Change Healthcare reports a cyber incident
On February 21st, at 02:15EST, the health tech firm Change Healthcare (part of Optum, a UnitedHealth Group company) announced on their status page that some applications were unavailable. Later that morning, a new message stated they were experiencing enterprise-wide connectivity issues. By that afternoon, an update confirmed that the network interruption was due to an external cyber attack.
"Change Healthcare is experiencing a cyber security issue, and our experts are working to address the matter. Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. At this time, we believe the issue is specific to Change Healthcare and all other systems across UnitedHealth Group are operational. The disruption is expected to last at least through the day. We will provide updates as more information becomes available."
With a reported 15 billion healthcare transactions handled annually and 1 in 3 US patient records touching their clinical connectivity solutions, the scope of what could be impacted is staggering.
Change Healthcare currently lists major outages on 115 solutions, including applications, customer portals, and transaction management platforms. A check of the status page today offers no new details or estimated downtime.
Update Feb 29 2024: The latest log on their status update page reads, "Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.
Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare's systems. We are actively working to understand the impact to members, patients and customers."
Update Mar 4 2024: The latest post on The Optum/Change status page directs users to a page on UHG's website dedicated to information about the cyber attack and now reads, "Change Healthcare will use this status page to provide updates about specific products and services, including uptime and support availability."
Thinking outside of their immediate network, what do those outages mean in the real world? This cyber incident has caused a ripple effect, disrupting health providers' and pharmacies' ability to process prescriptions and other patient essentials across the United States. Far more than just a vague and ominous logged status, this situation translates into thousands—if not millions—of actual people unable to access the care they need.
While this cyber attack is making headlines and attracting worldwide attention, the incident only underscores the broader issue of cyber threats plaguing the healthcare sector. Cyber security experts have long lectured about strengthening cyber resiliency as organizations rapidly embrace innovation and undergo transformation.
In the wake of the Change Healthcare attack, we think it's crucial to explore the threat landscape in the healthcare sector and offer practical guidance on the key risk mitigation steps information security leaders and affected individuals should review right now.
Cyber security in healthcare
Change Healthcare and the UnitedHealth Group family of companies are part of an industry in which cybercriminals are particularly interested. The healthcare industry has experienced increasing levels of cyber attacks, especially ransomware, in recent years. Our own threat intelligence reports consistently place healthcare in the top 3rd or 4th spot for the most targeted sector.
Additionally, last year was the worst year on record for healthcare data breaches, with an estimated 133 million breached patient records— more than double the count from 2022.
When you think about it, it's no shock as to why. Healthcare professionals have incredibly busy jobs and may not have the time or resources to prioritize online security. Even with remarkable, exponential advances in medical technology in recent years, certain devices and legacy systems are still vulnerable.
Furthermore, medical records contain highly sensitive personally identifiable information (PII) and make for an attractive prize for criminals to obtain. With even more specific personal data found in protected health information (PHI), the exfiltration of these details becomes even more lucrative for bad actors.
Our Director of Healthcare Services, Kurt Osburn, illustrates the reality of what can happen as a result of leaked information like this, explaining "whether done directly or sold to someone else with the capability, they can build a fake person on the internet using your data because they've got birth, they usually have where you were born, they have your social security number, your full name, address, I mean everything you need to build a credit record or file taxes is in a healthcare record."
The nature of cyber threats evolves rapidly. The consequences of data breaches will only become more severe in the future.
Osburn adds, "You know, they used to bother stealing credit cards. Cards are nothing anymore. A credit card you can turn off, switch it over. You can't do that with healthcare records. You can't do that with personal information. Any new transactions, credit lines opened, social media accounts that get taken over...you have to track all this information for the rest of your life if you've been breached."
The looming threat of PII falling into the wrong hands is terrifying, but what about the immediate crisis? Healthcare IT systems are down. Medical record systems are offline. That means physicians are probably impacted in their ability to operate. Pharmacies are unable to process prescriptions or manage transactions. Concerning the current crisis with Change Healthcare, hospitals and third-party suppliers such as Camp Pendleton Naval Hospital, Scheurer Health, and GoodRx have reported delays in services.
Cyber incidents: When, not if
It's 2024, and the statistics surrounding cyber attacks paint a grim picture: cyber incidents are seemingly inevitable. Instead of cycling through what-ifs, the most important question we want to ask is, "Are you prepared?"
