How Ransomware Fallout Is Rippling Through the US Health Care System
An ALPHV/Blackcat ransomware attack on Change Healthcare is wreaking havoc for patients and hospitals.
On Feb. 21, ALPHV/Blackcat hit payment and claims system Change Healthcare with a ransomware attack that is having widespread ramifications. The attack has left pharmacies scrambling to fill patient prescriptions and insurance providers unable to reimburse provider claims.
Change Healthcare, owned by UnitedHealth Group (UHG), took systems offline to contain the attack, NBC News reports. It has since established “multiple workarounds to ensure provider claims are addressed and people have access to the medications and care they need,” according to a UHG statement.
Why is this attack causing so much disruption in the health care industry? What can the cybersecurity community expect from ALPHV/Blackcat next? And how can health care prepare for the continued risk of ransomware?
The Ransomware Attack
Change Healthcare completes 15 billion health care transactions each year, and it touches one in three US patient records, according to its website. The cyberattack resulted in the theft of six terabytes of data, the ransomware gang claims. And the operational disruption has been severe. Patients have been forced to pay out of pocket for prescriptions, due to pharmacies’ inability to process discount cards, NBC News reports. Impacted hospitals and health systems aren’t getting paid because of the disruption to claims processing, leading to concerns that they won’t be able to make payroll.
UHG “... cannot estimate the duration or extent of the disruption at this time,” according to an 8-K filed on Feb. 22.
“I think the longer it goes, the more we’re going to find out about how the other systems will probably break. We’ll have more inconveniences for the patient, and then again at the bigger level macro level, I think we’re going to see more hospitals having financial issues because of the inability to be paid,” says Errol Weiss, chief security officer at Health-ISAC (Information Sharing and Analysis Center), a cyber threat intelligence sharing nonprofit.
This attack should serve as an awakening regarding the interconnectedness and complexity that exists in the US health care system, according to Weiss. “We as a sector, we as a society here in the US, need to do a better job of identifying these critical interdependencies,” he tells InformationWeek.
With workarounds in place, Change Healthcare has been able to process 3 million pharmacy transactions, with more being done each day, according to UHG’s updates page. On the claims side, claims flow is back up to 90%.
While the health care industry is still reeling from the fallout, it is unclear how exactly the attack was carried out. Security researchers have pointed to the ConnectWise ScreenConnect vulnerabilities exploited earlier this month. Health-ISAC shared in a Feb. 26 bulletin that cyber intelligence company RedSense identified Change Healthcare as a victim of the CVE-2024-1708 and CVE-2024-1709 vulnerabilities. On Feb. 27, ConnectWise published a statement saying it “is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare.”
An ALPHV/Blackcat Comeback
UHG confirmed that ALPHV/Blackcat is behind the cyberattack. UHG allegedly paid a $22 million ransom, according to Reuters. ALPHV/Blackcat’s attack on Change Healthcare marks a significant return for the group following disruption by law enforcement in December 2023.
“You can look at the Change Healthcare hit as a bit of a response from Blackcat to what the FBI … takedown was,” says Nic Finn, senior threat intelligence consultant at GuidePoint Security, a cybersecurity consulting services company.
Following the attack on Change Healthcare, the ransomware group appears to be burning down its own infrastructure. ALPHV/Blackcat administrators have been accused of keeping the $22 million ransom to themselves, cutting out their affiliates.
“I think it’s still too early to say whether there’s actually infighting and we’re about to see the demise of ALPHV/Blackcat, or if this is more their craft of sending out misinformation,” says Marc Bleicher, CTO of cybersecurity company Surefire Cyber.
The ransomware group’s leak site has been shut down, and it has put its ransomware-as-a-service source code up for sale at $5 million. Experts believe this move to be an exit scam. The group blamed the FBI for the shutdown, but law enforcement confirmed it has not been involved in the recent disruption of the group’s operations, according to Bleeping Computer.