On February 21, 2024, Optum reported enterprise-wide connectivity issues. Optum is an American healthcare company that provides technology services, pharmacy care services and various direct healthcare services. Later the same day, Optum stated that Change Healthcare was experiencing a network disruption due to a cybersecurity threat. Optum disconnected Change Healthcare's systems as soon as the attack was discovered, although by then it was too late.
As the days went on, hospitals, health systems and pharmacies reported disruptions from the attack. The AHA (American Hospital Association) urged facilities to disconnect any connections to Optum's systems. Since Change Healthcare is owned by UnitedHealth through its subsidiary Optum, the incident affected every system involved. Change Healthcare's loss of functionality prevented most payers from processing claims and completing other functions critical to the delivery and payment of care.
The infamous ransomware group known as "BlackCat" claimed responsibility for the attack. BlackCat is a Russian-speaking operation, but it has not been linked to any government. Over the past two years, BlackCat has established itself as the world's second most prolific ransomware-as-a-service organization, taking hundreds of millions of dollars from victims. As a ransomware-as-a-service operation, BlackCat supplies its ransomware to other hacking groups in exchange for a portion of the ransom. The group is effective because it layers multiple forms of extortion into a single attack: not only does it steal sensitive data, it also encrypts the victim's systems and demands a ransom for the decryption key. If the victim does not pay, the stolen data is released to the public. This exposes the victim not only to major financial risk but to reputational risk as well.
Change Healthcare confirmed that BlackCat stole 6 terabytes of data, including medical records, patient Social Security numbers, and information on active military personnel. Most ransomware groups exaggerate the amount of data they have obtained in order to demand a higher payment, but most companies either believe the claims or will not risk calling the bluff.
By March 4, 2024, larger health systems were losing more than $100 million daily because of the interruptions. Most health systems resumed normal operations by utilizing electronic prescriptions via Epic and phasing out the use of paper scripts.
On March 6, 2024, lawsuits began rolling in against UnitedHealth Group over the cyberattack. Court records show that at least five federal lawsuits were filed against the company that month.
On Wednesday, May 1, 2024, UnitedHealth Group CEO Andrew Witty confirmed for the first time that the company had paid a $22 million bitcoin ransom to BlackCat over the breach of its subsidiary Change Healthcare. Witty made this statement before the U.S. Senate Committee on Finance. The ransom was paid in an attempt to protect patient data; by this point the company had a schedule for returning to full operation. Witty said the company plans to share what it discovers about the breach with others, adding that there is a need to focus on reducing the rate of cyberattacks on the health-care sector.
So how does a sophisticated attack like this happen? That is a good question, reader. Witty told the committee that the cybercriminals accessed Change Healthcare through a server that was not protected by multi-factor authentication. UnitedHealth has since put MFA in place across all external-facing systems.
UnitedHealth Group has spent billions of dollars paying out providers impacted by the cyberattack on Change Healthcare, on top of the cost of updating its systems and paying the attackers the ransom. Witty stated, "To all those impacted, let me be very clear: I am deeply, deeply sorry."
I am not saying that this attack could have been completely prevented by enabling MFA on all external-facing servers, but it sure would have added a much-needed layer of security. This proves the importance of enabling MFA on all accounts and devices you own. I pray for all impacted victims of the attack, for Optum and its subsidiaries to finish the investigation in a timely manner and fix the needed security issues, and for everyone yet to enable MFA on their accounts.
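The gap described above, a server reachable from the internet that accepted logins without a second factor, is something a defender can look for in their own authentication logs before an attacker does. The following is an added example, not code from UnitedHealth, Optum or Change Healthcare; the log format, host names and user names are all constructed for illustration.

```python
"""Flag successful logins to external-facing hosts that used no second factor,
and report per-host MFA coverage. Added example; log format and all host/user
names are constructed, not taken from any real incident."""
from collections import defaultdict

# Constructed sample: key=value authentication events from a central log.
SAMPLE_LOG = """\
ts=2024-02-12T03:14:07Z host=vpn-gw-01 exposure=external user=jsmith result=success mfa=totp
ts=2024-02-12T03:15:22Z host=remote-portal-02 exposure=external user=svc_backup result=success mfa=none
ts=2024-02-12T03:16:01Z host=intranet-wiki exposure=internal user=akim result=success mfa=none
ts=2024-02-12T03:17:45Z host=remote-portal-02 exposure=external user=svc_backup result=failure mfa=none
ts=2024-02-12T03:18:09Z host=remote-portal-02 exposure=external user=mlee result=success mfa=push
"""

REQUIRED = {"host", "exposure", "user", "result", "mfa"}

def parse_events(text):
    """Turn 'key=value' lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if REQUIRED <= fields.keys():
            events.append(fields)
    return events

def unprotected_external_logins(events):
    """Successful logins to external-facing hosts where no second factor was used."""
    return [e for e in events
            if e["exposure"] == "external"
            and e["result"] == "success"
            and e["mfa"] == "none"]

def mfa_coverage(events):
    """Per external-facing host: fraction of successful logins that used MFA."""
    total, with_mfa = defaultdict(int), defaultdict(int)
    for e in events:
        if e["exposure"] != "external" or e["result"] != "success":
            continue
        total[e["host"]] += 1
        if e["mfa"] != "none":
            with_mfa[e["host"]] += 1
    return {h: with_mfa[h] / total[h] for h in total}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in unprotected_external_logins(evs):
        print(f"ALERT {e['ts']} {e['user']}@{e['host']} logged in without MFA")
    for host, frac in sorted(mfa_coverage(evs).items()):
        print(f"{host}: {frac:.0%} of successful logins used MFA")
```

Any host whose coverage is below 100% is a candidate for the same kind of enforcement gap the post describes, and a hit from the first check is worth treating as an incident rather than a configuration note.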