategy.
A BCDR strategy doesn’t just cover an organization’s own systems; it also covers its dependency on vendors. Building one forces conversations between business units and IT about which vendors are critical and what the contingency plan is if they go offline.
Try to avoid letting vendor contracts or BAAs go untouched for too long (especially given the frequency of mergers and acquisitions). As part of third-party risk management, organizations should regularly make sure contracts are up to date, negotiate favorable terms where possible, and note any provisions related to a cyberattack.