Change Attack Update: New Ransom Gang and Mounting Lawsuits

Cloudticity, L.L.C.

Since early March, Cloudticity has been following the massive attack on Change Healthcare that’s led to a deluge of issues, including operational delays, government involvement, lawsuits, and an increased threat of further attack.

While organizations that utilize Change Healthcare services are now operational, the situation has yet to be fully resolved. In fact, as more information comes to light, Change appears to still be in a precarious situation. We’ll provide an overview of the major events that took place and what new issues have arisen. 

How It Started

The attack first occurred in late February, when the Change Healthcare Platform, owned by the UnitedHealth Group, fell victim to a ransomware attack. The Russian-language group BlackCat ultimately took responsibility for the attack.

It’s estimated that approximately 30% of Americans have had data somehow connected to Change Healthcare. The company processes 15 billion transactions annually. 

When the company faced the attack, many platforms went offline, preventing countless transactions and other critical systems from functioning.

According to a survey by the American Hospital Association of 1,000 hospitals, 94% said they felt a financial impact from the event. One Massachusetts hospital reported losing nearly $24 million daily. 

UnitedHealth Group faced a devastating extortion threat; BlackCat threatened to sell 6 terabytes of data if a ransom was not paid. Meanwhile, the organization faced pressure from impacted hospitals that struggled to serve patients and generate revenue. 

Change ultimately decided to pay the ransom, stating “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure.” Yet even after Change paid the ransom and reconnected the majority of platforms, the ordeal is not over. 

From BlackCat to RansomHub

After Change paid the ransom, BlackCat claimed to have shut down. Its website displayed a seizure notice from the FBI, but the FBI confirmed that at the time, it had not seized BlackCat’s website.

With BlackCat seemingly inactive, it appeared the worst may have been over. But then RansomHub came on the scene. 

This organization claimed to have 4 terabytes of data. Experts considered it a possible BlackCat affiliate or potential bluff. Yet soon after, in April, tech website Wired received screenshots of some data, adding authenticity to RansomHub’s claims. 

RansomHub is similarly demanding funds and threatening to release data to the dark web. No further information regarding the demands or Change’s course of action has been released. As of April 23rd, the listing from RansomHub has been removed from the dark web, but it’s unclear what could happen next. 

New Government Initiatives

With the attack having a far-reaching impact on hospitals, pharmacies, and other facilities around the United States, the Health and Human Services (HHS) department has taken steps to assist struggling facilities and hold Change accountable for any part it played in the attack.

On March 18th, the HHS convened to discuss actions that could mitigate the financial impact. HHS Secretary Xavier Becerra and White House Domestic Policy Advisor Neera Tanden discussed adjustments to improve the claims process, with a particular focus on smaller providers, and those who serve vulnerable populations or are in rural communities. 

The HHS has taken several steps so far, including: 

  • The CMS released a FAQ regarding the availability of accelerated and advanced payments
  • OCR announced an investigation into the attack that would not target affected entities, but rather Change Healthcare and United Health Group
  • The CMS re-opened a Merit-based incentive payment system to provide relief
  • Medicaid agencies will be granted additional flexibility to ensure that states can make interim payments to impacted providers. 

Mounting Lawsuits

As of early April, Change Healthcare has been hit with 24 class-action lawsuits. 13 were filed by consumers who are concerned about data theft. Another 11 are from providers that struggled to receive payments while Change’s systems were down. 

Change Healthcare has filed to consolidate the cases, especially the multiple cases filed in Tennessee. While some cases name entities like United Health or Optum, Change has argued that its technology company is at the center of all cases, which could further consolidation. In a filing, Change asked for cases to be centralized into the federal U.S. District Court for the Middle District of Tennessee, the district where Change is headquartered.

Despite the lawsuits, Change has stated that its security was adequate and reasonable.  

Outside of these lawsuits, the HHS is launching an investigation into the incident to determine whether Change violated HIPAA. Part of the investigation will determine if Change should have notified patients. HIPAA requires healthcare clearinghouses, plans, and providers to report breaches to individual patients within 60 days of discovery. 

So far, Change has not disclosed what, if any, patient data was exposed. As a company, Change is estimated to be involved in 30% of American patient records. 

