Start your day with intelligence. Get The OODA Daily Pulse.

After the Impact of the Change/United Healthcare Ransomware Attack, HHS Bolsters Healthcare Cybersecurity Initiatives

The ransomware epidemic is starting to feel like one continuous incident report and a growing national security concern – not to mention the dormant “ghost in the machine” capabilities that have already been positioned in the U.S. internetwork (by nation-state and non-nation-state players alike) as part of a strategic plan for a larger act of cyber war in the future.  Following is a tick-tick (no pun intended) of the recent attack on the Change/United Health Group, which has been attributed to the Russia-affiliated ALPHV/Blackcat ransomware group.  

As reported by The Record and Dark Reading: 

February 2024

Change Healthcare confirms Blackcat/AlphV behind ransomware attack

Medical insurance giant UnitedHealth Group confirmed Thursday that the Blackcat/AlphV ransomware group carried out a cyberattack that affected the operations of its subsidiary Change Healthcare. After days of posting the same updates online about a ‘cyber security issue,’ Change Healthcare said on Thursday the attack was ‘perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat.’ Why it matters:

  1. Blackcat/AlphV Ransomware Attack: UnitedHealth Group experienced a heavy cyberattack on its subsidiary, Change Healthcare, by the notorious ransomware group Blackcat/AlphV. This revelation shows how pervasive and destructive ransomware attacks have become, threatening businesses and potentially critical healthcare services.
  2. Scope of Influence: The ransomware attack’s reach and implications are colossal. Change Healthcare is a middleman between pharmacies and insurance companies. The attack has resulted in widespread disruptions across the country, and even U.S. military clinics worldwide have been affected. This underscores the potential for significant fallout and collateral damage from such cyber threats.
  3. Relentless Cybercrime Activities: Blackcat/AlphV is not new to cybercrime. Despite an FBI-led raid in December and a track record of compromising over 1,000 entities and receiving almost $300 million in ransoms, the group is still active. This highlights the challenges law enforcement and cybersecurity agencies face in completely neutralizing such threats.

Prescriptions nationwide impacted by a cyber incident at Change Healthcare

Pharmacies across the country are running into issues filling prescriptions due to a cyber incident affecting a multibillion-dollar healthcare conglomerate involved in processing half of all medical claims in the U.S. Nashville-based Change Healthcare first announced disruptions to certain applications early on Wednesday before saying in the afternoon that the company was ‘experiencing a network interruption related to a cyber security issue. Why it matters:

  1. The cyber incident at Change Healthcare is severely impacting pharmacies’ ability to process prescriptions. As Change Healthcare is a critical intermediary in the healthcare system, this translates into delays and disruptions for patients awaiting medications.
  2. The scope and scale of the breach, coupled with the announced expectation of ongoing disruption, suggests a considerable impact on the overall function of the U.S. healthcare system. This is especially significant as Change Healthcare is responsible for processing half of all medical claims in the country.
  3. This incident exemplifies the healthcare industry’s attractiveness to cybercriminals. It follows a trend of increased cyber-attacks on healthcare providers and insurance companies, posing significant threats to patient data and the delivery of essential healthcare services.

Pharmacy Delays Across US Blamed on Nation-State Hackers

On Feb. 22, United HealthCare filed its required 8-K disclosure of a material cyber incident. The disclosure said Change Healthcare’s systems were breached by a suspected nation-state actor who gained temporary access to the healthcare tech vendor’s systems until they were taken offline. According to the HIPAA Journal, Change Healthcare is responsible for 15 billion healthcare transactions annually, and about a third of US patients use its connectivity solutions.   Change Healthcare systems being pulled offline has caused delays at pharmacies nationwide, prompting one Michigan retailer to ask customers to wait an extra day to refill meds, if possible, according to reports.

However, the fallout might not be limited to pharmacies and could have exposed patient data, according to Nick Tausek, lead security automation architect at Swimlane.  “Change manages patient payments across the healthcare sector, with access to medical records and sensitive patient information,” Tausek stated. “Pharmacies across the country are already reporting delays in filling prescriptions and providing services as a result of this attack, marking the real-world dangers to human health cyberattacks can cause.”

