The Change Healthcare Cyberattack Is Still Rocking Healthcare in the U.S.
How impactful can one cyberattack really be? Well, the answer is, apocalyptic. The recent ransomware attack on Change Healthcare, conducted by Russia-aligned cybergang BlackCat, has sent a shockwave through the healthcare industry — and the reverberations continue to be felt. This incident serves as an excellent example of just how damaging a successful cyberattack at a major service provider can be and why it is critical for businesses to take supply chain risk seriously and ensure they have robust protection against cyberthreats from service providers and third parties.
This is an ongoing incident. The data presented was accurate at press time.
Learn about the challenges that MSPs face in 2024 in Datto’s State of the MSP 2024 Report. GET YOUR COPY>>
Why did BlackCat target Change Healthcare?
Change Healthcare is a division of Optum and is owned by UnitedHealth Group. Change Healthcare offers a suite of healthcare solutions focused on improving operational efficiency, patient outcomes and financial productivity for providers. Its services include connecting healthcare systems, labs, pharmacies, radiology centers and payers, simplifying enterprise imaging, streamlining workflows, enhancing care coordination and supporting the transition to value-based care. Change Healthcare processes 15 billion financial and other transactions annually for doctors, hospitals, pharmacies and other health entities in the United States.
Change Healthcare is arguably the most prominent clearinghouse for insurance billing and payments in the U.S. The sheer amount of financial and personal data managed by the company is incredibly valuable to bad actors, not to mention it would be unable to tolerate much downtime, making it more likely to pay a ransom. Considering the spotty relationship the healthcare sector had with cybersecurity up until this point, the ransom and data sale potential of the operation made Change Healthcare an irresistible, low-hanging fruit.
Datto EDR’s Ransomware Rollback rolls data and systems back to their pre-attack state in minutes SEE HOW IT WORKS>>
The timeline of events
Now that we understand Change Healthcare’s role in the healthcare industry and BlackCat’s potential motivations, let’s dive into the nitty-gritty of how BlackCat’s ransomware attack severely disrupted the lives of patients and the operational efficiency of health systems throughout the nation. Here are some quick reference notes about this monster cyberattack.
- Attack date: The cyberattack on Change Healthcare was first disclosed on February 21, 2024.
- Perpetrator: The BlackCat ransomware group, also known as ALPHV, was confirmed to be behind the attack.
- Impact: The attack led to significant disruptions across the U.S. healthcare system, affecting electronic pharmacy refills, hospital and clinic billing, Medicare and Medicaid payment processing, and other health and insurance transactions.
- Response: UnitedHealth Group, the parent company, responded by working with law enforcement and cybersecurity experts to mitigate the attack’s impact and restore services.
- The ransom: The company purportedly paid a $22 million ransom.
- Broader implications: The incident emphasizes the ongoing threat to the healthcare industry and the importance of robust protection measures.
What should you be looking for in an EDR solution? This checklist helps you make a smart choice! GET IT>>
BlackCat has as many lives as its namesake
The notorious cybercrime group BlackCat, also called ALPHV, successfully executed a ransomware attack on Change Healthcare on February 21, 2024. Ransomware, a type of malicious software designed to block access to a computer system or data until a ransom is paid, is the signature weapon of most major cybercrime groups. BlackCat, known for its sophistication, has emerged as a formidable entity in the cybercrime underworld, engaging in numerous high-profile ransomware attacks across various sectors.
After conducting a major operation to dismantle BlackCat’s operations that walloped the gang in 2023, U.S. officials, including The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), released a warning in February 2024 about the escalating threat the group posed to healthcare entities as BlackCat roared back to life.
Learn how to identify and mitigate malicious and accidental insider threats before there’s trouble! GET EBOOK>>
The attack on Change Healthcare
In a stunning strategic attack, the BlackCat ransomware group compromised Change Healthcare on February 21, 2024, deploying ransomware that led to widespread disruptions that affected its network of clients and their customers. BlackCat was also able to steal an undetermined amount of data on patients, estimated by UnitedHealthcare as “a substantial proportion of people in America.” The attack, which unfolded over several days, severely impacted the U.S. healthcare system’s operations, notably affecting electronic pharmacy refills and insurance transactions.
According to the American Hospital Association, open-source statements and press reports have identified exploitation of the ConnectWise vulnerability as a factor in this cyberattack. The U.S. government had previously recommended that all organizations immediately patch this vulnerability, highlighting the critical nature of this security gap and its potential use by cybercriminals to gain unauthorized access to systems.
