The Latest on Ransomware Attack Affecting U.S. Health Care System

The concern is that, while Change’s systems are down, many hospitals and physicians are unable to process insurance claims, says Russ Thomas, CEO of Availity, a health care tech company that facilitates communication between health plans and providers and processes claims. “Change has providers that, after two weeks of not being able to bill, are sitting on hundreds and hundreds of millions of dollars of stuck claims,” he notes.

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” says Andrew Witty, CEO of UnitedHealth Group, in the update. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”

What happened

Change Healthcare announced on Feb. 29 that a notorious ransomware group, ALPHV, or BlackCat, claimed responsibility for the breach.

Change first acknowledged the attack on Feb. 21. Billing and care-authorization portals have been affected across the country.  

“Ransomware typically starts when someone in the organization clicks on a phishing link and it spawns some software that will give hackers access to the network of the company,” explains Frank McKenna, chief strategist for the San Diego–based fraud detection company Point Predictive. “From there, the hackers will infiltrate and then actually encrypt systems and download data so that the company cannot operate. They then reach out and demand payment.” 

The ALPHV/BlackCat gang is particularly pernicious in the world of cybercrime; the U.S. Department of State announced last month that it is offering a $10 million reward for information leading to the identity or location of ALPHV/BlackCat leaders, as well as up to $5 million for information leading to the arrest or conviction of any of the gang’s affiliates.

Change Healthcare hasn’t said publicly whether it paid or negotiated a ransom. But the word in the cybersecurity community is that it paid BlackCat $22 million, McKenna says. The ransom may have been paid for a decryption key that would allow the company to access its sensitive data and systems and to prevent the gang from releasing the data to the public, McKenna explains.​

Ransomware attacks a growing threat

Cybersecurity experts say ransomware attacks have increased substantially in recent years. The cryptocurrency-tracing firm Chainalysis’ annual crime report revealed that ransomware payments exceeded a record $1 billion in 2023, based on its tracking of cryptocurrency transactions. The report noted that last year, “ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies.”

Health care systems are frequent targets, McKenna says, “because the level of information about customers is very expansive,” making their data extremely valuable.

The Change Healthcare attack comes on the heels of an attack in late January on a children’s hospital in Chicago, which had to take phone, email and medical records systems offline.

In December, HHS reported a 93 percent increase in large breaches reported to the HHS Office for Civil Rights (OCR) from 2018-2022, with a 278 percent increase in large breaches involving ransomware. It released a concept paper for dealing with rising cybersecurity threats, including “working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity.”

With reporting from AP