Ransomware

For me, the Change Healthcare incident is personal

Supply Chain Attacks on Hospitals

What started as Change Healthcare reporting “enterprisewide connectivity” issues early in the morning of February 21 quickly turned into any healthcare provider's worst nightmare. After four days of extensive disruptions to all IT systems, the ransomware group ALPHV/BlackCat claimed responsibility for the attack that impacted the ability to verify benefits, process claims, and receive payments for healthcare practices across the country that use the Change Healthcare platform—including my wife’s dental practice.

In early March, the federal government launched an investigation into the Change Healthcare cyberattack, but days passed with no response or aid. Between March 9 and 12, the American Hospital Association found that of nearly 1,000 hospitals, 94% of them felt financial consequences from the attack, with over half reporting a significant or serious impact.

My wife’s dental practice in Texas was among the providers impacted – we had to seriously consider strategies for stringent cash flow management with limited information on when the Change Healthcare downtime would finally end. This attack clearly illustrates how a single point of failure, such as a prominent healthcare clearinghouse company like Change Healthcare, serves as a compelling target for attackers seeking access to vast amounts of data. While cyberattacks are inevitable in every sector, it’s critical that healthcare organizations take steps to protect themselves as they are increasingly targeted by cybercriminals.

The initial attack on Change Healthcare raised the question of whether the hackers would try to sell the terabytes of data they obtained during the attack. In early March, rumors circulated that Change’s parent UnitedHealth paid a $22 million ransom to ALPHV/BlackCat to recover the data, prompted by researchers who uncovered payment logs that suggest money changed hands. However, it was revealed shortly afterward that the ALPHV/BlackCat administration allegedly stole the payment from their affiliates, meaning the data was still in the affiliates' hands and up for grabs on the dark web. The uncertainty of what will become of the data fuels apprehension within the cybersecurity community and underscores the urgent need for robust preventive measures and proactive risk mitigation strategies.

The Change Healthcare attack serves as yet another example of why companies should not make ransom payments, as cybercriminals are notoriously unreliable and there’s no guarantee that paying the ransom would result in the recovery of all stolen data. It’s why the White House and global allies alike have repeatedly cautioned against ransom payments, even considering potential bans on them altogether, in an attempt to disrupt the criminal ransomware payment ecosystem.

At the beginning of April, nearly two months after the initial attack, and a month after the alleged ransom was paid, RansomHub claimed it now possessed the Change Healthcare data and threatened to release the 4 terabytes in their possession unless they received additional payment. As of April 15, RansomHub has started sharing the sensitive information. This several-month-long attack on Change serves as a stark reminder of the pervasive cyber threats the healthcare industry faces.

The Change Healthcare breach represents an issue that’s systemic across the healthcare industry. Healthcare has become the top target for ransomware, highlighting the widespread susceptibility of healthcare organizations to cyber intrusions.

Consider the case of HCA Healthcare, which fell victim to a major hack in July 2023 that compromised sensitive records of millions of patients. The cybersecurity problems in healthcare continue to worsen, as last year was the worst year for breached healthcare records, with breached records increasing by 156% since 2022. Once attackers gain access to IT systems, they may steal data to sell on the dark web or lock users out until they pay a ransom. And falling victim to a breach doesn’t immunize an organization against a second attack.

Our cybersecurity industry must acknowledge that the healthcare sector remains a prime target for attacks, and make a more concerted effort to bolster the defenses of healthcare organizations. Healthcare organizations also must make cybersecurity a critical component of their risk management strategy and invest in technologies, processes, and personnel to safeguard patient data effectively.

The Cybersecurity & Infrastructure Security Agency (CISA) offers valuable guidelines and best practices for enhancing cybersecurity resilience in the healthcare sector. Organizations should heed these recommendations and collaborate with industry partners, regulators, and law enforcement agencies to stay ahead of evolving threats and minimize the impact of potential breaches.

The Change Healthcare breach serves as a sobering reminder of the persistent cybersecurity challenges facing the healthcare industry, and the importance of adhering to government recommendations not to pay ransom demands. It also underscores the imperative for collective action and shared responsibility in safeguarding sensitive health information and preserving patient trust. Only through proactive measures and a concerted commitment to cybersecurity can we hope to mitigate the risks posed by malicious actors and secure the future of healthcare delivery.

Riaz Lakhani, chief information security officer, Barracuda Networks
