On Feb. 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group (UHG) and one of the largest platforms for managing health insurance billing and payments in the United States, experienced a large-scale cyberattack. This attack forced the company to shut down over 100 services across its system for multiple weeks, affecting millions of health care providers and patients across the country.
Due to its magnitude, cybersecurity experts have deemed the incident one of the most disruptive attacks in history, showcasing the devastating impacts of cyber events in the health care sector. This article provides more information on the Change Healthcare cyberattack and offers guidance to help organizations prevent similar incidents.
Cyberattack Overview
The attack began when BlackCat (also known as ALPHV), a sophisticated cybercriminal group responsible for several major data breaches, infiltrated Change Healthcare's systems. It is not yet known how BlackCat gained this unauthorized access; cybersecurity experts consider the most likely vectors to be exposed Remote Desktop Protocol (RDP) services, brute-forced credentials or exploited application vulnerabilities. From there, the group deployed ransomware that rendered a wide range of sensitive data and essential operations across Change Healthcare's systems unavailable. BlackCat then demanded a large payment in exchange for restoring access.
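Because the page names RDP brute-forcing as one presumed initial-access vector, a practitioner will want a concrete check for it. The following is an added example, not code from the original article or from Change Healthcare: it runs a simple sliding-window detection over constructed Windows Security events (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP), flagging a source IP that accumulates a burst of RDP failures and escalating the alert if a success from the same source follows within the window. The pipe-delimited line format, the sample IPs and usernames, and the threshold/window values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry from the incident).
# Format is an assumed simplification: timestamp|EventID|LogonType|TargetUser|SourceIP
SAMPLE_LOG = """\
2024-02-20T03:10:01|4625|10|svc_backup|203.0.113.5
2024-02-20T03:10:04|4625|10|svc_backup|203.0.113.5
2024-02-20T03:10:07|4625|10|svc_backup|203.0.113.5
2024-02-20T03:10:09|4625|10|svc_backup|203.0.113.5
2024-02-20T03:10:12|4625|10|svc_backup|203.0.113.5
2024-02-20T03:10:40|4624|10|svc_backup|203.0.113.5
2024-02-20T08:00:00|4624|10|jdoe|198.51.100.7
2024-02-20T08:05:00|4625|10|jdoe|198.51.100.7
2024-02-20T10:00:00|4625|10|admin|192.0.2.9
2024-02-20T10:02:00|4625|10|admin|192.0.2.9
2024-02-20T10:04:00|4625|10|admin|192.0.2.9
2024-02-20T10:06:00|4625|10|admin|192.0.2.9
2024-02-20T10:08:00|4625|10|admin|192.0.2.9
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive: RDP / Terminal Services


def parse_events(text):
    """Parse the assumed pipe-delimited format into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": event_id,
            "type": logon_type,
            "user": user,
            "src": src,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reaches `threshold` RDP logon
    failures inside any `window`. If a 4624 from the same source arrives
    within `window` of the last counted failure, the alert is upgraded to
    'success_after_bruteforce', the case worth paging on."""
    alerts = {}
    recent_failures = defaultdict(list)  # src -> timestamps inside the window

    for e in events:
        if e["type"] != RDP_LOGON_TYPE:
            continue  # only RDP-style logons are in scope for this check
        src = e["src"]

        if e["id"] == FAILED_LOGON:
            recent_failures[src].append(e["ts"])
            # Drop failures that have aged out of the sliding window.
            recent_failures[src] = [t for t in recent_failures[src]
                                    if e["ts"] - t <= window]
            if len(recent_failures[src]) >= threshold:
                if src not in alerts:
                    alerts[src] = {
                        "src": src,
                        "kind": "rdp_bruteforce",
                        "failures": len(recent_failures[src]),
                        "first_failure": recent_failures[src][0],
                        "last_failure": e["ts"],
                    }
                else:
                    alerts[src]["failures"] += 1
                    alerts[src]["last_failure"] = e["ts"]

        elif e["id"] == SUCCESS_LOGON and src in alerts:
            a = alerts[src]
            if (a["kind"] == "rdp_bruteforce"
                    and e["ts"] - a["last_failure"] <= window):
                a["kind"] = "success_after_bruteforce"
                a["success_user"] = e["user"]
                a["success_at"] = e["ts"]

    return list(alerts.values())


def run(text=SAMPLE_LOG):
    return detect_rdp_bruteforce(parse_events(text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample above, 203.0.113.5 trips the threshold with five failures in eleven seconds and is escalated when the success arrives 28 seconds later; 192.0.2.9 never has more than three failures inside any five-minute window, so it is not alerted, which shows why the window, not just the count, matters for tuning. In a real deployment the same logic would consume 4625/4624 events from the Security log (or a SIEM), and the first mitigation is to remove direct RDP exposure and require MFA rather than to rely on detection alone.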
In response to the attack, Change Healthcare immediately disconnected more than 111 of its services to prevent further damage and contacted law enforcement for remediation assistance. From Feb. 21 to 28, the company's services remained offline, leaving doctors and hospitals unable to bill for medical procedures or manage and issue prescriptions; preventing pharmacies from filling prescriptions; and preventing patients from submitting health insurance claims and receiving prescribed medications. According to digital health risk assurance firm First Health Advisory, this downtime may have cost health care providers up to $100 million per day.
During this time, several health care organizations, such as the American Hospital Association and the Medical Group Management Association, released public statements emphasizing the severity of the cyberattack and urging the U.S. government to get involved in mitigation efforts. Shortly afterward, BlackCat took responsibility for the attack, claiming they compromised more than six terabytes of health care provider, insurance program and patient data, including personally identifiable information.
On March 1, Change Healthcare began to show signs of recovery as the company made temporary funding available to health care providers in its system.
By March 5, the federal government announced its involvement in the remediation process, with the U.S. Department of Health and Human Services outlining a detailed plan for investigating the incident and supporting the health care sector in multiple recovery initiatives. A few days later, Change Healthcare restored services related to prescription claim submissions and payment operations. The company expects to reinstate the remainder of services impacted by the cyberattack during the week of March 18.
Altogether, the attack caused several weeks of considerable operational disruption, financial strain and care delays for both Change Healthcare and its stakeholders. Furthermore, the company may have compounded its losses by complying with BlackCat's ransom demand. Change Healthcare has not confirmed this, but some cybersecurity researchers pointed to a $22 million Bitcoin transaction to a wallet affiliated with BlackCat, visible on the cryptocurrency's public blockchain, as evidence that the company paid the ransom.
Prevention Guidance
As ransomware incidents like the Change Healthcare cyberattack become more frequent and costly, it’s important for organizations to take steps to prevent similar losses. Here are some ransomware prevention tips for organizations to keep in mind:
If you have questions or concerns about protecting your business from cyberattacks, please contact us to discuss how to protect your digital assets.