What the Experts Are Saying

The health subcommittee recently held a hearing, “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare attack,” on April 16th.

The hearing included several cybersecurity and healthcare experts. John Riggi, the National Advisor for Cybersecurity and Risk at the American Hospital Association, testified about the impact on hospitals: “The staggering loss of revenue has meant that some hospitals and health systems had to seek alternate ways to ensure they could pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.”

Riggi urged Congress to provide additional support for payments and an extension for current recoupment terms. He said that the AHA supports voluntary consensus-based cybersecurity practices, like the ones announced in January from the HHS. Riggi further shared that hospitals and health systems are not where the risk of cyber attacks lies; instead, the AHA notes that 95% of significant breaches first impacted business associates.

Greg Garcia, the Executive Director of the Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group, provided several recommendations to prevent future incidents and their impact. Recommendations include: 

  • Perform a health infrastructure mapping and risk assessment
  • Use risk assessment results to facilitate the government’s ability to “assess consolidation proposals for mergers and acquisitions against their potential for increased incident and impact risk.” 
  • Hold third-party product and service providers and business associates to a higher standard
  • Invest in a government-industry rapid response capability
  • Invest in a cyber safety net for underserved providers
  • Implement the HSCC’s 5-year Health Industry Cybersecurity Strategic Plan, which includes secure design and implementation of technology and services, and a “911 cyber civil defense” capability to lead early warning alerts and prevention tactics. 

Garcia testified that healthcare cybersecurity is a relatively new issue. As of 2017, the HHS Healthcare Cybersecurity Task Force diagnosed healthcare cybersecurity to be in “critical condition” because of the rise in digital healthcare, technological advances, the expansion of connected devices and data, and more.

Even as security issues rise, there are many steps healthcare organizations can take to make themselves less susceptible to future attacks.

Reviewing the Timeline

With so much happening, we compiled the major events of the attack and the lingering impacts still felt by hospitals and Change Healthcare. 

| Date | What Happened |
| --- | --- |
| February 21 | Change detects suspicious activity on its network; outages across pharmacies nationwide begin; more than 70,000 pharmacies are impacted |
| February 22 | Change issues statement regarding restoration, states a “nation-state group” may be responsible; AHA advises facilities to disconnect from Optum systems |
| February 26 | BlackCat claims responsibility |
| March 1 | Optum provides temporary funding assistance for companies struggling with cash flow, particularly small businesses |
| March 3 | BlackCat receives a bitcoin payment worth $20M. Change does not confirm if it paid the ransom. |
| March 5 | HHS provides accelerated payments to impacted hospitals, showing government involvement. |
| March 6 | UnitedHealth Group begins facing federal lawsuits; at least 5 with more to come. |
| March 7 | Change’s pharmacy electronic prescribing is functioning for claim submission and payment. Change promises to reconnect other services soon. |
| March 10-12 | Change continues to face heat; hospitals report losing millions daily, and HHS demands that United Health “take responsibility.” |
| March 20 | UnitedHealth restores Amazon Web Services from backups. |
| March 22 | Change begins restoring the largest clearinghouse platforms and begins processing $14 billion in claims. |
| March 27 | UnitedHealth Group begins the process of determining if patient data was stolen. Suggests it is likely. |
| April 8 | RansomHub claims they have 4 terabytes of data, and demands ransom payment. The validity of the threat is questionable. |
| April 12 | Technology website Wired is sent screenshots of data, legitimizing the threat. |
| April 23 | RansomHub’s listing of Change Healthcare data appears to be taken down. No further information has been released. |

 

How Cloudticity Can Help

Ransomware breaches are skyrocketing, and so are the associated costs. Unfortunately, the attack on Change Healthcare was wildly successful for ransom organizations and could spur future attacks.

Attacks can take down operations, impact patient well-being, and prove incredibly expensive. Between 2020 and 2023, the cost associated with a data breach increased by 53%, rising to an average of $11 million per breach.

While these attacks can be devastating, they are far from inevitable. Cloudticity has managed HIPAA workloads in the cloud for over 12 years, and thanks to our defense-in-depth security practices, we’ve never had a breach.

If you want to learn more about our ransomware solutions, reach out for a free consultation today.
