US Govt Probes if Ransomware Gang Stole Change Healthcare Data

The U.S. Department of Health and Human Services (HHS) is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealth Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. The investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent. UnitedHealth Group confirmed in late February that Change Healthcare systems and services were shut down after a cyberattack by "nation-state" hackers, which was later linked to the BlackCat (ALPHV) ransomware gang.

Even though UHG has brought some of the impacted systems back online after the crippling February ransomware attack, the resulting outage is still impacting operations across the U.S. healthcare industry; the company estimates that it will be able to revive its payments platform on March 15 and its medical claims network and software on March 18. The investigation follows the BlackCat ransomware gang's claims that they stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc." Earlier this month, BlackCat ransomware shut down in an exit scam amidst claims that they stole the $22 million ransom paid by Optum to the operator behind the Change Healthcare attack.

Security Officer Comments:
The fallout of the ALPHV/BlackCat ransomware attack on Change Healthcare has become the most noteworthy incident the U.S. healthcare system has ever faced, negatively affecting the ability of UHG to provide healthcare services for over two weeks. Although a variety of data was stolen during this attack, HHS' OCR is solely investigating patients' health information. In UHG's official SEC filing for this attack, UHG stated that a nation-state threat actor was behind it. However, there is no official evidence that BlackCat is linked to any foreign government. It is possible that Optum will be extorted again using the original attack's stolen data, this time by the BlackCat affiliate that was banned from the group and had his ransom stolen by other members during their recent exit scam.

Suggested Corrections:

  • Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program. One of the indicators of compromise (IoCs) reported for this attack was CVE-2024-1709.
  • Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
  • Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated. Carefully filter and limit internet access to operational networks, identify the links between these networks, and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
  • Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
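The first correction above calls for a risk-based patch program. The following Python script is an added illustration of what "risk-based" can mean in practice; it is not code from the advisory or from any of the organisations named on this page. It scores each asset/vulnerability pair by base severity, known-exploitation status, internet exposure and business criticality, and derives a patch deadline from that score. CVE-2024-1709 is the identifier named in the advisory; its severity and exploited status, the other CVE identifiers, the asset inventory and the SLA thresholds are all constructed sample values.

```python
"""Risk-based patch prioritisation over a constructed asset inventory.

Added example: scoring logic and sample data are assumptions, not the
advisory's or any vendor's own method.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    cvss: float            # base score, 0.0 - 10.0
    known_exploited: bool  # e.g. listed in a known-exploited catalogue
    product: str           # product the vulnerability applies to


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_exposed: bool
    criticality: int       # 1 (lab gear) .. 5 (mission critical)


# Constructed vulnerability feed. CVE-2024-1709 is the identifier named in the
# advisory; the score/exploited flag here and the "CVE-EXAMPLE-*" entries are
# sample values for the demonstration only.
VULNS: List[Vulnerability] = [
    Vulnerability("CVE-2024-1709", 10.0, True, "screenconnect"),
    Vulnerability("CVE-EXAMPLE-0001", 7.5, False, "screenconnect"),
    Vulnerability("CVE-EXAMPLE-0002", 5.3, False, "billing-app"),
    Vulnerability("CVE-EXAMPLE-0003", 8.8, True, "billing-app"),
]

# Constructed asset inventory (hypothetical hosts).
ASSETS: List[Asset] = [
    Asset("remote-support-gw", "screenconnect", True, 4),
    Asset("claims-db-01", "billing-app", False, 5),
    Asset("dev-sandbox", "billing-app", False, 1),
    Asset("lab-laptop", "screenconnect", False, 2),
]


def risk_score(v: Vulnerability, a: Asset) -> float:
    """Severity weighted by how much the asset matters and how reachable it is."""
    score = v.cvss * a.criticality          # 0 .. 50 before multipliers
    if v.known_exploited:
        score *= 2.0                         # active exploitation doubles urgency
    if a.internet_exposed:
        score *= 1.5                         # reachable without a foothold
    return round(score, 1)


def sla_days(score: float) -> int:
    """Patch deadline bands (sample thresholds, not a standard)."""
    if score >= 75:
        return 1
    if score >= 40:
        return 7
    if score >= 20:
        return 30
    return 90


def build_patch_queue(vulns: List[Vulnerability], assets: List[Asset]) -> List[Dict]:
    """Join feed to inventory by product and order by descending risk."""
    queue = []
    for a in assets:
        for v in vulns:
            if v.product != a.product:
                continue
            s = risk_score(v, a)
            queue.append({"asset": a.name, "cve": v.cve,
                          "score": s, "sla_days": sla_days(s)})
    # Highest score first; name/CVE as tie-breakers so output is deterministic.
    queue.sort(key=lambda r: (-r["score"], r["asset"], r["cve"]))
    return queue


if __name__ == "__main__":
    for row in build_patch_queue(VULNS, ASSETS):
        print(f'{row["score"]:6.1f}  {row["sla_days"]:2d}d  '
              f'{row["asset"]:18s} {row["cve"]}')
```

The point of the multipliers is that the same CVE lands in different SLA bands on different hosts: the internet-facing gateway carrying the known-exploited bug is due within a day, while the same bug on an isolated lab laptop gets a week. Real programs would pull the exploited flag and scores from a feed and the exposure/criticality from a CMDB rather than from literals.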
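The segmentation correction above asks that corporate and operational networks be separated, that internet access to operational networks be filtered, and that the links between the networks be known. One way to make that auditable is to express the intended cross-zone paths as an allowlist and lint the firewall policy against it. The Python below is an added example, not code or policy from the advisory or from any organisation it names; the zone names, the rules and the allowed paths are constructed for the demonstration.

```python
"""Lint a zone-based firewall policy against an allowlist of intended paths.

Added example with constructed zones, rules and allowlist; the rule model
(first match wins, trailing default deny) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or "any"
    dst: str      # zone name or "any"
    port: str     # TCP/UDP port as string, or "any"
    action: str   # "allow" or "deny"


Path = Tuple[str, str, str]   # (src zone, dst zone, port)

DEFAULT_DENY = Rule("any", "any", "any", "deny")

# The only cross-zone traffic the design permits: users reach a hardened jump
# host, and only the jump host reaches OT devices. (Constructed allowlist.)
ALLOWED_PATHS: Set[Path] = {
    ("corporate", "ot-jump", "443"),
    ("ot-jump", "ot", "22"),
}

# Flat-network policy: any corporate host reaches OT, and OT browses out.
WEAK_POLICY: List[Rule] = [
    Rule("corporate", "ot", "any", "allow"),
    Rule("ot", "internet", "443", "allow"),
    DEFAULT_DENY,
]

# Segmented policy implementing the allowlist with explicit denies.
HARDENED_POLICY: List[Rule] = [
    Rule("corporate", "ot-jump", "443", "allow"),
    Rule("ot-jump", "ot", "22", "allow"),
    Rule("internet", "ot", "any", "deny"),
    Rule("ot", "internet", "any", "deny"),
    DEFAULT_DENY,
]


def _matches(r: Rule, src: str, dst: str, port: str) -> bool:
    return (r.src in ("any", src) and r.dst in ("any", dst)
            and r.port in ("any", port))


def decide(rules: List[Rule], src: str, dst: str, port: str) -> str:
    """First-match evaluation; unmatched traffic is denied."""
    for r in rules:
        if _matches(r, src, dst, port):
            return r.action
    return "deny"


def lint_policy(rules: List[Rule], allowed: Set[Path]) -> List[str]:
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = []
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("policy does not end with an explicit default deny")
    # 1. Every allow rule must correspond to a documented path. Wildcards
    #    never appear in the allowlist, so they are flagged automatically.
    for r in rules:
        if r.action == "allow" and (r.src, r.dst, r.port) not in allowed:
            findings.append(f"undocumented allow: {r.src} -> {r.dst}:{r.port}")
    # 2. Every documented path must actually be reachable, otherwise the
    #    policy is not what the design says and workarounds will appear.
    for src, dst, port in sorted(allowed):
        if decide(rules, src, dst, port) != "allow":
            findings.append(f"documented path blocked: {src} -> {dst}:{port}")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {lint_policy(policy, ALLOWED_PATHS) or 'no findings'}")
```

Running the linter on the weak policy reports both problems the correction warns about: undocumented allow rules that let corporate hosts and the internet touch OT, and intended paths that the policy never implemented. The allowlist doubles as the inventory of "links between these networks" that the correction says should be identified.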