Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Change Healthcare. Show all posts
User Privacy
BlackCat Change Healthcare Data Breach Medical Data User Privacy

UnitedHealth Claims Data of 100 Million Siphoned in Change Healthcare Breach

 

UnitedHealth has acknowledged for the first time that over 100 million people's personal details and healthcare data were stolen during the Change Healthcare ransomware assault, making it the largest healthcare data breach in recent years. 

During a congressional hearing in May, UnitedHealth CEO Andrew Witty warned that the attack had exposed "maybe a third" of all Americans' medical data.

A month later, Change Healthcare issued a data breach notification, stating that the February ransomware assault had exposed a "substantial quantity of data" for a "substantial proportion of people in America.” 

Last week, the U.S. Department of Health and Human Services Office for Civil Rights data breach portal increased the overall number of affected people to 100 million, marking the first time UnitedHealth, Change Healthcare's parent company, published an official number for the breach. 

Change Healthcare has sent out data breach alerts since June stating that a huge amount of sensitive information was stolen during the February ransomware assault, including: 

  • Health insurance information (including primary, secondary, or other health plans/policies, insurance firms, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); 
  • Health information (such as medical record numbers, providers, diagnoses, medications, test results, images, care, and therapy); 
  • Personal information may include billing, claims, and payment information, as well as Social Security numbers, driver's licenses, state ID numbers, and passport numbers.

The information may differ for each person, and not everyone's medical history was disclosed. 

Change healthcare breach 

This data breach was prompted by a February ransomware attack on UnitedHealth subsidiary Change Healthcare, which resulted in severe outages across the US healthcare system. 

The disruption to the company's IT systems prevented doctors and pharmacists from filing claims, as well as pharmacies from accepting discount prescription cards, forcing patients to pay full price for their drugs.

The attack was carried out by the BlackCat ransomware group, also known as ALPHV. They used stolen credentials to get access to the company's Citrix remote access service, which did not have multi-factor authentication activated. 

During the attack, threat actors took 6 TB of data and ultimately encrypted network devices, forcing the organisation to shut down IT infrastructure in order to prevent the attack from propagating further.

UnitedHealth Group acknowledged paying a ransom to get a decryptor and have the threat actors delete the stolen data. The alleged ransom payment was $22 million, according to the BlackCat ransomware subsidiary that carried out the attack.

This ransom payment was meant to be shared between the affiliate and the ransomware operation, but the BlackCat abruptly stopped down, taking the entire payment and committing an exit scam. 

However, this was not the end of Change Healthcare's issues, since the affiliate claimed to still have the company's data and did not delete it as agreed. The affiliate collaborated with a new ransomware operation known as RansomHub and began releasing some of the stolen data, demanding an additional payment for the data not to be leaked.

The Change Healthcare entry on RansomHub's data breach site inexplicably removed a few days later, suggesting that UnitedHealth paid a second ransom demand. 

UnitedHealth said in April that the Change Healthcare ransomware assault resulted in $872 million in losses, which were included in Q3 2024 earnings and are estimated to total $2.45 billion for the nine months ending September 30, 2024.
Read more »
U.S. health data breach
ALPHV Blackcat Ransomware Change Healthcare cybersecurity in healthcare Data Breach healthcare data breach Ransomware attack timeline U.S. health data breach

Timeline of the Ransomware Attack on Change Healthcare: How It Unfolded

 

Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.

Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.

Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Key Events Following the Ransomware Attack:

  • February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
  • February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data
  • March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
  • March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
  • March 28, 2024:The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
  • April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
  • April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
  • May 1, 2024:UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
  • June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to request UnitedHealth to notify affected patients on their behalf.
  • July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.
Read more »
United Health
Change Healthcare Data Breach Data Leak Ransomware United Health

Behind the Breach: Understanding the Change Healthcare Cyberattack

Behind the Breach: Understanding the Change Healthcare Cyberattack

Change Healthcare, a company that handles medical billing, claims processing, and other critical healthcare functions, fell victim to a sophisticated cyberattack. The attackers gained unauthorized access to the company’s systems, compromising a vast amount of sensitive data.

The Breach

UnitedHealth has disclosed for the first time what types of medical and patient data were stolen in the huge Change Healthcare ransomware assault, claiming that data breach notifications will be sent out in July.

On Thursday, UnitedHealth issued a data breach notification, saying that the ransomware attack exposed a "substantial quantity of data" to a "substantial proportion of people in the US."

While UnitedHealth has not disclosed how many people were affected, CEO Andrew Witty indicated during a congressional hearing that "maybe a third" of all Americans' health data was compromised in the hack.

But what exactly was stolen?

Personal Details: The stolen information includes personal identifiers such as names, addresses, and Social Security numbers. These details are valuable for identity theft and fraudulent activities.

Government Identity Documents: The breach exposed government-issued identification documents, such as driver’s licenses and passports. This poses a significant risk to affected individuals, as criminals can misuse these documents for various purposes.

