Double Trouble: Change Healthcare

Dark Reading reports that Change Healthcare, a prominent healthcare technology unit of UnitedHealth Group, has yet again become a target of a ransomware attack. This new threat emerges just weeks after a significant cybersecurity incident involving the ALPHV/BlackCat ransomware group, which led to widespread disruptions across healthcare operations and posed serious privacy concerns due to the exfiltration of sensitive data.

The latest attack has been attributed to RansomHub, a ransomware gang demanding an extortion payment to prevent the sale of 4TB of stolen data, purportedly including sensitive information about U.S. military personnel and patients, alongside medical records and financial information. For perspective, 4TB of data printed single-spaced would fill approximately 300,000,000 pages of paper. That stack of printed data would stand over 18 miles (just under 30 km) tall, which is about the cruising altitude for commercial jets. RansomHub's threat to sell the data to the highest bidder if its demands are not met within 12 days adds immense pressure on Change Healthcare as it navigates recovery from the previous cyberattack (HIPAA Journal, SecurityWeek, Health IT Security, TechCrunch).

RansomHub's communication underscores the severity of the situation, indicating that this is Change Healthcare's and UnitedHealth's opportunity to safeguard their clients' data, which, according to the gang, has not yet been leaked. This development places Change Healthcare in a precarious position, challenging its recent strides toward restoring operations and ensuring the security of its systems and the data it manages (TechCrunch).

Security experts, including Malachi Walker from DomainTools, have commented on the situation, suggesting that the recent attacks might indicate a conflict between two rival gangs or potentially a complex landscape of ransomware operations where affiliations and tactics are fluid. There is also speculation about whether there is a rebranding or connection between ALPHV/BlackCat and RansomHub, though it is too early for definitive conclusions. This scenario highlights the sophisticated and interconnected nature of the cybercrime ecosystem, emphasizing the challenges organizations face in defending against and responding to ransomware threats (SecurityWeek).

In case you missed the news, Change Healthcare recently experienced an earlier significant cybersecurity incident, initiated by the BlackCat/ALPHV ransomware group. Identified in late February 2024, this attack led to widespread disruptions across healthcare and billing information systems, affecting a substantial portion of the U.S. healthcare system due to Change Healthcare's central role in processing healthcare transactions. The attackers claimed to have exfiltrated 6 TB of sensitive data, including medical records, insurance information, and personal health information (PHI) from millions of patients, posing serious privacy concerns and potentially constituting one of the largest healthcare data breaches ever.

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has launched an investigation into the breach, focusing on whether there was a violation of the Health Insurance Portability and Accountability Act (HIPAA) rules concerning the safeguarding of protected health information. OCR emphasizes the importance of maintaining security measures to protect against such cyberattacks and offers resources to assist healthcare entities in strengthening their cybersecurity defenses (SecurityWeek).

UnitedHealth Group has been actively restoring affected services and has made progress in resuming operations, including processing millions of transactions through a new instance of Change Healthcare's Rx ePrescribing service. Despite these efforts, the attack has considerably impacted healthcare services, including prescription processing and insurance claim submissions, with pharmacies and healthcare providers nationwide experiencing significant disruptions (HIPAA Journal, Health IT Security).

The involvement of the BlackCat/ALPHV ransomware group, a notorious Russia-based cybercrime gang, highlights the ongoing threat ransomware poses to critical infrastructure sectors, including healthcare. This incident has led to increased scrutiny of the cybersecurity practices of healthcare entities and the need for robust defenses against sophisticated cyber threats (TechCrunch).

As the fallout from this cyberattack continues, there are growing concerns about the potential leak of stolen patient data online. Such a breach could have far-reaching implications for patient privacy and the integrity of the U.S. healthcare system. The situation underscores the critical need for healthcare organizations to enhance their cybersecurity measures and for ongoing vigilance against cyber threats (TechCrunch).

The repeated targeting of Change Healthcare raises broader concerns about the cybersecurity vulnerabilities within the healthcare sector. It underscores the need for robust security measures and prepared strategies for ransomware defense and recovery. It also highlights the critical importance of collaboration between law enforcement, cybersecurity experts, and affected organizations to address these pervasive cyber threats effectively.