Change Healthcare incident drags on as report pins it on ransomware group

Healthcare IT platform Change Healthcare continued Tuesday morning to push out a now-familiar alert about a ‘cyber security issue’ that disrupted pharmacy services nationwide, as a news report said the incident was an attack by a ransomware gang. As it has been on a security updates page for several days, Change Healthcare’s parent company, Optum, says some services might remain disconnected as it continues to be ‘proactive and aggressive with all our systems.’ Why it matters:

  1. Major Cybersecurity Threat to Healthcare: The cyberattack on Change Healthcare by the Blackcat/AlphV ransomware group is a significant disruption to pharmacy services nationwide, which is a crucial part of the healthcare sector. The implication extends beyond the immediate victims as it affects the delivery of critical healthcare services.
  2. Potential Risks of Healthcare Monopolies: The merger between Change Healthcare and Optum raises potential risks associated with having a conglomerate at the center of numerous healthcare services. The recent cybersecurity incident underscores the potential cascading effect of a breach in one entity that provides widespread critical services.
  3. Heightened Alert for Health Institutions: In light of the attack, organizations, especially those connected to Optum and Change Healthcare services, have been urged to be cautious. The Blackcat/AlphV group’s threat to target sensitive operations like hospitals and nuclear power plants highlights the importance of strengthening cybersecurity measures within health institutions.

March 2024

Industry in need of immediate relief following cyberattack on Change Healthcare, hospital group says

The American Hospital Association is accusing the parent company of Change Healthcare – which for two weeks has dealt with a cybersecurity incident that has caused disruptions at pharmacies nationwide – of failing to adequately address the issues healthcare providers face getting reimbursed for services as a result of the attack. On Friday, UnitedHealth Group, which owns Change Healthcare, rolled out a ‘Temporary Funding Assistance Program’ for providers who rely on the company’s software to get reimbursed by health insurers. Why it matters:

  1. The American Hospital Association (AHA) criticizes UnitedHealth Group’s assistance program for not addressing the healthcare providers’ reimbursement issues caused by a cybersecurity incident at Change Healthcare. The assistance program, seen by some as inadequate and too narrowly distributed, is designed to aid organizations affected by the attack in receiving payments from insurers.
  2. Senator Chuck Schumer calls for government intervention to aid struggling healthcare providers. Under the financial burden of the incident, facilities like Rome Health in central New York issue reported losses amounting to $2.3 million per week. Schumer underscores the need for immediate relief to ensure that providers can uphold their patient care standards amidst this financial crisis.
  3. Claims of a ransom payment made by UnitedHealth Group surface during an investigation into the attack. An individual claiming to be an affiliate of the attacker, BlackCat/AlphV, posts on a cybercrime forum alleging UnitedHealth Group had paid a $22 million ransom. The post included a Bitcoin address reportedly associated with prior ransom payments. While UnitedHealth has not confirmed the claim, a spokesperson stated that the company’s focus is on the ongoing investigation.

BlackCat Goes Dark After Ripping Off Change Healthcare Ransom

Experts speculate it’s possible that the Change Healthcare ransomware attack, and by association the US healthcare system more broadly, is wrapped up in a potential exit strategy for the BlackCat admins — who are burning affiliate bridges and going after one last big payday before abandoning their brand and existing infrastructure altogether.  After Change Healthcare reportedly deposited $22 million in a Bitcoin wallet as a ransomware payment, BlackCat admins were accused on the Dark Web of swooping in and grabbing all the cash for themselves, cutting their affiliates out of their part of the loot.  Now, BlackCat has shuttered its leak site and put its RaaS source code up for sale for $5 million for anyone who’s interested, it announced by way of its Tor chat over the past day or so. It’s a stunning reversal after a string of high-profile attacks, and doubly so given BlackCat’s position as the top ransomware gang now that LockBit has been sidelined by a law-enforcement action.

Bitcoin Value, Ukraine, Other Potential Factors in BlackCat Breakup

Malachi Walker, security advisor with DomainTools, pointed out in an emailed statement that it’s possible that BlackCat admins decided to cash out of the business and rip off affiliates at this time because the value of Bitcoin is hitting all-time highs. Walker added that Ukraine is another possible reason BlackCat leadership is ready to cash out.

“Another possibility is that this exit scam is a result of Russia tapping BlackCat on the shoulder and telling them to quit their side hustle and pivot attention to leverage their ransomware capabilities in the war against Ukraine,” Walker said. “Whatever the case may be, these actions by BlackCat are of great interest.”  Regardless of who exactly is behind the BlackCat moves, Ariel Parnes, COO and co-founder of Mitiga, said the evidence shows an effort is undeniably being made to destabilize the BlackCat ransomware operation.

What Next?

