
WHO and Global Leaders Warn Against Rise of Ransomware Attacks Targeting Hospitals

 

On November 8, the World Health Organization (WHO) joined over 50 countries in issuing an urgent warning at the United Nations about the increase in ransomware attacks on healthcare systems worldwide. WHO Director-General Tedros Adhanom Ghebreyesus addressed the UN Security Council, emphasizing the critical risks these cyberattacks pose to public health and safety. He highlighted the growing frequency of attacks on hospitals, which could delay urgent care, disrupt essential services, and lead to life-threatening consequences. Calling for global cooperation, he described ransomware as an international security threat that demands a coordinated response. 

Ransomware is a form of cyberattack where hackers lock or encrypt a victim’s data and demand payment in exchange for releasing it. This form of digital extortion has escalated globally, affecting healthcare providers, institutions, and governments alike. In the healthcare sector, such attacks can be particularly devastating, compromising the safety of patients and healthcare workers. The joint statement, endorsed by nations such as Japan, South Korea, Argentina, France, Germany, and the United Kingdom, outlined the immediate dangers these attacks pose to public health and international security, calling on all governments to take stronger cybersecurity measures. The U.S., represented by Deputy National Security Adviser Anne Neuberger, directly blamed Russia for allowing ransomware groups to operate freely within its borders. 

According to Neuberger, some countries knowingly permit these actors to execute attacks that impact critical infrastructure globally. She called out Moscow for not addressing cybercriminals targeting foreign healthcare systems, implying that Russia’s inaction may indirectly support these malicious groups. Additional accusations were made against North Korea by delegates from France and South Korea, who highlighted the country’s alleged complicity in facilitating ransomware attacks. Russia’s UN representative, Ambassador Vassily Nebenzia, defended against these claims, arguing that the Security Council was not the right forum to address such issues. He asserted that Western nations were wasting valuable council time and resources by focusing on ransomware, suggesting instead that they address other pressing matters, including alleged attacks on hospitals in Gaza.  

WHO and the supporting nations warn that cybercrime, particularly ransomware, requires a global response to strengthen defenses in vulnerable sectors like healthcare. Dr. Ghebreyesus underscored that without collaboration, cybercriminals will continue to exploit critical systems, putting lives at risk. The joint statement also condemned nations that knowingly enable cybercriminals by allowing them to operate within their jurisdictions. This complicity, they argue, not only endangers healthcare systems but also threatens peace and security globally. 

As ransomware attacks continue to rise, healthcare systems worldwide face increasing pressure to strengthen cybersecurity defenses. The WHO’s call to action emphasizes that nations need to take ransomware threats as seriously as traditional security issues, working together to protect both patient safety and public health infrastructure.

Timeline of the Ransomware Attack on Change Healthcare: How It Unfolded

 

Earlier this year, a ransomware attack targeted Change Healthcare, a health tech company owned by UnitedHealth, marking one of the most significant breaches of U.S. health and medical data in history.

Months after the breach occurred in February, a large number of Americans are receiving notification letters stating that their personal and health information was compromised during the cyberattack on Change Healthcare.

Change Healthcare plays a critical role in processing billing and insurance for hundreds of thousands of hospitals, pharmacies, and medical practices across the U.S. healthcare sector. Consequently, the company stores an extensive amount of sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change Healthcare has grown into one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Key Events Following the Ransomware Attack:

  • February 21, 2024: The first signs of trouble emerged when outages began affecting doctors' offices and healthcare practices, disrupting billing systems and insurance claims processing. Change Healthcare’s status page was inundated with outage notifications impacting all aspects of its business. The company later confirmed a "network interruption related to a cybersecurity issue," indicating a serious problem. In response, Change Healthcare activated its security protocols, shutting down its entire network to contain the intruders. This led to widespread disruptions across the U.S. healthcare sector. It was later revealed that the hackers had initially infiltrated the company’s systems on or around February 12.
  • February 29, 2024: UnitedHealth disclosed that the cyberattack was carried out by a ransomware gang, rather than state-sponsored hackers as initially suspected. The ransomware group, identified as ALPHV/BlackCat, claimed responsibility for the attack, boasting that they had stolen sensitive health information from millions of Americans. ALPHV/BlackCat is a Russian-speaking ransomware-as-a-service gang, whose affiliates break into victim networks and deploy malware developed by the gang's leaders. These affiliates then share the profits from the ransoms paid by victims to regain access to their data.
  • March 3-5, 2024: In early March, the ALPHV ransomware gang disappeared after collecting a $22 million ransom from UnitedHealth. The gang’s dark web site, which had claimed responsibility for the attack, was replaced with a notice suggesting that U.K. and U.S. law enforcement had taken it down, although both the FBI and U.K. authorities denied this. Signs pointed to ALPHV fleeing with the ransom in what appeared to be an "exit scam." The affiliate who executed the hack claimed that the ALPHV leadership had stolen the ransom and provided proof of a bitcoin transaction as evidence. Despite the ransom payment, the stolen data remained in the possession of the hackers.
  • March 13, 2024: Weeks into the cyberattack, the healthcare sector continued to experience outages, causing significant disruption. Military health insurance provider TriCare reported that all military pharmacies worldwide were affected. The American Medical Association expressed concern over the lack of information from UnitedHealth and Change Healthcare regarding the ongoing issues. By March 13, Change Healthcare had secured a "safe" copy of the stolen data, enabling the company to begin identifying the individuals affected by the breach.
  • March 28, 2024: The U.S. government increased its reward to $10 million for information leading to the capture of ALPHV/BlackCat leaders. The move was seen as an attempt to encourage insiders within the gang to turn on their leaders, as well as a response to the threat of having a significant portion of Americans' health information potentially published online.
  • April 15, 2024: In mid-April, the affiliate responsible for the hack formed a new extortion group called RansomHub and demanded a second ransom from UnitedHealth. The group published a portion of the stolen health data to prove their threat. Ransomware gangs often use "double extortion," where they both encrypt and steal data, threatening to publish the data if the ransom is not paid. The situation raised concerns that UnitedHealth could face further extortion attempts.
  • April 22, 2024: UnitedHealth confirmed that the data breach affected a "substantial proportion of people in America," though the company did not specify the exact number of individuals impacted. UnitedHealth also acknowledged paying a ransom for the data but did not disclose the total number of ransoms paid. The stolen data included highly sensitive information such as medical records, health information, diagnoses, medications, test results, imaging, care plans, and other personal details. Given that Change Healthcare processes data for about one-third of Americans, the breach is likely to have affected over 100 million people.
  • May 1, 2024: UnitedHealth Group CEO Andrew Witty testified before lawmakers, revealing that the hackers gained access to Change Healthcare’s systems through a single user account that was not protected by multi-factor authentication, a basic security measure. The breach, which may have impacted one-third of Americans, was described as entirely preventable.
  • June 20, 2024: On June 20, Change Healthcare began notifying affected hospitals and medical providers about the data that was stolen, as required by HIPAA. The sheer size of the stolen dataset likely contributed to the delay in notifications. Change Healthcare also disclosed the breach on its website, noting that it may not have sufficient contact information for all affected individuals. The U.S. Department of Health and Human Services intervened, allowing affected healthcare providers to ask UnitedHealth to notify affected patients on their behalf.
  • July 29, 2024: By late July, Change Healthcare had started sending letters to individuals whose healthcare data was compromised in the ransomware attack. These letters, sent by Change Healthcare or the specific healthcare provider affected by the breach, detailed the types of data that were stolen, including medical and health insurance information, as well as claims and payment details, which may include financial and banking information.