The Change Healthcare Hack: The Worst Cyber-Attack Against U.S. Healthcare to Date

The Change Healthcare Hack: The Worst Cyber-Attack Against U.S. Healthcare to Date

On December 19th, 2023, the FBI proudly announced it had released a decryptor for one of the most prolific ransomware threat groups, AlphV (also known as Blackcat). In conjunction with other international law enforcement agencies, the FBI had successfully infiltrated and shut down a huge part of the group’s infrastructure. Just two months later, on February 21st, 2024, UnitedHealthcare announced they had been the victim of a cyber-attack – one that has now proven to be among the most devastating, impactful breaches in history. The group responsible? AlphV. This isn’t to say that the FBI’s efforts were wasted – their infiltration was a huge collaborative accomplishment to be proud of. Rather, it’s to highlight that threats are ever-present, threat actors are remarkably persistent, and if you aren’t taking cybersecurity seriously, you’re just making yourself an easy target.

What We Know About the Change Healthcare Hack So Far

Admittedly, data breaches have become so common that most people probably saw the news about UnitedHealthcare and shrugged. That is, until they went to the pharmacy and tried to pay for a prescription. The breach actually targeted Change Healthcare, which was acquired by UnitedHealthcare in October 2022. Change is not a traditional insurance company, but rather a technology provider of back-end systems and applications for the medical, pharmaceutical, and health insurance industries. Change’s systems are so ubiquitous, in fact, that every year 50% of all American health insurance claims and one-third of patient records pass through their systems.

The ugly thing about ransomware is that a service disruption is largely inevitable. 80% of the time, a bad actor gains access to the network through compromised credentials. In the case of this attack, however, we still don’t know how the breach was initiated. What we do know is that AlphVused software to encrypt everything, then demanded payment to unlock everything. For those lacking the foresight to maintain an air-gapped backup that doesn’t connect to the rest of the network, there’s little other choice but to give into the attacker’s demands. Of course, those that do have a backup can still have their data exfiltrated with the ransomware group demanding payment or risk the release of the data.

The Devastating Impact of the Change Healthcare Hack

With Change Healthcare out of commission, all of the systems that process these billions of healthcare transactions have grounded to a halt. Without the ability to facilitate insurance payments or honor manufacturer’s coupons, patients have seen medication bills skyrocket. In one early example, cancer patients taking IBRANCE were hit with a $16,000 bill for a single month of medication. From anti-psychotics to diabetes drugs, patients were scrambling to afford life-saving medication, often having to depend on pharmacists or doctors who could give them free samples. Pre-authorizations have also grounded to a halt, which means when an insurance company requires a doctor to provide extra justification for certain medications, the medication is often getting delayed. One doctor reported staying up until 2 am every night manually calling insurance companies for patients in an effort to get medications approved.

Medical practices have also been left scrambling without the ability to submit and process insurance payments, preventing them from getting paid. In all too many instances, doctors haven’t been able to pay rent, salaries, or other overhead costs, and have been left to wonder if they need to shut their practices. One chain of urgent care centers in Columbus, Ohio has $650,000 in unprocessed insurance claims; the owners have taken bank loans and used their personal savings to keep employees paid. As if all this isn’t bad enough, there’s still no solid indication as to when the systems issues will be resolved. Stopgap solutions like loans from Optum have fallen critically short of providers’ needs.

What’s more, UnitedHealthcare has taken a huge financial hit; reports suggest they’ve already made a $22 million ransom payment. That’s just the tip of the iceberg; at least five federal lawsuits have been filed against UnitedHealthcare since the breach and operational disruption began.

What Healthcare Providers Can Do to Avoid Being Next

With all this going on, the question on everyone’s mind should be: how do I avoid becoming the next ransom victim? Even if your business is not responsible for a huge portion of the US healthcare system, this is not a situation you want to find yourself in. Portnox can help you avoid a disaster like this by implementing these must-have zero trust security measures:

• Passwordless Authentication: We’ve said it before, and we’ll say it again – 80% of all data breaches are due to compromised passwords. Target. Cisco. Reddit. Okta….this list goes on. Additionally, MFA is not going to protect you because it’s just putting a bandaid over a fundamentally flawed, insecure system. Portnox can help you implement secure, passwordless authentication using digital certificates that can’t be phished, guessed, or socially engineered.
• Role-Based Access: The concept of least-privileged access means everyone has access to what they need to do their jobs, and nothing more. In practical terms, if one account gets compromised, it prevents the bad actor from getting access to much more information than they otherwise would.
• Network Segmentation: Preventing lateral movement also means segmenting your network. One unguarded entry point can be the jumping-off point for access to many more internal resources unless you have things segmented and protected. If there is a breach, you can contain it much faster with segmentation already in place. Portnox can help you implement both network segmentation and role-based access control, ensuring a robust defense against unauthorized access and potential breaches.
• Endpoint Risk Monitoring: The Target hack of 2013 cost them almost $300 million dollars, and it all started with a contractor’s laptop that had malware on it. Prevent risky devices from connecting to your network with Portnox’s risk policy engine – set your security policy to require things like up-to-date antivirus or prohibit certain applications, and then rest assured no one is exposing you to vulnerabilities that could lead to a breach.

Some security experts say it’s not if, it’s when you get breached. That might be a little pessimistic, but even if the worst does come to pass and you are the target of a cyber-attack, proper access control and focus on zero trust security can protect you from being the next major headline.