Health Records: The most concerning aspect is the exposure of health records. These records contain diagnoses, treatment plans, medications, test results, and other confidential medical information. Imagine the consequences if this data falls into the wrong hands.

Impact and Ramifications

The impact of the Change Healthcare breach is far-reaching:

Individuals: Patients whose data was compromised face potential harm. Their privacy is violated, and they may suffer financial losses due to identity theft. Moreover, health-related information can be exploited for targeted scams or even blackmail.

Healthcare Providers: Change Healthcare’s reputation is tarnished, and trust among healthcare providers is eroded. The breach highlights vulnerabilities in the industry, prompting urgent security improvements.

Regulatory Compliance: The breach triggers legal obligations. Change Healthcare must notify affected individuals, regulators, and relevant authorities. Compliance with data breach notification laws is crucial.

What have we learned so far?

  • Encryption: Encrypt sensitive data both at rest and during transmission. Encryption ensures that the data remains unreadable even if attackers gain access without the decryption key.
  • Access Controls: Implement strict access controls—limit who can access sensitive data and regularly review permissions. Unauthorized access should trigger alerts.
  • Employee Training: Educate employees about cybersecurity best practices. Phishing attacks often exploit human vulnerabilities. Regular training can prevent such incidents.
  • Incident Response Plan: Have a robust incident response plan in place. Quick detection, containment, and recovery are essential to minimize damage.

Read more »
United Health
ALPHV/BlackCat Change Healthcare cyber attack Ransomware United Health

Ransomware Attack Targets Healthcare Giant, Change Healthcare

 


A recent cyberattack on Change Healthcare, a subsidiary of United Health, has led to a distressing data extortion situation, further complicating an already tumultuous ordeal. Let's delve into the details to understand the gravity of the situation and its potential repercussions.


Background

In February, Change Healthcare fell victim to a cyberattack, causing significant disruptions in the US healthcare system. The attack, attributed to the BlackCat/ALPHV ransomware operation, resulted in the theft of approximately 6 TB of data.


Double Extortion Tactics

Following intense pressure from law enforcement, the BlackCat gang abruptly shut down their operation amidst allegations of an exit scam. Subsequently, an affiliate named "Notchy" joined forces with the RansomHub gang to engage in a double extortion scheme against Change Healthcare. Despite rumours of a ransom payment, the threat actors are now threatening to release the stolen data unless their extortion demands are met.


Data Leak and Implications

Screenshots of purportedly stolen data, including corporate agreements and sensitive patient information, have begun circulating online. The leaked information not only jeopardises the privacy of individuals but also raises concerns about potential financial repercussions for Change Healthcare and its affiliates.


Response and Investigation

Change Healthcare has refrained from commenting on the situation, leaving many questions unanswered. Meanwhile, the Department of Health and Human Services has launched an investigation into the incident to assess potential breaches of healthcare data regulations.


Financial Fallout

The fallout from the cyberattack has hit hard financially, with UnitedHealth Group revealing substantial losses of $872 million during the first quarter of this year. These losses cover not only the direct costs of responding to the attack but also the wider disruptions it caused across the company's operations. Additionally, the timing of public sector cash receipts has been affected, further exacerbating the financial impact. Furthermore, UnitedHealth Group disclosed that it had advanced approximately $3 billion to healthcare providers whose finances were disrupted by the attack.


With data security at the forefront of public discourse, it underscores the growing threat posed by ransomware attacks in critical sectors such as healthcare. The need for robust cybersecurity measures and proactive response strategies has never been more apparent, as organisations grapple with the devastating consequences of data breaches and extortion attempts.


Read more »
Threat Landscape
American HealthCare Change Healthcare Cyber Attacks Ransomware attack Threat Landscape

Change Healthcare Detects Ransomware Attack Vector

 

The cyberattack's widespread destruction underscores how threat actors can do significant damage by targeting a relatively unknown vendor that serves a vital operational function behind the scenes.

The AlphV ransomware group disrupted basic operations to the critical systems of US healthcare services by attacking a vital financial and claims processing link in a highly interconnected industry. The outage and cascading effects of the cyberattack on the healthcare IT systems continued into the fourth week on Thursday.

UnitedHealth Group reported unauthorised access on its systems on February 21. The reconnecting and testing of Change's claims systems will be completed in phases next week.

The US Department of Health and Human Services launched an inquiry into the incident on Wednesday to investigate whether protected health information was stolen and if Change met privacy and security standards. 

The department's Office for Civil Rights (OCR) announced the investigation in a letter on Wednesday, with Director Melanie Fontes Rainer writing that it was necessary to look into the situation "given the unprecedented magnitude of this cyberattack, and in the best interests of patients and health care providers." 

