Unfortunately, It’s been a good year for Ransomware groups: Here in Chicago we saw Lurie's Children’s Hospital severely hampered by “a cybersecurity incident” that took them offline for over a month, which we have recently learned was caused by the Rhysida ransomware group. In their case, they were able to restore operations without paying the $3.4 million ransom.[1][2]

[1] https://www.beckershospitalreview.com/cybersecurity/hackers-say-they-sold-lurie-childrens-hospital-data-for-3-4m.html

[2] https://www.msn.com/en-us/health/other/chicagos-lurie-childrens-hospital-reactivating-mychart-after-cyberattack/ar-BB1jUmZu

The same cannot be said for Change Healthcare, a subsidiary of United Healthcare. Change Healthcare manages the payments for thousands of healthcare providers, serving as the middleman between insurers, providers, and patients. As part of this process, they also facilitate the patient’s prescriptions, intermediating between the insurer, provider, and pharmacy. As such, they serve as a keystone in a lot of healthcare interactions, and we know what happens when a keystone is removed.[3]

[3] https://www.nytimes.com/2024/02/26/health/cyberattack-prescriptions-united-healthcare.html?searchResultPosition=8

On 21 February, Change Healthcare was taken off-line, apparently due to a ransomware attack by the AlphV ransomware group. Immediately, providers stopped getting paid. Furthermore, patients couldn’t get payment authorization for their prescription refills and had to pay out of pocket – and then they couldn’t even get the refill authorization, cutting off access to critical medications.[4]

[4] https://techcrunch.com/2024/02/29/unitedhealth-change-healthcare-ransomware-alphv-blackcat-pharmacy-outages/

A quick history lesson: most people will remember the Colonial Pipeline ransomware attack in mid-2021. This attack was perpetuated by the DarkSide ransomware group, who was apparently unprepared for the degree of heat brought on by the US law enforcement and intelligence response. As a result, shortly after the Colonial Pipeline ransom payment, the group dissolved (law enforcement was later able to recover much but not all of the payment).[5] When the DarkSide members scattered to the wind, it is believed that many of them reformed into the AlphV ransomware group, which was first seen operating in late 2021.[6]

When Change Healthcare had no quick fix, they offered to pay providers pennies on the dollar until they could restore their systems. Unfortunately, most landlords don’t accept pennies on the dollar, making most practices using Change Healthcare across the country delinquent on their rent and other bills, and threatening to close many of them.[7]

[5] https://www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html

[6] https://www.wired.com/story/alphv-blackcat-ransomware-doj-takedown/

[7] https://healthitsecurity.com/news/optum-offers-temporary-funding-assistance-for-change-healthcare-customers

Change Healthcare’s parent, United Healthcare, quickly felt pressure from all sides. As of this writing, the US Department of Health and Human Services Office of Civil Rights (HHS OCR) has opened an investigation into the incident.[8] Additionally, six lawsuits have been filed against Change Healthcare and United Healthcare, with a motion to grant class-action status.[9]

[8] https://www.hhs.gov/about/news/2024/03/13/hhs-office-civil-rights-issues-letter-opens-investigation-change-healthcare-cyberattack.html

[9] https://www.healthcaredive.com/news/change-healthcare-cyberattack-lawsuits/709617/

Under this pressure, a $22 million payment was made to the AlphV group. Change Healthcare has not confirmed that they made the payment, but given the magnitude of the attack and the timing, analysts agree it was almost certainly made by Change Healthcare or on their behalf. Ransomware operates like a franchise: there are a handful of global “chains” like AlphV who provide the tools and service. Individual operators (the franchisees, if you will) go around attacking victims like Change Healthcare, installing the ransomware tool when they are successful. The ransomware group collects the payment and then pays a share to the franchisee. Given this background, things get interesting: shortly after the $22 million payment was made, AlphV went offline, putting up a fake message that they had been taken down by US law enforcement (an analysis shows that the message was copied from a different takedown). The “franchisee” who broke into Change Healthcare posted on the darkweb that AlphV stiffed them on their payment. Once again, the same people who took the money and ran from Colonial Pipeline did the same thing to Change Healthcare.[10]

[10] https://arstechnica.com/security/2024/03/alphv-ransomware-site-claims-it-was-seized-by-fbi-researchers-suspect-22m-scam/

Most notably, it appears that Change Healthcare did not receive the decryption keys, leaving them to continue the arduous process of restoring their systems by hand. Here we are some takeaways from this ransomware attack on Change Healthcare:

1. When attacked with Ransomware, don’t bother trying to pay the ransom. It seems like a quick fix, but you are very likely to be out the money with no fix.

2. While the HHS OCR is investigating if Change Healthcare was out of compliance with the Health Insurance Portability and Accountability Act (HIPAA), we would caution that HIPAA compliance alone is a necessary but insufficient part of an organization’s information security posture. In particular, HIPAA is almost 30 years old, and its security rule is over 10 years old, so it has not kept pace with modern threats, which is likely one of the chief reasons we see healthcare organizations successfully breached time and time again. For example, it does not mandate two-factor authentication. If you are a healthcare organization, Scalesology can help ensure that you are not only HIPAA compliant, but that your information security posture is appropriate for modern threats.

3. Ensure that you have frequent – even hourly – reliable backups that are inaccessible from the rest of your systems and that your systems can be rapidly restored from. Ransomware is completely ineffective if all an organization has to do is run a command to wipe and reload its systems to the last known, good state. Scalesology can help you design and implement such a robust backup solution.

We hope that in the wake of AlphV taking the money and running from Change Healthcare that organizations will stop paying ransoms altogether. Ransomware only stays around because organizations pay. Until that happens, however, you need a partner like Scalesology to ensure your organization is protected. 

The best way to not pay a ransom is to avoid the attack in the first place.  Scalesology can help.  Our Risk Assessment identifies risks, threats, and holes in your technology systems.  Scalesology looks at the technology infrastructure landscape not just in your industry or business, but globally, tapping into key trends and emerging threats.  Technology evolves rapidly, and checklists are insufficient; you need to have a view of the entire landscape to be effective considering people, processes, and technology. Our holistic approach provides peace of mind by reviewing not just the external, but internal threats and all steps and processes in between. 

Ready to get started?  Contact Scalesology today and let’s make sure you are securely scaling your technology.