Patient Data Leaked Following Change Healthcare Cyber Attack

The cyber attack on Change Healthcare impacted over 100 services including dental, pharmacy, medical records, clinical, patient engagement, revenue, and payment services.

The company confirmed the cyber attack by updating the status page on its website with a statement on the incident. 

“Change Healthcare is experiencing a network interruption related to a cyber security issue and our experts are working to address the matter," reads the statement.

"Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. The disruption is expected to last at least through the day."

Change Healthcare, headquartered in Nashville, Tennessee, connects payors, providers, and patients through its extensive network and platform. They offer services ranging from revenue & payment cycle management to advanced analytics, ultimately aiming to streamline healthcare and improve patient outcomes.

Substantial Patient Data Leaked

UnitedHealthGroup have now confirmed that a substantial amount of patient data has been compromised during the cyber attack on Change Healthcare. This includes "files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America."

After facing increased pressure from law enforcement, the BlackCat gang shut down their operation amid claims that they had taken a $22 million ransom payment from the Change Healthcare attack.

Read: Who is BlackCat? Behind the Feline Ransomware Gang

Change Healthcare initially declined to comment on whether it has paid a ransom, but an affiliate known as "Notchy" said they would extort the health giant again as they still had the company's data.

However, Change Healthcare how now confirmed that they paid a ransom fee in attempt to protect patient data though they have not disclosed the amount. 

In their latest press release Andrew Witty, CEO of UnitedHealth stated:

“We know this attack has caused concern and been disruptive for consumers and providers and we are committed to doing everything possible to help and provide support to anyone who may need it.”

The press release goes on to explain next steps, and explains that 'given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals'.

Following the BlackCat shut down Notchy, partnered with another ransomware gang known as ‘RansomHub’ to extort Change Healthcare again, despite the company allegedly paying the initial ransom. 

The cybercriminal issued a statement via the Ransomhub data leak site stating the data would be released if Change Healthcare were unable to ‘reach a deal’ with them. 

The threat actor issued a statement on the RansomHub data leak site saying that all the data would be released if Change Healthcare and United Health did not "reach a deal" with them.

They have now started leak screenshots of files they claim were stolen from Change Healthcare during the cyber attack.

The screenshots suggest they have access to data-sharing agreements between Change Healthcare and insurance providers, which include CVS Caremark, Health Net, and Loomis. There is also accounting data, aging reports, insurance payment reports, and other financial information.

Most notably this also included leaked patient data, including bills for patient care services.

The cybercriminals stated have that Change Healthcare has five days to pay an extortion demand, or they will sell the data.

UnitedHealth have set up a dedicated website and call centre to provide 'support for people who are concerned about their personal data'. This will offer free credit monitoring and identity theft protections. The call centre also employs trained clinicians to provide emotional support services.

Change Healthcare Cyber Attack Hits 1 in 3 US Patients.

The company initially could not confirm the nature of the attack or the extent of the damage though there was always speculation of ransomware based on their response of disconnecting affected systems as this is the typical response to such an attack. 

UnitedHealth have since confirmed that the BlackCat ransomware gang was behind the cyber attack on Change Healthcare .

The healthcare giant states that it handles over 15 billion healthcare transactions annually and that one in three US patient records are “touched by [their] clinical connectivity solutions.” 

Change Healthcare’s responsibility for this monumental amount of information makes it a key target for malicious actors. The sensitivity of health data makes it of high value to cybercriminals. Confidential information can be sold by hackers quickly - and for a high price, or companies can be extorted for its safe return. Stolen information can also be ideal for stealing money through tactics like fraudulent billing.

Who was behind the Change Healthcare cyber attack?

The BlackCat ransomware gang initially claimed responsibility for the attack through a website typically used by such groups. 

UnitedHealth Group, the parent company of Optum, a major Change Healthcare client, suspected a "suspected nation-state associated cybersecurity threat actor" might be behind the attack. They identified the actor on February 21st, 2024. Nation-state actors are governments targeting other countries for various reasons, including espionage or disrupting critical infrastructure.

A recent example of this was the attack on the Ukrainian mobile network operation Kyivstar, which saw Russia-backed hackers disrupt one phone line for millions of people across the country. Kyivstar’s CEO Oleksandr Komarov said the attack was a result of Ukraine’s war with Russia at the time. 

“Change Healthcare can confirm we are experiencing a cyber security issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” said Tyler Mason, vice president at UnitedHealth, in a statement to TechCrunch.

Read: UnitedHealth Says BlackCat Behind Change Healthcare Cyber Attack

But the possibility of two different actors being involved, or the information from either source being inaccurate, cannot be ruled out completely.

What is the impact of the Change Healthcare cyberattack?

The disruption caused by the cyberattack has had a significant impact on the healthcare system, with some pharmacies being unable to process prescriptions.

Previous cyber attacks on healthcare institutions have been devastating. Just last week, the French medical payment systems Viamedis and Almerys were targeted in a ransomware attack that exposed half of the French population's data. 

The UK's NHS was also targeted in 2022. In that attack, medical staff were forced to keep patient details on scraps of paper for several months as the attack shut down the service's IT systems. 

Scheurer Health is one of the companies using Change Healthcare that due to a "nationwide outage from the largest prescription processor in North America" was "unable to process prescriptions," later clarifying that patients had the option to pay with cash/credit card if it there was an immediate need.

 Erfan Shadabi, Cybersecurity Expert at comforte AG, believes the cyber attack on Change Healthcare should be a wake-up call for organizations to develop and implement cyber incident response plans, enabling swift action and minimizing damage during a breach. 

"In light of the Change Healthcare cybersecurity incidents, it's imperative for organizations to prioritize the development and implementation of robust cyber incident response plans. These plans serve as critical frameworks for swift and effective action in the event of a breach, minimizing the potential damage and ensuring business continuity," Shadabi told EM360Tech. 

Furthermore, organizations must recognize the importance of investing in data-centric security measures, such as tokenization, to safeguard sensitive information effectively. Tokenization replaces sensitive data with unique tokens, rendering it meaningless to unauthorized users. By adopting such data-centric approaches, even in the event of a breach, organizations can ensure that their data remains secure and protected from exploitation.

"In today's rapidly evolving threat landscape, proactive measures like cyber incident response planning and data-centric security are vital. By integrating these practices into their cybersecurity strategies, organizations can mitigate risks, protect valuable assets, and maintain trust with stakeholders," Erfan Shadabi commented.

The Change Healthcare cyber attack serves as a stark reminder of the vulnerabilities within the healthcare system handling sensitive patient data and the importance of robust cybersecurity measures.

Read: Top 10 Most Common Cyber Attacks and How To Defend Against Them

Organizations need to invest in developing and implementing comprehensive response plans, prioritize data security solutions, and remain vigilant against evolving cyber threats.