An enormous cyberattack on the healthcare technology giant Change Healthcare has disrupted a significant portion of the U.S. healthcare system for the second week in a row.
Hospitals struggled to verify insurance benefits for inpatient stays, obtain the necessary pre-approvals for patient procedures and surgeries, or process payments for medical services. Pharmacies grappled with determining how much to charge patients for prescriptions without access to their health insurance records, forcing some to pay for expensive medications out of pocket while others could not afford the costs.
Since Change Healthcare abruptly shut down its network on February 21 in an effort to contain the digital intruders, several smaller healthcare providers and pharmacies have been on edge, fearing financial crises as they struggle to pay their bills without a steady flow of reimbursements from insurers.
According to Change Healthcare's parent company, UnitedHealth Group, in a filing with regulators on Friday, the healthcare technology company is making "significant progress" in restoring its affected systems.
As the impact of the ongoing disruptions on patients and providers becomes clearer in the coming days, questions remain about the security of the most sensitive medical information of the millions of individuals whose records Change Healthcare handles.
A notorious Russia-based hacker group claiming credit for the cyberattack on Change Healthcare alleged, without yet providing evidence, that it stole vast amounts of private medical data containing millions of patient records from the healthcare technology giant. In a new twist, it appears that the hacker group faked its own death and disappeared after receiving a ransom payment worth millions in cryptocurrency.
If patient data was indeed stolen, the implications for affected patients are likely irreversible and will have lasting effects.
Change Healthcare is one of the world's largest healthcare technology and medical information providers, processing billions of healthcare transactions each year. Since 2022, the healthcare technology giant has been owned by UnitedHealth Group, the largest health insurance provider in the United States. Hundreds of thousands of physicians and dentists, as well as tens of thousands of pharmacies and hospitals across the U.S., rely on it to bill patients according to their healthcare insurance allowances.
That scale carries its own risk. U.S. antitrust regulators unsuccessfully sought to block UnitedHealth from acquiring Change Healthcare and merging it with its healthcare services subsidiary, Optum, alleging that UnitedHealth would gain an unfair competitive advantage by accessing "half of all Americans' healthcare insurance claims that move each year."
Meanwhile, Change Healthcare has repeatedly declined to say whether patient data was affected by the cyberattack. This has not reassured healthcare service managers, who fear that the fallout from the stolen data has yet to fully materialize.
In a letter dated March 1 to the U.S. government, the American Medical Association warned of "significant concerns for data privacy" amid concerns that the incident "resulted in widespread breaches of patient and physician information." AMA President Jesse Ehrenfeld was quoted as saying that Change Healthcare had not clarified which data was affected or stolen.
One cybersecurity director at a major U.S. hospital system told TechCrunch that despite being in continuous contact with Change and UnitedHealth, they have not heard anything yet about the security or integrity of patient records. The cybersecurity director expressed concern that the hackers might publish the stolen sensitive patient data online.
This individual said that Change's communications, which have gradually shifted from implying that data may have been compromised to acknowledging an active investigation with multiple companies responding to the incident, suggest it is only a matter of time before we learn how much was stolen, and from whom. Customers will bear some of the burden of this breach, the individual said, asking not to be quoted by name because they are not authorized to speak to the press.
Hacker Group Perpetrating Ransomware Schemes Pulls 'Exit Scam'
Now, it appears that the hackers have vanished, adding an unexpected twist to the situation.
UnitedHealth initially attributed the cyberattack to unidentified hackers without government backing, later retracted that claim, and then shifted blame to a group of Russia-based ransomware and extortion criminals known as ALPHV (also known as BlackCat), which has no known ties to any government.
Ransomware and extortion cybercrime syndicates typically engage in double-extortion tactics, first encrypting victims' data and then exfiltrating a copy for themselves, threatening to publish the data online if their ransom demands are not met.
On March 3, a partner of ALPHV/BlackCat (essentially an affiliate that profits from the cyberattacks it launches using the syndicate's ransomware software) complained in a post on a cybercrime forum that ALPHV/BlackCat had cheated them out of their profits. The partner alleged in the post that ALPHV/BlackCat kept the $22 million ransom that Change Healthcare supposedly paid to decrypt its files and prevent a data leak, as first reported by longtime security watchdog DataBreaches.net.
As evidence for their claims, the partner provided the exact crypto wallet address that ALPHV/BlackCat had used two days earlier to allegedly receive the ransom. The wallet showed a single transaction worth $22 million in Bitcoin at the time of the payment.
The partner added that despite losing their share of the ransom, the stolen data is "still with us," indicating that the affiliate still has access to a variety of stolen sensitive medical data and patient records.
UnitedHealth has refused to confirm whether it paid the ransom to the hackers, instead stating that the company is focused on its investigation. When TechCrunch asked UnitedHealth if it agrees with reports that it paid the ransom, the company's spokesperson did not respond.
On March 5, the ALPHV/BlackCat website disappeared in what researchers believe is an exit scam, in which hackers abscond with their newfound wealth to avoid retribution, or lie low and later rebrand as a new group.
The cybercrime group's dark web site was replaced with a mock law enforcement seizure screen. In December, a global law enforcement operation dismantled parts of ALPHV/BlackCat's infrastructure, but the syndicate quickly regrouped and soon began targeting new victims again. This time, cybersecurity researchers suspected the group's own scam was playing out rather than another law enforcement takedown.
A spokesperson for Britain's National Crime Agency, which was involved in last year's initial takedown operation of ALPHV/BlackCat, told TechCrunch that the seemingly seized website of ALPHV/BlackCat "is not the result of NCA activity." Other global law enforcement agencies denied involvement in the sudden disappearance of the group.
It is not uncommon for cybercrime syndicates to re-form or rebrand as a way to shed reputational damage, something they may do after a law enforcement action or after absconding with their illicit profits.
Even with a payment made, there is no guarantee that hackers will delete the data. The latest global law enforcement action aimed at disrupting LockBit's prolific ransomware operation found that cybercriminals do not always erase victims' data as they claim they will if a ransom is paid. Companies are beginning to realize that paying the ransom does not guarantee the return of their files.
For those on the frontlines of healthcare cybersecurity, the worst-case scenario is that stolen patient records become public.
The patient safety and economic impacts of this will be felt for years, the hospital cybersecurity director told TechCrunch.