May 24, 2024 By Jennifer Gregory 3 min read

UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker’s ransom demand. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.

Even though it made the ransom payment, Witty shared that Change Healthcare did not get its data back. This is a common occurrence with ransomware attacks, and it’s one of the reasons many experts, including IBM, do not recommend paying ransoms. With proper backups and data recovery processes, organizations can quickly restore their own data and reduce business disruptions. During 2023, ransomware payments like the one made by Change Healthcare reached an all-time high of $1.1 billion.

Testimony reveals details of the breach

According to Witty’s testimony, the ransomware gang BlackCat used compromised credentials to remotely access a Change Healthcare Citrix portal, which enabled remote desktop access, on February 12. The portal was not utilizing multi-factor authentication. BlackCat then deployed ransomware on February 21 inside Change Healthcare’s information technology environments, which encrypted all of Change’s systems so they were inaccessible. Because leaders did not know the point of entry, they severed connectivity with Change’s data center, which prevented the malware from spreading outside Change’s environment to other UnitedHealth Group systems.

The 2024 X-Force Threat Intelligence Index identified BlackCat ransomware, which originated in November 2021, as a top ransomware family. Past BlackCat attacks have hit the healthcare, government, education, manufacturing and hospitality sectors, and the gang has been involved in several attacks where sensitive medical and financial data was leaked. By using the Rust programming language, BlackCat can customize ransomware in ways that make it very challenging to detect and analyze. Additionally, BlackCat often attempts double extortion schemes as part of its attacks.

The ransomware attack on Change Healthcare compromised files containing protected health information (PHI) and personally identifiable information (PII). Witty said that the breach could involve a substantial proportion of the American population. However, he shared that at the time of his testimony, doctors’ charts or full medical histories did not appear to be in the data that was breached.


Far-reaching effects of the breach

An American Medical Association survey found that four in five clinicians lost revenue due to the widespread nature of the Change Healthcare breach, with 77% experiencing service disruptions. The survey also found that the majority of practice owners (55%) used personal funds to pay bills and payroll due to the billing crisis the situation created. Other disruptions included limited ability to approve prescriptions and medical procedures.

Change Healthcare has also reported that it has lost $872 million to the attack and expects its losses will rise to over $1 billion. With 24 lawsuits currently filed against Change Healthcare, the organization is asking to consolidate the claims into a class action lawsuit.

Change Healthcare CEO made decision to pay the ransom

Witty told Congress that he personally made the decision to make the ransomware payment. He said it was one of the hardest decisions he’s ever made and one he wouldn’t wish on anyone. After the ransomware payment was made, threat actors still threatened to share the data on the dark web. All the data still has not been identified and recovered.

Further complicating the recovery, a BlackCat affiliate, RansomHub, leaked at least some of the stolen data and attempted additional extortion. RansomHub shared screenshots of the leaked data to the highest bidder on the dark web. In large breaches, such as Change Healthcare, double ransomware attempts are not uncommon and are part of the reason many warn against paying the ransom.

Notifying impacted parties

As Change Healthcare is working through the recovery process, Witty told Congress that they are still working to determine who was impacted by the breach and issue notifications. However, many healthcare organizations and groups feel the process should be expedited. On May 8, the American Hospital Association wrote a formal letter on behalf of its members requesting a formal notification process.

“It is important, however, that UHG officially inform the Department of Health and Human Services Office for Civil Rights (OCR) and state regulators that UHG will be solely responsible for all breach notifications required under law and provide them with a timeline for when those notifications will occur,” wrote the AHA.

As the situation continues to evolve, especially the ramifications of the Congressional hearing, the effects of this large and widespread breach will continue to unfold.

