One of the largest and most disruptive cyberattacks ever to hit the U.S. healthcare sector began in February 2024, when ransomware struck Change Healthcare, a unit of UnitedHealth Group.
The attack was carried out by the cybercriminal group ALPHV, also known as BlackCat. Ransomware of this kind encrypts the victim's data and demands payment for the decryption key; frequently the attackers also steal data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion).
The attackers' initial point of access was a Citrix remote access portal at Change Healthcare on which multifactor authentication (MFA) had not been enabled; they simply logged in with compromised credentials. This fundamental control could have stopped the unauthorized access. Before launching the ransomware, the attackers (who most likely obtained the credentials through phishing or a prior compromise) moved laterally through the network and exfiltrated confidential data.
Change Healthcare took its systems offline on February 21, 2024, after detecting a cybersecurity threat; this was the public start of the incident. By February 26 the American Hospital Association had issued a public warning about the widespread impact. BlackCat claimed responsibility on February 28. By the beginning of March, UnitedHealth had paid the attackers $22 million in Bitcoin. Although UnitedHealth worked through March and April to limit the damage and restore services, significant outages persisted into April, and full restoration was expected to take several months.
The attack was attributed to ALPHV/BlackCat, a financially motivated cybercriminal group whose principal aim is extracting ransom payments from its victims. The group is known for its ransomware-as-a-service (RaaS) model, in which affiliates use its ransomware tooling and infrastructure in return for a cut of the ransom proceeds. Healthcare data commands a high price on dark-web markets, and the services Change Healthcare provides are critical to the sector, so the attackers could reasonably expect the ransom to be paid; that combination made it a highly lucrative target.
The financial impact has been enormous. UnitedHealth reported that the attack cost the company over $870 million in the first quarter of 2024 alone: nearly $600 million went to system restoration and response, and the remainder was lost revenue and business interruption. The full-year cost was estimated at between $1.4 billion and $1.6 billion. On top of that, UnitedHealth paid the attackers a $22 million ransom in an effort to prevent publication of the stolen data. The long-term cost may be much higher once ongoing remediation, legal costs and possible regulatory fines are counted.
The attack severely disrupted the operations of the U.S. healthcare system. Change Healthcare handles more than 15 billion medical transactions a year, and its outage stalled claims and payment processing for hospitals, insurers, pharmacies and medical groups across the country. Many providers ran into cash-flow problems as a result, and some smaller clinics faced existential financial crises. Patient care was also delayed while clinicians and staff found manual workarounds for the unavailable systems. UnitedHealth's restoration effort has been slow and labor-intensive, and full recovery was expected to take several months.
Following the cyberattack on UnitedHealth's Change Healthcare unit, these are the lessons learned:
The first lesson of the UnitedHealth attack is that basic security controls have to be deployed everywhere, not just on paper. Multifactor authentication (MFA), a fundamental yet essential control, was not enabled on the Citrix remote access portal the attackers used. Enforce MFA on every externally reachable service (VPN gateways, remote desktop and Citrix portals, webmail, cloud consoles) and verify that enforcement continuously rather than assuming it. To identify and contain intrusions quickly, organizations should also invest in robust encryption, automated vulnerability scanning, patch management, behavior-based endpoint anti-malware and endpoint detection and response (EDR).
The attack also exposed the weakness of legacy technology. Change Healthcare's systems were not segmented and some of them were old, so the ransomware was able to reach both the primary and the backup environments. Modernizing IT infrastructure, including network segmentation and the adoption of cloud platforms with built-in security features, substantially improves resilience against attacks. For organizations still running outdated technology, this should be a top priority.
The attack also showed how much depends on trustworthy backup and recovery. UnitedHealth's inadequate backup procedures made it difficult to rebuild the encrypted systems. Rapid recovery becomes realistic when an organization follows the 3-2-1 rule (three copies of the data, on two different media, with one copy off-site and ideally offline or immutable so that ransomware cannot reach it) and routinely tests its backups both for malware and for restorability. Cloud disaster recovery services can add a further layer of protection.
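Testing backups "for functionality", as the paragraph above recommends, means actually restoring them and checking the result, not just confirming the job ran. The script below is an added example, not a tool used by UnitedHealth or Change Healthcare: it records a SHA-256 manifest when the backup is taken, later restores the archive into a scratch directory, and reports any file that is missing, altered or unexpected. The sample files and their contents are constructed for the demo.

```python
"""Backup restore test: take a tar.gz backup with a SHA-256 manifest, restore it
to a scratch directory and verify every file against the manifest.
Added example; the sample data and paths are constructed, not real."""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src, archive, manifest_path):
    """Archive src and record the manifest beside it (store the manifest
    somewhere the backup media cannot overwrite it in a real deployment)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    Path(manifest_path).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive, manifest_path):
    """Restore into a fresh directory and compare with the manifest.
    Returns (ok, problems); an unreadable archive is itself a problem."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # safe extraction, Python >= 3.12
                except TypeError:  # older Python without the filter argument
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return False, [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return (not problems), problems


def demo(tamper=False):
    """Back up a constructed two-file data set and run the restore test.
    With tamper=True the backup copy is rewritten after the manifest was
    recorded, simulating a silently altered or partially lost copy."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "claims")
        src.mkdir()
        (src / "batch-001.edi").write_text("ISA*00*constructed sample claim batch 1~")
        (src / "batch-002.edi").write_text("ISA*00*constructed sample claim batch 2~")
        archive = Path(work, "claims.tar.gz")
        manifest = Path(work, "claims.manifest.json")
        take_backup(src, archive, manifest)
        if tamper:
            (src / "batch-001.edi").write_text("ISA*00*silently altered~")
            (src / "batch-002.edi").unlink()
            with tarfile.open(archive, "w:gz") as tar:
                tar.add(src, arcname=".")
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("clean backup:", demo())
    print("tampered backup:", demo(tamper=True))
```

In production the manifest should live on a different medium from the archive it describes (for example with the off-site copy), and the restore test should run on a schedule against the copy you would actually recover from; a test that only ever touches the on-site copy says nothing about the one that survives an attack.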
Artificial intelligence (AI) and machine learning have made attacks more sophisticated, so ongoing education is necessary for everyone from board members to frontline staff. Regular security awareness training should cover current social engineering techniques such as phishing and MFA fatigue (bombarding a user with push notifications until one is approved out of annoyance). Organizations should also invest in AI- and ML-assisted detection and response tooling; such tools help analysts triage the large volumes of telemetry and threat intelligence that would otherwise go unread.
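Two of the lessons above, enforcing MFA on externally reachable portals and watching for MFA fatigue, can both be checked from authentication logs. The script below is an added example, not code from the original page or from any Citrix or UnitedHealth product: it reads a constructed, simplified log format (one line per event with `portal=`, `user=`, `src=`, `event=` and `mfa=` fields; real gateway logs differ) and flags (a) logins to an internet-facing portal that completed with no MFA factor and (b) bursts of push challenges to one user within a short window, noting whether an approval followed the burst. The portal inventory, thresholds and sample lines are assumptions made for the demo.

```python
"""Detect logins without MFA on external portals and MFA-fatigue push bursts.
Added example: log format, portal inventory, thresholds and sample lines are
all constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). jdoe logs in to the VPN gateway with
# no MFA; asmith completes a normal push login; bwong receives five pushes in
# under three minutes and finally approves one.
SAMPLE_LOG = """\
2024-02-12T02:14:03Z portal=vpn-gw user=jdoe src=203.0.113.8 event=login_ok mfa=no
2024-02-12T02:14:05Z portal=vpn-gw user=asmith src=198.51.100.20 event=mfa_push mfa=yes
2024-02-12T02:14:09Z portal=vpn-gw user=asmith src=198.51.100.20 event=mfa_ok mfa=yes
2024-02-12T02:14:11Z portal=vpn-gw user=asmith src=198.51.100.20 event=login_ok mfa=yes
2024-02-12T03:00:01Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_push mfa=yes
2024-02-12T03:00:31Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_denied mfa=yes
2024-02-12T03:01:02Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_push mfa=yes
2024-02-12T03:01:40Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_push mfa=yes
2024-02-12T03:02:15Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_push mfa=yes
2024-02-12T03:02:50Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_push mfa=yes
2024-02-12T03:03:20Z portal=vpn-gw user=bwong src=203.0.113.77 event=mfa_ok mfa=yes
2024-02-12T03:03:22Z portal=vpn-gw user=bwong src=203.0.113.77 event=login_ok mfa=yes
"""

EXTERNAL_PORTALS = {"vpn-gw"}          # assumed inventory of internet-facing services
FATIGUE_THRESHOLD = 4                  # assumed: this many pushes to one user ...
FATIGUE_WINDOW = timedelta(minutes=5)  # ... within this window is a fatigue burst


def parse_line(line):
    """'<ts> k=v k=v ...' -> dict with a parsed datetime under 'ts'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def logins_without_mfa(records):
    """Successful logins on an external portal that carried no MFA factor."""
    return [(r["user"], r["src"], r["portal"]) for r in records
            if r["event"] == "login_ok" and r["mfa"] == "no"
            and r["portal"] in EXTERNAL_PORTALS]


def mfa_fatigue_bursts(records, threshold=FATIGUE_THRESHOLD, window=FATIGUE_WINDOW):
    """Sliding-window count of push challenges per user; one alert per user,
    recording whether an approval landed within `window` after the burst."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for r in records:
        if r["event"] == "mfa_push":
            pushes[r["user"]].append(r["ts"])
        elif r["event"] == "mfa_ok":
            approvals[r["user"]].append(r["ts"])
    alerts = []
    for user, times in pushes.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                approved = any(times[end] <= t <= times[end] + window
                               for t in approvals[user])
                alerts.append({"user": user, "first": times[start], "last": times[end],
                               "pushes": end - start + 1, "approved_after": approved})
                break
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("logins without MFA on external portals:", logins_without_mfa(recs))
    print("MFA fatigue bursts:", mfa_fatigue_bursts(recs))
```

The first check is the one that would have mattered here: a single "login_ok mfa=no" on an internet-facing gateway is a control failure regardless of who the user is, and it is cheap to alert on. The fatigue check is deliberately conservative (it fires on the fourth push, not the first denial), and an `approved_after` of true should be treated as a probable compromise rather than a user complaint.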
The attack drew intense regulatory scrutiny, including investigations by the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS), among others. To avoid large fines and penalties, organizations must ensure they comply with laws such as HIPAA and the California Consumer Privacy Act (CCPA). Proactive engagement with regulators and transparent communication about security measures and incident response reduce regulatory risk.
Here are the recommendations and actions UnitedHealth Group has implemented:
(The "Recommendations" section was added and updated on 2024-04-22 after reading the article "UnitedHealth Group Updates on Change Healthcare Cyberattack".)