HHS to investigate UnitedHealth and ransomware attack on Change Healthcare

The U.S. Department of Health and Human Services (HHS) is launching an investigation into the ransomware attack on Change Healthcare following weeks of disruption to healthcare and billing operations at hospitals, clinics and pharmacies across the country. The department’s Office for Civil Rights (OCR) published a letter on Wednesday announcing the investigation, with Director Melanie Fontes Rainer writing that they needed to look into the situation ‘given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.’ Why it matters:

  1. The U.S. Department of Health and Human Services (HHS) is launching an investigation into the ransomware attack on Change Healthcare. This attack disrupted healthcare and billing operations across the country for weeks, making it unprecedented in magnitude. Whether any protected health information was compromised during the attack and if Change Healthcare and UnitedHealth Group (UHG), its parent company, complied with HIPAA rules is being investigated.
  2. Change Healthcare processes about half of all medical claims in the U.S. Hence, the attack is causing significant disruptions, including issues in maintaining payroll, delivering timely care, and filing for and receiving insurance payments. The situation is so severe that the American Hospital Association referred to it as ‘the most significant and consequential incident of its kind against the U.S. healthcare system in history.’ Repercussions such as these underscore the consequences of cyberattacks on such integral infrastructure systems.
  3. Ransomware attacks targeting the healthcare industry have increased 256% over the last five years. This growth, coupled with the data breaches in 2023 that affected more than 134 million people, raises serious concerns about the security measures in place to protect sensitive health data and the resilience of healthcare systems against cyberattacks. The incident is a stark reminder of the immense vulnerabilities within the healthcare industry, and the urgent need to address them.

HHS Plans for Cyber ‘One-Stop Shop’ After United Healthcare Attack

The initiative is meant to provide more resources and better strategies for healthcare entities that face an increasing amount of cybersecurity challenges.

The Department of Health and Human Services (HHS) has begun an initiative to better organize and equip its healthcare cybersecurity programs through a one-stop shop.  This latest resource is created through the HHS Administration for Strategic Preparedness and Response (ASPR), which leads the US during disasters and public health emergencies relating to health and medical preparation.  This initiative comes after a United Healthcare subsidiary was targeted by BlackCat ransomware group in February, causing days of outages and chaos across the healthcare supply chain. The cyberattack was considered one of the most serious of its kind within the healthcare sector, and led to United paying the ransom demanded by the threat actors. 

Prominent US senator sees new momentum for healthcare cybersecurity push

As U.S. hospitals struggle to pay their employees amid a cyberattack that knocked out a major payment vendor, a powerful Democratic senator is seizing the moment to push for better security in the sorely vulnerable healthcare sector. Sen. Mark Warner (D-VA) has introduced legislation requiring hospitals and their technology vendors to implement cybersecurity best practices before the government offers them any emergency payments. Why it matters:

  1. Reinforcing cybersecurity in the healthcare sector: Senator Mark Warner’s legislation plans to target America’s vulnerable healthcare sector, which has underinvested in cybersecurity. This influential senator’s compelling push aims to establish minimum cybersecurity standards, forcing the industry to strengthen its digital defenses, particularly amidst a staggering increase in ransomware attacks. Continuous cyber attacks conveying the healthcare industry as an easy target for cybercriminals underscore the urgency of this measure.
  2. The cost of neglecting cybersecurity measures: The recent cyber attack on Change Healthcare, the largest medical claims processor in the U.S., unveiled the severe consequences of inadequate cybersecurity defenses. This compromise led to the interruption of hospital payments, pushing the already financially stressed healthcare industry into a crisis. The financial stress augmented by the COVID-19 pandemic further emphasizes the need for regulatory focus on technology vendors who sell to these facilities.
  3. Implications of Warner’s legislation: The proposed Health Care Cybersecurity Improvement Act will require healthcare providers and their vendors to adhere to ‘minimum cybersecurity standards’ before receiving emergency funds from the government in case of a cyber attack. This has the potential to catalyze an industry-wide focus on cybersecurity. However, the new measures face resistance from a sector that has traditionally opposed such regulations due to the financial and training implications they bring.

Additional OODA Loop Resources 

Cyber Risks

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Ransomware’s Rapid Evolution: Ransomware technology and its associated criminal business models have seen significant advancements. This has culminated in a heightened threat level, resembling a pandemic in its reach and impact. Yet, there are strategies available for threat mitigation. See: Ransomware, and update.

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Recommendations for Action

Decision Intelligence for Optimal Choices: The simultaneous occurrence of numerous disruptions complicates situational awareness and can inhibit effective decision-making. Every enterprise should evaluate its methods of data collection, assessment, and decision-making processes for more insights: Decision Intelligence.

Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses

The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance

Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning

Track Technology-Driven Disruption: Businesses should examine technological drivers and future customer demands. A multidisciplinary knowledge of tech domains is essential for effective foresight. See Disruptive and Exponential Technologies.

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.