As Change Healthcare disruption grows, fears grow that patient data could spread online

Cyber ​​attack on America Health tech giant Change Healthcare has shut down the US healthcare system for the second consecutive week.

Hospitals have been unable to check the insurance benefits of a patient’s stay, handle the prior authorizations required for inpatient procedures and surgeries, or handle the billing process that pays for medical services. Pharmacies have struggled to determine how much to charge patients for prescriptions without access to their health insurance records, forcing some to pay cash out of pocket for expensive drugs, while others are unable to afford the costs. Are incapable of.

Since Change Healthcare abruptly shut down its network on Feb. 21 in an effort to stop digital intruders, some smaller healthcare providers and pharmacies have warned of cash reserves draining as they go without a steady flow of reimbursements from insurance giants. Struggling to pay their bills and employees. ,

Change Healthcare’s parent company UnitedHealth Group said in a filing with government regulators on Friday that the health tech company is making “substantial progress” in restoring its affected systems.

As the near-term impact of the ongoing outages on patients and providers becomes clearer, questions remain about the security of millions of people’s highly sensitive medical information handled by Change Healthcare.

From Russia, a prolific ransomware gang taking credit for the cyberattack on Change Healthcare claimed — without publishing evidence — that it stole vast banks containing millions of patients’ private medical data from the health technology giant’s systems. In a new twist, it now appears that the ransomware gang has faked its own demise and is off the map after receiving a ransom payment of millions in cryptocurrency.

If patient data is stolen, the consequences for affected patients are likely to be irreversible and lifelong.

Change Healthcare is one of the world’s largest providers of health and medical data and patient records, handling billions of healthcare transactions annually. Starting in 2022, the health tech giant is owned by UnitedHealth Group, the largest health insurance provider in the United States. Hundreds of thousands of physicians and dentists, as well as thousands of pharmacies and hospitals across America, rely on it to bill patients as their health insurance benefits allow.

That size presents a particular risk. U.S. antitrust authorities unsuccessfully sued to prevent UnitedHealth from purchasing Change Healthcare and merging with its health care subsidiary Optum, arguing that UnitedHealth would be “deprived of access to health insurance by all Americans who pass each year.” Gaining access to approximately half of the claims would provide an unfair competitive advantage.

For its part, Change Healthcare has so far repeatedly avoided saying whether patient data was compromised in the cyber attack. That hasn’t calmed healthcare officials, who are worried that the data-related fallout from the cyberattack is yet to come.

In a letter to the US government dated March 1, the American Medical Association warned of “significant data privacy concerns” amid fears that the incident “resulted in a widespread breach of patient and physician information.” AMA President Jesse Ehrenfeld was quoted by reporters as saying that Change Healthcare “has provided no clarity about what data was compromised or stolen.”

A cybersecurity director at a large US hospital system told TechCrunch that although they have been in regular contact with Change and UnitedHealth, they have heard nothing yet about the security or integrity of patient records. The cybersecurity director expressed concern over the possibility of hackers potentially publishing stolen sensitive patient data online.

This person said Change’s communications, which have gradually moved from suggesting that the data could be exfiltrated, to acknowledging an active investigation with multiple incident response firms, suggest that it knew. It’s only a matter of time before how much is stolen, and from whom. Customers will bear some of the burden of this hack, this person said, asking not to be named because they were not authorized to speak to the press.

Ransomware gang pulls out ‘exit scam’

Now, it seems that the hackers have disappeared, adding to the unpredictability of the situation.

UnitedHealth initially attributed the cyberattack to unspecified government-backed hackers, but later retracted its claim and later blamed it on a Russia-based ransomware and extortion cybercrime group known as ALPHV (also known as BlackCat). But Madha, who has no known connection with any government. ,

Ransomware and extortion gangs are financially motivated and typically employ a dual-extortion strategy, first scraping the victim’s data with file-encrypting malware, then swiping a copy for themselves and demanding a ransom. Threaten to publish the data online if payment is not made.

On March 3, an associate of ALPHV/BlackCat – effectively a contractor who earns commission for cyberattacks launched using the ransomware gang’s malware – complained in a posting on a cybercrime forum, claiming that ALPHV /Blackcat cheats associates out of their earnings. The associate claimed in the post that ALPHV/BlackCat stole the $22 million ransom that Change Healthcare reportedly paid to decrypt its files and prevent the data leak, as first reported by veteran security observer DataBreaches. net had reported.

As proof of his claims, the associate provided the exact crypto wallet address that ALPHV/Blackcat had allegedly used two days earlier to receive the ransom. At the time of the payment the wallet showed a single transaction worth $22 million in Bitcoin.

The associate said that despite losing its share of the ransom, the stolen data “is still with us,” suggesting that the victimized associate still had access to reams of sensitive medical and patient data stolen.

UnitedHealth has declined to confirm to reporters whether it paid the hackers’ ransom, instead saying the company is focusing on its own investigation. When TechCrunch asked UnitedHealth if it denied reports that it paid a ransom, a company spokesperson did not respond.

By March 5, ALPHV/Blackcat’s website had disappeared, in what researchers believe to be an exit scam, where the hackers run away with their new fortune and are never seen again, or remain silent. And later reform as a new gang.

The gang’s dark web website was replaced with a splash screen that purported to be a law enforcement seizure notice. In December, a global law enforcement operation took down parts of ALPHV/Blackcat’s infrastructure, but the gang returned and soon began targeting new victims. But this time, security researchers Suspicious Instead of another legitimate takedown attempt, the gang’s own deception is underway.

A spokesperson for the UK National Crime Agency, which was involved in the initial ALPHV/BlackCat disruption operation last year, told TechCrunch that the apparently seized website of ALPHV/BlackCat “is not the result of NCA activity.” Other global law enforcement agencies also denied any involvement in the group’s sudden disappearance.

It is not uncommon for cybercrime gangs to reform or rebrand to get rid of reputational issues, as one might do after being busted by law enforcement action or after parting ways with an associate’s ill-gotten gains.

Even after payment, there is no guarantee that hackers will delete the data. A recent global law enforcement action aimed at disrupting the prolific Lockbit ransomware operation found that the cybercriminal gang did not always delete victim data as it claimed it would if a ransom was paid. . Companies have begun to acknowledge that paying a ransom does not guarantee the return of their files.

For those on the front lines of healthcare cybersecurity, the worst-case scenario is that stolen patient records become public.

The hospital’s cybersecurity director told TechCrunch that its patient safety and economic impact will be felt for years.

Do you work at Change Healthcare, Optum or UnitedHealth and know more about cyberattacks? Contact us on Signal and WhatsApp at +1 646-755-8849 or by email. You can also send files and documents through SecureDrop.