The statement comes following a crisis meeting on Tuesday with White House officials, medical sector leaders, HHS Secretary Xavier Becerra, and Andrew Witty, CEO of UnitedHealth Group, Change Healthcare's parent company. 

According to Fontes Rainer, the investigation will focus on whether protected health information was compromised and if Change Healthcare and UHG followed Health Insurance Portability and Accountability Act (HIPAA) requirements. 

“OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary. While OCR is not prioritizing investigations of healthcare providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” Rainer said. 

The American Hospital Association referred to the attack as the most significant and consequential incident of its kind against the U.S. healthcare system in history.
Read more »
Ransomware attack
American HealthCare Change Healthcare Cyber Attacks Medical Data Ransomware attack

UnitedHealth's Cyberattack Should Serve as a 'Wake-up Call' for HealthCare Sector

 

The US Health and Human Services Department (HHS) announced Tuesday that it would assist doctors and hospitals in locating alternate claims processing platforms to help restart the flow of business following a cyberattack on a UnitedHealth Group (UNH) subsidiary that crippled operations of a large swath of America's health systems for the past two weeks. 

On February 21, a cyberattack paralysed Change Healthcare, which hospitals, doctors' offices, and pharmacies use to handle payments and prior authorizations for patient visits and medicines.

United gave a lengthy status update Tuesday afternoon, stating that the attack was carried out by BlackCat, a well-known Russian-backed ransomware outfit. 

The FBI was aware of BlackCat, also known as ALPHV, and was successful in breaching the group at the end of last year, but was unable to put it down. BlackCat has previously targeted a number of healthcare companies. It claimed to have collected up to 6 gigabytes of data during the last attack, and that it received $22 million in bitcoin, a transaction visible on the blockchain, but it is still being determined where it came from. 

Based on the most recent statistics, 90% of claims are still being processed for health providers, and pharmacies should be fully operational by Thursday, UHG explained in a statement Tuesday.

Additionally, the company noted, "We've made progress in providing workarounds and temporary solutions to bring systems back online in pharmacy, claims and payments." 

While smaller systems that rely heavily on Change Healthcare are suffering, larger systems with many vendors or the financial capacity to quickly switch to another provider are less affected. 

"This may be the first of its kind, where an outage at the interoperability layer weakens the capacity of the system to function," stated Aneesh Chopra, former US chief technology officer and currently co-founder and president of CareJourney, a healthcare analytics company. "This is a wake-up call on the need for redundancy in systems so we have backup options when a particular vendor goes down.” 

Third-party risks 

Tech platforms have had difficulty allowing their software to interact with each other and provide seamless connectivity for health systems due to regulations safeguarding patient data. However, newer products have made interoperability easier to achieve, which also makes them more susceptible to attacks. 

United's attack makes sense for that reason because it choked off a key mechanism in the inner workings of the system. The change enables several healthcare system companies to handle payments and claims. For example, CVS (CVS) reports that 25% of its claims are processed using Change.

This is in stark contrast to earlier attacks that target specific organisations, such as insurance and hospitals, and affect only one aspect of the system. 

United is also a tempting target because its Optum brand comprises Optum Financial, a different division of UHG that operates a number of payment systems.
Read more »
Websites
Attack Blackcat hackers Change Healthcare critical infrastructure providers Data Breach digital decryption keys Extortion Hospitals International law enforcement seizure Websites

Notorious Hacker Group Strikes US Pharmacies

In December, international law enforcement targeted a gang, leading to the seizure of various websites and digital decryption keys, as reported by Reuters. In response to this crackdown, the Blackcat hackers threatened to extort critical infrastructure providers and hospitals.

A recent attack on Change Healthcare, resulting in its parent company UnitedHealth Group disconnecting its systems to prevent further impact, has caused disruptions in prescription insurance claims, according to the American Pharmacists Association. This outage, which has persisted through Tuesday, is attributed to a notorious hacker group, as per a new report.

The outage at Change Healthcare, which handles payment management for UnitedHealth Group, was caused by a ransomware attack by hackers associated with Blackcat, also known as ALPHV, according to Reuters, citing anonymous sources. Blackcat has been involved in several recent high-profile data breaches, including attacks on Reddit, Caesars Entertainment, and MGM Resorts.

As a result of the breach, pharmacies nationwide are facing significant delays in processing customer prescriptions. Change Healthcare stated they are actively working to restore the affected environment and ensure system security.

UnitedHealth Group mentioned that most pharmacies have implemented workarounds to mitigate the impact of the outage on claim processing. The company expressed confidence that other data systems in its healthcare portfolio were unaffected by the breach.

While last week's breach was suspected to be "nation-state-associated," according to an SEC filing by UnitedHealth, it's uncertain if the group responsible was sponsored by foreign actors. Cybersecurity firms Mandiant and Palo Alto Networks, appointed by UnitedHealth, will lead the investigation into the breach.
Read more »
Subscribe to: Posts (Atom)