The aftermath of the attack
Every aspect of the U.S. healthcare sector, as well as the patients it serves, was negatively impacted by the Change Healthcare ransomware disaster. This chart, summarizing the broad effects of the BlackCat ransomware group’s cyberattack on Change Healthcare, illustrates the ripples of damage caused by the attack.
| Impacted Entity | Outcome |
| Pharmacies | The cyberattack led to disruptions in electronic pharmacy refills, causing delays and challenges in timely medication receipts. This situation posed health risks, especially for those dependent on critical medications. The compromised access to insurance information can further cause administrative delays, gaps in care delivery or out-of-pocket expenses for treatments or prescriptions. |
| Insurance claims processing | Change Healthcare’s role as a major healthcare transaction processor was directly impacted, leading to backlogs in processing insurance claims. This situation affected many healthcare providers’ revenue cycles, delaying necessary medical treatments for patients awaiting insurance approval, which increased administrative burdens. |
| Billing | The attack complicated billing processes, leading to delays in issuing and processing payments. Healthcare providers faced challenges in accurately billing patients, which led to financial strains for both providers and patients. Smaller practices, in particular, experienced significant impacts on cash flow due to the inefficiency in payment processing. |
| Doctors’ offices | According to an American Medical Association (AMA) survey of the practices and clinics impacted by the cyberattack, the incident had a cascade of damaging effects on medical offices. The AMA reports that 31% of their survey respondents were unable to make payroll, 55% of respondents had to use personal funds to cover practice expenses and 44% were unable to purchase supplies. |
| Patients | The breakdown of doctors, clinics and pharmacies put public health at risk. Patients were forced to miss important treatments and left without essential medications and medical equipment. |
| UnitedHealth’s finances | UnitedHealth, the parent company of Change Healthcare, expects this attack to cost them $1.6 billion. That amount does not include the ransom that UnitedHealth paid, estimated to be $22 million. UnitedHealth reported $872 million in unfavorable effects from this attack in its Q1 earnings report. Cyberattack impacts in that quarter resolved at $0.74 per share, with the company estimating full-year impacts of $1.15 to $1.35 per share. |
| Hospitals | In a survey of 1,000 hospitals from March 9-12, 2024, the American Hospital Association (AHA) discovered that more than 80% of hospitals said the cyberattack affected their cash flow, and of those, nearly 60% reported that the impact on revenue to be $1 million per day or more. The AHA survey also found that 74% of hospitals reported impacts to direct patient care because of the cyberattack |
Learn how to spot today’s most dangerous cyberattack & get defensive tips in Phishing 101 GET EBOOK>>
Healthcare sectors must plan to move toward better security
The incident has spurred a collective industry response, with healthcare organizations across the world reevaluating and enhancing their cybersecurity protocols. The attack serves as a wake-up call, prompting a thorough examination of security measures and the implementation of more effective defenses in a healthcare organization’s IT environment. According to the HIPAA Journal, 56% of healthcare organizations report allocating less than 10% of their IT budget to cybersecurity.
UnitedHealth Group’s proactive measures, including a loan program to aid affected providers, is a step in the right direction to righting the ship and getting the U.S. healthcare system back on its feet. UnitedHealth said that they provided an estimated $6 billion in advance funding and interest-free loans to impacted care providers. This unprecedented step is an indicator of the company’s resolve to support recovery and remediation, serving notice to other insurers that they need to be prepared to shell out in the event of similar trouble.
See why choosing a smarter SOC is a smart business decision. DOWNLOAD AN EBOOK>>
The Change Healthcare cyberattack ushers in a new era of supply chain risk
Cyberthreats will continue to evolve and so must the defenses of healthcare organizations, necessitating ongoing vigilance, investment in cutting-edge security technologies and adherence to best practices in cybersecurity management. The FBI’s Internet Crime Complaint Center (IC3) 2023 Report states, “Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.”
The attack currently stands as an important and very necessary reminder of the cybersecurity challenges the healthcare industry must address immediately. It highlights the necessity for relentless vigilance and robust cybersecurity measures to protect sensitive health information and ensure the continuity of healthcare services. Allan Liska, a threat intelligence analyst at Recorded Future had this to say, “As far as we can tell, the attack is being contained. We don’t think it’s going to get worse. But when you have a critical system like this that’s down for an extended period — the longer it’s down and the longer that recovery takes, the more impact it’s going to have on patient care.”
As the industry moves forward, this incident will undoubtedly shape the future of cybersecurity in healthcare, reinforcing the importance of cyber-readiness and resilience in the face of evolving cyberthreats. It is imperative for the healthcare industry to become thoroughly proactive in implementing the latest cybersecurity practices to fend off modern cyberthreats and prevent further disastrous events like the Change Healthcare cyberattack.
Learn more about growing supply chain risk for businesses and how to mitigate it in a fresh eBook. DOWNLOAD IT>>
Kaseya’s Security Suite Helps Businesses Mitigate All Types of Cyber Risk Affordably
Kaseya’s Security Suite has the tools that MSPs and IT professionals need to mitigate cyber risk effectively and affordably, featuring automated and AI-driven features that make IT professionals’ lives easier.
BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.
Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.
Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.
RocketCyber Managed SOC — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud.
Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).
Vonahi Penetration Testing – How sturdy are your cyber defenses? Do you have dangerous vulnerabilities? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.
Learn more about our security products, or better yet, take the next step and book a demo today!
Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>
Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!
Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>
See Graphus in action in an on-demand video demo WATCH NOW>>
Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!