Tag Archive for: Healthcare

Ransomware Simulation & Incident Response in the Healthcare Industry



April 23, 2024


Discover how ransomware simulations and developing an incident response plan can help mitigate the disruption of a ransomware attack.


Hackers Were in Change Healthcare 9 Days Before Attack


Hackers were reportedly in the networks of UnitedHealth Group’s Change Healthcare unit for days before launching their ransomware strike.

They gained entry to the networks on Feb. 12, using compromised credentials on an application that allows staff to remotely access systems, The Wall Street Journal (WSJ) reported Monday (April 22).

During the nine days they were in the system before launching the attack on Feb. 21, they may have been able to steal “significant” amounts of data, Seeking Alpha reported Monday, citing a WSJ article.

Change Healthcare posted its first update reporting connectivity issues Feb. 21, saying that “some applications are currently unavailable” and that the company was triaging the issue.

On April 16, UnitedHealth Group CEO Andrew Witty said during an earnings call that the cyberattack cost the company $872 million.

Witty said that the incident “was straight out an attack on the U.S. health system and designed to create maximum damage,” adding: “I think we’ve got through that very well in terms of the remediation and the build back to functionality.”

In the wake of that attack, the federal government announced it is offering a $10 million reward to help identify the people behind the organization that launched the attack: the ransomware-as-a-service group ALPHV BlackCat.

In addition, U.S. Sen. Mark R. Warner, D-Va., introduced a bill that would accelerate Medicare payments to healthcare providers that have suffered a cyberattack.

The bill, the “Health Care Cybersecurity Improvement Act of 2024,” is meant to incentivize cybersecurity in the healthcare industry.

“The recent hack of Change Healthcare is a reminder that the entire healthcare industry is vulnerable and needs to step up its game,” Warner said in a March 22 press release announcing the introduction of the bill. “This legislation would provide some important financial incentives for providers and vendors to do so.”

PYMNTS Intelligence has found that 82% of eCommerce merchants endured cyber or data breaches in the last year. Forty-seven percent of those merchants said the breaches resulted in both lost revenue and lost…


Michigan healthcare organization says ransomware breached data of 185,000


A ransomware attack in late 2023 exposed the personal data of nearly 185,000 people, a nonprofit Michigan healthcare organization reported Wednesday.

Cherry Street Services, also known as Cherry Health, said in a regulatory filing that the breach occurred on December 21 and was discovered on Christmas Eve.

The data breach notification filed with the office of Maine’s attorney general said the cause was ransomware, and that the attackers had accessed financial information such as credit card numbers and related security codes or passwords. 

So far Cherry Health has identified 184,372 potential victims. It has not specified the exact nature of the attack or the ransomware group involved. The organization did not immediately respond to questions from Recorded Future News. 

Cherry Health, based in Grand Rapids, operates in six Michigan counties and “offers high-quality health care to everyone, regardless of their ability to pay.” 

In early January the organization issued a statement citing a “network disruption,” and later in the month identified the event as a “cybersecurity incident.” It continued notifying potentially affected people in February.

The 2023 holiday season saw several cyberattacks on healthcare institutions, including a Massachusetts hospital, a Seattle cancer center and an Australian provider.


New Ransomware Actor Threatens Change Healthcare


UnitedHealth Group’s Change Healthcare is facing a second extortion demand following a February ransomware attack that sent shockwaves across the sector.

When the cyber crime group BlackCat first hit the health technology and payments processing giant, the effects left patients struggling to get care and health-care providers struggling to stay afloat financially. Change Healthcare reportedly paid off the ransomware attackers in March, but now the company must decide how to respond to claims from another ransomware group, RansomHub, which says it has 4 TB of stolen data, per The Register.

That data allegedly includes personally identifying information on patients and active military personnel, as well as medical and dental records, payments and claims information and source code files for Change Healthcare software solutions, per SC Media.


Researchers have posed several theories on how RansomHub could have gotten this data, if its claims are true.

Some suggest BlackCat may have reformed under a new name and is seeking a second payout. Others suggest that former BlackCat affiliates — stiffed by BlackCat developers on their share of the original extortion — held onto the stolen data and joined up with RansomHub, The Register reports. A conversation posted by a malware resource sharing group, if genuine, adds some weight to the latter theory, per SC Media.

Possibly, RansomHub could have separately compromised Change Healthcare. A researcher told SC Media that it is not uncommon for responders to a cyber incident to discover several threats inside a victim’s compromised environment.

Records of blockchain transactions linked to BlackCat, as well as claims on criminal forums, suggest Change Healthcare made a $22 million payment to the ransomware gang, although the company has not confirmed.

BlackCat operated with a ransomware-as-a-service model, in which developers create malicious code and affiliates then gain access to victim networks and deploy that ransomware. If victims pay, developers and affiliates each take cuts of the earnings.

In the case of Change Healthcare, however, BlackCat may have made off with the…
