On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group and one of the largest healthcare payment processing companies in the United States, fell victim to a devastating ransomware attack. This incident, which has been described as the most significant and consequential cyberattack against the U.S. healthcare system in history, has had far-reaching implications for healthcare providers, patients, and the broader healthcare ecosystem.

This article provides a comprehensive analysis of the attack, its causes, consequences, and the ongoing fallout.

The ransomware attack on Change Healthcare began on February 12, 2024, when attackers associated with the ALPHV/BlackCat ransomware group gained initial access to the company’s systems. The vulnerability that allowed this breach was shockingly simple: inadequate remote access authentication on a critical application.

During a congressional hearing, UnitedHealth Group CEO Andrew Witty admitted that the compromised system lacked multi-factor authentication (MFA), a basic security measure widely considered an industry standard. This oversight is particularly surprising given that Change Healthcare processes approximately 15 billion medical claims annually, accounting for nearly 40% of all claims in the U.S.

The attackers exploited this weakness to compromise credentials on an application that allows staff to remotely access systems. Once inside, they spent nine days moving laterally through the network, exfiltrating data, and preparing for the ransomware deployment.

On February 21, the attackers launched ransomware, encrypting Change Healthcare’s systems, and causing widespread disruption. The company was forced to disconnect over 100 systems to prevent further impact, effectively grinding its operations to a halt.

The lack of multi-factor authentication on a remote access system was the primary security failure that allowed this attack to occur. This oversight is particularly egregious given the sensitive nature of the data Change Healthcare handles and the large role it plays in the U.S. healthcare system.

Moreover, the fact that the attackers were able to remain undetected in the system for nine days before deploying the ransomware suggests potential weaknesses in Change Healthcare’s threat detection and response capabilities. This extended dwell time gave the attackers ample opportunity to exfiltrate large amounts of data and thoroughly compromise the network.

The impact of the attack on healthcare providers has been severe and wide-ranging. Change Healthcare processes about half of all medical claims in the United States for approximately 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.

Many healthcare providers have been unable to submit claims or receive payments, leading to severe cash flow problems. An American Medical Association survey conducted in April 2024 revealed the extent of the disruption:

• 80% of physician practices lost revenue from unpaid claims.
• 60% faced challenges in verifying patient eligibility.
• 75% encountered barriers with claim submission.
• 79% could not receive electronic remittance advice.
• 85% experienced disruptions in claims payments

The financial impact has been particularly severe for smaller practices and rural hospitals, with some facing the risk of closure due to the prolonged disruption.

The scale of the data breach associated with this attack is staggering. During the congressional hearing, Andrew Witty estimated that approximately one-third of Americans may have had their sensitive health information compromised. This translates to potentially over 100 million individuals whose protected health information (PHI), or personally identifiable information (PII) may have been exposed.

The ransomware group claimed to have stolen 6 terabytes of data from Change Healthcare, including medical records, patient social security numbers, and information on active military personnel. While the exact contents and extent of the stolen data are still being investigated, the potential for widespread identity theft and fraud is significant.

On March 3, 2024, a bitcoin payment worth over $20 million was made to a wallet associated with the ALPHV/BlackCat ransomware group. UnitedHealth Group initially declined to comment on this payment, but on April 30, 2024, CEO Andrew Witty confirmed that the company had indeed paid a ransom of approximately $22 million in an attempt to protect patient data from disclosure.

Despite this payment, there is no guarantee that the stolen data won’t be leaked or sold. In fact, a second ransomware group, RansomHub, claimed to have obtained the stolen data and threatened to publish it unless an additional ransom was paid.

The financial impact of this attack on UnitedHealth Group is expected to be enormous. The company has estimated that the breach could cost in excess of $1.5 billion. This figure includes not only the direct costs of responding to the attack and restoring systems but also the potential legal liabilities, regulatory fines, and reputational damage.

The ripple effects of this attack have been felt across the entire healthcare ecosystem:

1. Healthcare Providers: Many providers have faced severe cash flow problems due to delayed or interrupted claim processing. Some have had to furlough staff or dip into personal funds to meet payroll. The American Hospital Association reported that some larger health systems were losing more than $100 million daily due to the interruptions.
2. Pharmacies: The attack disrupted e-prescribing services and claims processing for pharmacies nationwide. Many had to revert to manual processes, causing delays and potential errors in prescription fulfillment.
3. Patients: While the full impact on patients is still unfolding, many have faced delays in getting prescriptions filled or receiving care due to providers’ financial strains. The potential exposure of their sensitive health information also puts them at risk of identity theft and fraud.
4. Employees: Change Healthcare employees have faced significant challenges in the wake of the attack, working to restore systems and manage the crisis while dealing with the stress and uncertainty of a major cybersecurity incident.
5. UnitedHealth Group: Beyond the financial impact, the company faces significant reputational damage and potential regulatory scrutiny. The incident has raised questions about the company’s cybersecurity practices and its ability to protect sensitive health information.

The fallout from this attack continues to unfold. The U.S. Department of Health and Human Services Office for Civil Rights has opened an investigation into the incident, focusing on potential violations of HIPAA regulations. Congressional hearings have been held to examine the causes and consequences of the attack, with lawmakers considering potential legislation to strengthen cybersecurity requirements in the healthcare sector.

UnitedHealth Group has implemented a Temporary Funding Assistance Program to help providers facing cash flow issues, but many in the healthcare industry have criticized this response as inadequate. The company is also offering free credit monitoring and identity theft protection for two years to affected individuals, though the process of identifying and notifying all impacted parties is expected to take several months.

BlackFog provides a solution with a focus on preventing data exfiltration with ADX technology. This next generation cybersecurity solution has been designed to help organizations protect themselves from ransomware attacks and extortion 24/7, without the need for human intervention. Don’t wait for the next ransomware attack wave; take proactive action now and secure your most valuable asset, your data.

Learn how our solutions can strengthen your cybersecurity posture and prevent cyberattacks including ransomware.