Change Healthcare Pays Out $22M to Blackcat | Cloudticity

Written by Abby Grifno | Mar 4, 2024 8:22:05 PM

Hackers recently gained access to Change Healthcare’s IT system, interrupting pharmacy service across the country.

What happened

Change Healthcare Platform, owned by UnitedHealth Group, is a healthcare technology company providing administrative and data services. As of 2015, the company served over 700,000 providers, 5,000 hospitals, 105,000 dentists, 60,000 pharmacies, 600 vendor partners, and 150 labs. Since then, the company has significantly grown. 

In a breach filing with the SEC, UnitedHealth Group said abnormal activity was detected on its servers on February 21st. The incident began in the early morning hours on the East Coast, when pharmacies and healthcare facilities first began facing outages.

In the filing, the company said they “identified a suspected nation-state associated cybersecurity threat had gained access to some of the Change Healthcare information technology systems,” implying that the malicious actors may be working in conjunction with another nation. 

Once UnitedHealth Group detected the threat, the organization quickly took action by isolating Change Healthcare from the rest of its systems. 

On February 23rd the company said the issue was ongoing and that experts were “working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.”

While UnitedHealth Group has remained diligent in its efforts to resolve the incident, the impact has been major, preventing patients all around the United States from receiving prescriptions. 

A national impact that could last weeks

According to one report, Change Healthcare processes over 15 billion healthcare transactions annually, or approximately one in three United States patient records. The company assists in providing several solutions, including helping facilitate transactions between providers and major insurance companies. 

When the company took its systems offline, the biggest impact was felt by pharmacies, which are continuing to face prescription delays due to processing issues. Doctors are currently unable to check if patients are eligible for prescriptions or fill them electronically. 

The majority of Change Healthcare’s system is still offline. In response, some workers are attempting to complete the work manually, resulting in massive amounts of clerical work that is meticulous and time-consuming.  

Now, it’s been two weeks and systems are still offline.

Pharmacies face financial pressure

Many major pharmacies work with Change Healthcare; CVS and Walgreens have seen disruptions, as have military clinics and hospitals worldwide.

Yet smaller practices are also being impacted. According to CNBC, many of these healthcare organizations rely on reimbursement cash flow to operate. With no immediate solution, the situation is increasingly placing financial stress on these smaller institutions.  

“I don’t think that people are aware that the actual people providing the services are not able to extract revenue for those services,” said Dr. Dan Inder Sraow, an interventional cardiologist in Phoenix, Arizona. “We don’t know how long that’s going to be, and that’s such a dangerous, dangerous thing.”

While some practices have floated the idea of switching platforms, that process is also long and time-consuming, possibly overwhelming an already stressed staff. 

According to TechCrunch, many healthcare organizations are scrambling to make decisions. Columbia University, which runs a large hospital in New York, disconnected all systems from UnitedHealth Group, Change Healthcare, and Optum. Tricare, the U.S. military health insurance provider, also stated they had been impacted.  

The American Hospital Association (AHA) advised hospitals and healthcare providers to “consider disconnection from Optum until it is independently deemed safe to reconnect.”

Bringing in the experts

In efforts to resolve the incident, Change Healthcare has brought in several experts and is working with law enforcement. Namely, the company is working with third-party consultants Mandiant and Palo Alto Networks.

Mandiant, operated by Alphabet’s cybersecurity unit, is handling the investigation. While Mandiant confirmed its involvement to Reuters, the company has not commented on its investigation efforts.

Blackcat takes responsibility

Change Healthcare says the ransomware group Blackcat is responsible for the attack. Blackcat, also known as AlphV, is a Russian-speaking organization but is not officially linked to any government entity. Blackcat allegedly posted on the dark web that it has accessed "more than 6TB of highly selective data". Change Healthcare's systems have been down since February 21st.

Back in December, Blackcat faced a takedown led by the US, which resulted in several websites and decryption tools being seized. Blackcat threatened to retaliate, and this attack may be the result. 

Blackcat receives $22M ransom

On March 1st, a cryptocurrency wallet associated with BlackCat, previously identified by security researchers, received a single transaction valued at roughly $22 million. Change Healthcare has neither confirmed nor denied the payout.

Brett Callow, a ransomware-focused researcher with security firm Emsisoft, says, "If Change did pay, it's problematic. It highlights the profitability of attacks on the health care sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”

Blackcat shutting down, or an exit scam?

On March 5, a representative for Blackcat said the group was shutting down, and that it had already found a buyer for its ransomware software. However, experts say there's something else going on.

The BlackCat website now displays a seizure notice from the FBI, but various researchers have pointed out that this notice appears to be a simple copy and paste from the one left by the FBI during its December raid on BlackCat's network. The FBI has yet to comment on this.

Blackcat operates by licensing its ransomware software to private contractors, who then receive commissions on their activities when they result in ransom payouts. Experts point out that Blackcat is merely pulling an "exit scam" so it doesn't have to pay out its contractors.