A Reuters report has popped onto my radar detailing that UnitedHealth’s tech unit Change Healthcare has been pwned by the BlackCat ransomware group, and the company has confirmed it. Which effectively confirms a story that I recently wrote:
UnitedHealth Group said on Thursday the cyberattack at its tech unit, Change Healthcare, was perpetrated by hackers who identified themselves as the “Blackcat” ransomware group.
The statement confirms a Reuters report on Monday. UnitedHealth had initially blamed a “suspected nation-state associated cybersecurity threat actor” for the disruption.
The hack, disclosed last Wednesday, has had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.
The company said its experts were working with law enforcement authorities and third-party consultants to gauge the impact on its customers and patients.
“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” UnitedHealth said.
In a message posted on its darknet site, which was quickly deleted, the group known as “Blackcat” or “ALPHV” said on Wednesday it stole millions of sensitive records, including medical insurance and health data, from the company.
I have two comments on this story, starting with Nic Finn, Senior Threat Intelligence Consultant at GuidePoint Security:
Following December’s law enforcement disruption of their data leak site, Alphv, also known as BlackCat, has vowed increasingly aggressive actions and removed ostensible restrictions on targeting critical infrastructure and healthcare.
While Alphv may have notionally prohibited targeting such organizations in the past, the group has been actively attacking healthcare organizations for a while now, with several large healthcare providers and networks impacted in 2023. Of the attacks impacting healthcare we observed in 2023, Alphv was responsible for nearly 10%, second only to LockBit.
While we have seen several healthcare organizations impacted by Alphv in 2024, it remains to be seen whether this is an intentional increase representative of deliberate targeting or just continued operations as usual, pursuing vulnerable targets of opportunity and exploiting frequent weaknesses in health organization networks. Healthcare organizations make attractive targets for ransomware groups due to the sensitivity and value of Personally Identifiable Information and Protected Health Information, which both increase extortive leverage over victims and the value of data for sale to other actors should the victim not pay.
More than perhaps any other group, Alphv has exhibited a particularly aggressive approach to public statements, routinely ridiculing victims and their associated incident responders and calling out alleged security shortcomings, which is likely intended as much as a coercive lever and ‘final warning’ to the victims as it is a signal to future victims of the consequences of non-compliance.
The next comment is from Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber:
The BlackCat group claimed Change Healthcare as a victim, and the company confirmed that cybercriminal actors are behind a recent cybersecurity incident, changing course from a previous statement that blamed nation-state hackers for the attack.
U.S. authorities announced they disrupted BlackCat’s operations late last year, but the group has recently returned to claiming attacks against new victims. A confirmed attack against a major healthcare organization would be the strongest indication that the ransomware group has resumed its activities.
BlackCat was the second most active ransomware gang in terms of claimed victims last year, threatening organizations in virtually every primary sector. December’s disruption operation may have temporarily or partially changed the group’s operational ability, but defenders across the community should note a confirmed return.
This continues a troubling trend of health care organizations being pwned in cyberattacks because they’re low-hanging fruit for threat actors. This needs to change, and it needs to change now.

Cyberattack on insurance company Change Healthcare disrupting business for doctors, therapists
Posted in Commentary with tags Hacked on February 29, 2024 by itnerd

CNN is reporting that a week after a cyberattack disrupted insurance processing at pharmacies across the US, health care professionals in the US say the hack continues to upend their businesses and cost them money:
Carter Groome, chief executive of Health First Advisory, a cybersecurity firm whose clients include big health care organizations, estimated that some health care providers are losing more than $100 million per day because of the outage.
“That’s just not sustainable in an industry with not a lot of cash on hand,” Groome told CNN.
“This is our Colonial Pipeline,” he said, referring to a 2021 ransomware on one of America’s biggest pipelines that disrupted fuel shipments for days and cemented ransomware as a national security concern in the minds of senior US officials.
In the wake of the hack, Elevance Health, which owns Anthem Blue Cross and Blue Shield and insures millions of Americans, has severed network connections to Change Healthcare “out of an abundance of caution,” Elevance spokesperson Leslie Porras told CNN in an email.
“The ability for our members to access medical care, services or fill their prescriptions remains unaffected,” Porras said.
As of Wednesday morning, Change Healthcare said the company’s affected network was still offline. Tyler Mason, a company spokesperson, said that insurance claims submissions have returned to “pre-disruption levels” because health care providers are using “alternative clearing houses” to submit claims.
Mason said that doctors and patients can use these workarounds to address the problems described by Parikh and Disney.
“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need,” Mason said in an email. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”
This is bad. I will comment as to why in a moment. But right now, I’ll let Melvin Lammerts, Lead Hacker at Hadrian, comment on this:
“The Change Healthcare attack underscores the healthcare sector’s vulnerability to damaging cyberattacks. This incident caused significant disruptions in patient care, financial losses for providers, and potential harm to patients and their families. It highlights systemic weaknesses in healthcare cybersecurity and the pressing need for healthcare organizations to prioritize robust security measures. This includes thorough risk assessments, comprehensive incident response plans, strong network protection, and reliable backup systems. Furthermore, the attack emphasizes the importance of collaboration between healthcare providers and government agencies. This partnership is essential to build more resilient defenses against evolving cyber threats and mitigate their severe impact on patient care.”
This is yet another example of how healthcare organizations are low-hanging fruit for threat actors. The fact that I have been writing about this so often in the last few days illustrates that. Change to make healthcare less of a target needs to happen now.
UPDATE: BullWall executive Carol Volk had this to say:
“Ransomware attacks in the healthcare sector endanger patient lives by disrupting critical services and their supply chain. Strong cybersecurity practices are essential to protect patient safety, as well as privacy, and to ensure continuity of care. Providers throughout the entire healthcare chain must prioritize cybersecurity by conducting thorough risk assessments and implementing effective response strategies to remove this important target from attackers’ sights. First class defense tools, including ransomware containment systems, are readily available and must be a priority or we’ll continue to see attacks escalate.”
Mark B. Cooper, President & Founder, PKI Solutions adds this comment:
“The lingering effect and the extent of those impacted by Change’s cyber-attack exemplifies the prolific challenges the healthcare industry faces in safeguarding its Critical Infrastructure Protection (CIP) environments.
“It highlights the need for a mindset shift from reactive to proactive measures that prevent vulnerabilities from becoming a problem. It requires real-time, attentive monitoring to quickly identify misconfigurations and alert the appropriate security resources for prompt remediation. Without such measures, the healthcare industry will continue to be a target with debilitating outcomes where the impact isn’t triggering simply an 8-K or an assembly line disruption, it’s people’s health and their quality of life.”
Emily Phelps, VP, Cyware had this comment:
“This event highlights the vulnerability of healthcare organizations to cyber threats and the cascading effects such disruptions can have on patient care and revenue streams. It emphasizes the urgent need for healthcare organizations to invest in cybersecurity efforts that enable proactive defense.
“By leveraging Health ISACs, for example, and integrating and operationalizing threat intelligence, even organizations with limited security resources can better anticipate and mitigate the impact of such attacks. This approach not only protects sensitive data but also ensures that healthcare services remain uninterrupted, thereby safeguarding patient well-being. In response, the healthcare sector must prioritize investments in cybersecurity infrastructure and training to build resilience against future cyber threats.”