May 24, 2024 By Jennifer Gregory 3 min read

UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attackers’ ransom demand. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.

Even though the ransom was paid, Witty shared that Change Healthcare did not get its data back. This is a common outcome of ransomware attacks, and it is one of the many reasons that many experts, including IBM, do not recommend paying the ransom. With proper backups and data recovery processes, organizations can quickly restore their own data and reduce business disruption. During 2023, ransomware payments like the one made by Change Healthcare reached an all-time high of $1.1 billion.

Testimony reveals details of the breach

According to Witty’s testimony, the ransomware gang BlackCat used compromised credentials on February 12 to remotely access a Change Healthcare Citrix portal, which provided remote desktop access. The portal was not using multi-factor authentication. On February 21, BlackCat deployed ransomware inside Change Healthcare’s information technology environment, encrypting all of Change’s systems so that they were inaccessible. Because leaders did not know the point of entry, they severed connectivity with Change’s data center, which prevented the malware from spreading outside Change’s environment to other UnitedHealth Group systems.

The 2024 X-Force Threat Intelligence Index identified BlackCat ransomware, which originated in November 2021, as a top ransomware family. Past BlackCat attacks have hit the healthcare, government, education, manufacturing and hospitality sectors, and the gang has been involved in several attacks where sensitive medical and financial data was leaked. By using the Rust programming language, BlackCat can customize its ransomware in ways that make it very challenging to detect and analyze. Additionally, BlackCat often attempts double extortion schemes as part of its attacks.

The ransomware attack on Change Healthcare compromised files containing protected health information (PHI) and personally identifiable information (PII). Witty said that the breach could involve a substantial proportion of the American population. However, he shared that at the time of his testimony, doctors’ charts or full medical histories did not appear to be in the data that was breached.


Far-reaching effects of the breach

An American Medical Association survey found that four in five clinicians lost revenue due to the widespread nature of the Change Healthcare breach, with 77% experiencing service disruptions. The survey also found that the majority of practice owners (55%) used personal funds to pay bills and payroll due to the billing crisis the situation created. Other disruptions included limited ability to approve prescriptions and medical procedures.

Change Healthcare has also reported that it has lost $872 million to the attack and expects its losses to rise to over $1 billion. With 24 lawsuits currently filed against Change Healthcare, the organization is asking to consolidate the claims into a class action lawsuit.

Change Healthcare CEO made decision to pay the ransom

Witty told Congress that he personally made the decision to make the ransom payment. He said it was one of the hardest decisions he’s ever made and one he wouldn’t wish on anyone. After the payment was made, threat actors still threatened to share the data on the dark web. The data still has not been fully identified and recovered.

Further complicating the recovery, a BlackCat affiliate, RansomHub, leaked at least some of the stolen data and attempted additional extortion. RansomHub shared screenshots of the leaked data and offered it to the highest bidder on the dark web. In large breaches such as Change Healthcare, double extortion attempts are not uncommon and are part of the reason many warn against paying the ransom.

Notifying impacted parties

As Change Healthcare works through the recovery process, Witty told Congress that the company is still working to determine who was impacted by the breach and to issue notifications. However, many healthcare organizations and groups feel the process should be expedited. On May 8, the American Hospital Association wrote a formal letter on behalf of its members requesting a formal notification process.

“It is important, however, that UHG officially inform the Department of Health and Human Services Office for Civil Rights (OCR) and state regulators that UHG will be solely responsible for all breach notifications required under law and provide them with a timeline for when those notifications will occur,” wrote the AHA.

As the situation continues to evolve, especially the ramifications of the Congressional hearing, the effects of this large and widespread breach will continue to unfold.
