A cyber attack on US health tech giant Change Healthcare has brought much of the US healthcare system to a standstill for the second week in a row.
Hospitals cannot verify insurance benefits for hospitalized patients, process prior authorizations for patient procedures or surgeries, or bill for medical services. Pharmacies have struggled to decide how much to charge for prescriptions for patients whose health insurance records they cannot access, leaving some patients to pay out of pocket for expensive drugs and others unable to afford them at all.
Since Change Healthcare abruptly shut down its network on Feb. 21 to contain the intruders, some smaller medical providers and pharmacies have struggled to pay their bills and their staff without steady reimbursement from the insurance giants, and some have warned that their cash reserves could run low.
Change Healthcare's parent company, UnitedHealth Group, said in a government regulatory filing Friday that the company is making “significant progress” in restoring affected systems.
As the short-term impact of the ongoing outages on patients and healthcare providers becomes clearer, questions remain about the security of millions of people's sensitive medical information handled by Change Healthcare.
A prolific Russia-based ransomware gang, which took credit for the cyberattack on Change Healthcare, claims to have stolen the personal medical data of millions of patients from the health tech giant's systems, though it has not yet published evidence of the mass theft. In a new development, the ransomware gang appears to have faked its own demise and vanished from the map after receiving millions of dollars' worth of cryptocurrency in ransom.
When patient data is stolen, the impact on affected patients can be irreversible and lifelong.
Change Healthcare is one of the world's largest facilitators of health and medical data and patient records, processing billions of healthcare transactions annually. Since 2022, the health tech giant has been owned by UnitedHealth Group, the largest health insurance company in the United States. Hundreds of thousands of doctors and dentists across the United States, as well as tens of thousands of pharmacies and hospitals, use it to bill patients for health insurance benefits.
That size carries its own risks. U.S. antitrust authorities sued to block the acquisition of Change Healthcare by UnitedHealth's healthcare subsidiary Optum, alleging the merger would give UnitedHealth an unfair competitive advantage through access to "approximately half of all American health insurance claims that pass through each year." The lawsuit was unsuccessful.
Meanwhile, Change Healthcare has so far repeatedly declined to say whether patient data was compromised in the cyberattack. Medical professionals remain concerned that the data-related fallout from the cyberattack is still to come.
Amid concerns that the incident "resulted in a large-scale breach of patient and physician information," the American Medical Association wrote in a March 1 letter to the U.S. government that it had "serious concerns" about data privacy. AMA President Jesse Ehrenfeld told reporters that Change Healthcare had said it was "not clear what data was compromised or stolen."
The head of cybersecurity for a large U.S. hospital system told TechCrunch that while he is in regular contact with Change and UnitedHealth, he has heard nothing so far regarding the security or integrity of patient records. The cybersecurity chief expressed alarm that the hackers could publish the stolen sensitive patient data online.
According to the person, communications with Change gradually escalated from hints that data may have been compromised to the point where multiple incident response companies were engaged in an active investigation, which suggests it is only a matter of time before it is known how much data was stolen, and from whom. Customers will bear some of the burden of the hack, the person said, asking not to be named because they were not authorized to speak to the press.
Ransomware group carries out “exit scam”
Now, the hackers seem to have disappeared and the situation has become even more unpredictable.
UnitedHealth initially blamed the cyberattack on unspecified government-backed hackers, but later retracted that claim and instead blamed the Russia-based ransomware and extortion cybercrime group ALPHV (also known as BlackCat), which has no known ties to a government.
Ransomware and extortion gangs are financially motivated and typically employ double-extortion tactics: first scrambling the victim's data with file-encrypting malware, then stealing a copy for themselves and threatening to publish the data online if the ransom demand is not paid.
On March 3, an affiliate of ALPHV/BlackCat (in effect a contractor that earns a commission from cyberattacks carried out with the gang's malware) posted a complaint on a cybercrime forum alleging that ALPHV/BlackCat had cheated the affiliate out of its share of the proceeds. As first reported by the veteran security news site DataBreaches.net, the affiliate said in the post that the $22 million ransom Change Healthcare allegedly paid to decrypt its files and prevent a data leak had been stolen by ALPHV/BlackCat.
As proof of the claim, the affiliate provided the exact crypto wallet address that ALPHV/BlackCat allegedly used to receive the ransom two days earlier. The wallet showed a single transaction worth $22 million in Bitcoin at the time of payment.
The affiliate added that despite losing its share of the ransom money, the stolen data "is still in our hands," indicating that the affiliate still holds a large amount of the stolen confidential medical and patient data.
UnitedHealth declined to confirm to reporters whether it had paid the hackers' ransom, saying the company was focused on the investigation. A company spokesperson did not respond when TechCrunch asked whether UnitedHealth disputes the reports that it paid a ransom.
By March 5, the ALPHV/BlackCat website had disappeared. Researchers believe this is an exit scam, in which the hackers flee with their newfound wealth, never to be seen again, or go into hiding and later reform as a new gang.
The gang's dark web website was replaced with a splash screen disguised as a law enforcement seizure notice. In December, a global law enforcement operation disrupted some of ALPHV/BlackCat's infrastructure, but the gang returned and quickly began targeting new victims. This time, however, security researchers doubt that another legitimate takedown operation is under way and suspect the gang's own deception is at work.
A spokesperson for the UK National Crime Agency, which was involved in the first ALPHV/BlackCat sabotage operation last year, told TechCrunch that the ostensibly seized ALPHV/BlackCat websites “are not the result of NCA activity.” Other global law enforcement agencies also denied involvement in the group's sudden disappearance.
It is not uncommon for cybercriminal organizations to reorganize or rebrand as a way to shake off reputational problems, whether after being disrupted by law enforcement or after running off with their affiliates' share of the illicit profits.
Even when a ransom is paid, there is no guarantee that the hackers will delete the data. The recent global law enforcement action against the prolific LockBit ransomware gang revealed that the group was not actually deleting victims' data, as it had claimed it would once a ransom was paid. Companies are also coming to realize that paying a ransom does not guarantee the return of their files.
For those on the front lines of healthcare cybersecurity, the worst-case scenario is that stolen patient records become public.
The patient safety and financial implications of this will be felt for years to come, a hospital cybersecurity director told TechCrunch.