As mentioned above, the healthcare sector has become rife with ransomware. Over the past two days, many security professionals have speculated that was indeed the case in the Change Healthcare attack. Their response of disconnecting affected systems is a typical initial response in such a scenario.
Kurt Osburn notes that ransomware is a good guess, saying, "A couple of things could have happened. If medical records were stolen and they found out, they're going to lock off all external access just to see if they can find out where the exposure was. But the second thing is, it could be ransomware because this company doesn't have access- nobody has access to medical information or services anymore."
On the other hand, parent company UnitedHealth Group had first revealed in an SEC disclosure earlier in the week that they "identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems." This statement complicates the situation and introduces different motives and capabilities. Blackcat is not believed to be linked to a specific nation-state or government, but there has been no further context from United Healthcare Group.
Most recently, the Health-ISAC and sources for Reuters both broke news of a new twist in the story— They believe it was, in fact, a ransomware attack carried out by the notorious ALPHV/Blackcat group. The Health-ISAC (Information Sharing and Analysis Center), which is a global non-profit that offers critical cyber threat intelligence and best practices for health stakeholders, attributed IOCs toward the ransomware gang.
Update Feb 29 2024: On behalf of Change Healthcare, UnitedHealth Group confirmed that ALPHV/Blackcat was the perpetrator of the incident. The group took credit for the attack in a post Wednesday before deleting it.
Update Mar 5 2024: A Bitcoin wallet thought to be linked with ALPHV shows it received 350 Bitcoin in a single transaction on March 1st. There is growing suspicion that this could have been a ransomware payment. An intelligence analyst from Recorded Future shared a RAMP forum post submitted by a user claiming to be part of an ALPHV affiliate that carried out the hack, stole massive amounts of data, and was subsequently scammed out of their cut by the gang.
Given the relative lack of details provided by Change Healthcare and UHG/Optum, it's extremely important not to jump to conclusions. Osburn mentions that besides taking emergency incident response measures, identifying the source and thoroughly processing events must happen first.
5 crucial security measures to take to avoid becoming the next victim:
1. Implement robust backup and recovery systems, such as escrow services, to ensure access to data is maintained even if systems are impacted by ransomware.
Having a strong incident response program in place is also vital to adequately prepare for crisis situations, maintain control, and rebuild your systems.
2. Prioritize cyber security and invest in the people, processes, and technologies needed to harden defenses. Don't just accept the risk of being hacked; proactively prevent, detect, and respond to threats.
3. Protect patient data privacy and security. Have safeguards in place for storing, accessing, and sharing sensitive personal health information to limit the impact if a breach occurs.
4. Provide cyber security training to employees to raise awareness of phishing, malware, and other social engineering tactics hackers rely on to gain access.
Employees are a key layer of defense. Osburn says he can't stress this enough. "With a huge company that handles millions, billions of records and transactions, can you imagine the target that places on employees? When with phishing, it only takes one?"
5. Control access to systems and data via multilayered authentication, authorization, and encryption. Make it difficult for attackers to move freely across the network. Segment the network to limit lateral movement.
3 essential steps to take if you learn your PII was part of a data breach:
Our firm provides comprehensive cyber security assurance and risk mitigation for organizations spanning forward-thinking startups to tech giants to governments. However, it’s ultimately all done to protect the end user—you.
While we wait to learn exactly how far reaching the Change Healthcare cyber incident goes, Kurt Osburn offers a few universal and imperative actions to take if your personal information is ever compromised.
1. Monitor your accounts and credit reports for any suspicious activity. Place fraud alerts and request credit freezes if needed to prevent identities from being created in your name.
Consider enrolling in identity theft protection services to provide ongoing monitoring and rapid response if any fraudulent activity is detected.
2. Review all medical bills, claims, and statements closely for any irregularities that could indicate fraud. Report mistakes or unknown charges.
Change passwords and security questions/answers for any of your online accounts that may have reused compromised information. Enable multifactor authentication where possible.
Be vigilant about unsolicited contacts, offers, and requests for your personal information. Scammers exploit breaches to launch phishing attacks.
3. Contact the breached organization to understand what specific data elements were exposed and what mitigation services they are offering impacted individuals. This could include free credit monitoring, identity protection services, etc.
Receive expert support before, during, and after a cyber security crisis.
Start a conversation to discuss your particular situation with our team today.