How Ransomware Fallout Is Rippling Through the US Health Care System

On Feb. 21, ALPHV/Blackcat hit payment and claims system Change Healthcare with a ransomware attack that is having widespread ramifications. The attack has left pharmacies scrambling to fill patient prescriptions and insurance providers unable to reimburse provider claims.  

Change Healthcare, owned by UnitedHealth Group (UHG), took systems offline to contain the attack, NBC News reports. It has since established “multiple workarounds to ensure provider claims are addressed and people have access to the medications and care they need,” according to a UHG statement.  

Why is this attack causing so much disruption in the health care industry? What can the cybersecurity community expect from ALPHV/Blackcat next? And how can health care prepare for the continued risk of ransomware?    

The Ransomware Attack 

Change Healthcare completes 15 billion health care transactions each year, and it touches one in three US patient records, according to its website. The cyberattack resulted in the theft of six terabytes of data, the ransomware gang claims. And the operational disruption has been severe. Patients have been forced to pay out of pocket for prescriptions, due to pharmacies’ inability to process discount cards, NBC News reports. Impacted hospitals and health systems aren’t getting paid because of the disruption to claims processing, leading to concerns that they won’t be able to make payroll.   

Related:International Operation Hits Major Ransomware Player LockBit

UHG “... cannot estimate the duration or extent of the disruption at this time,” according to an 8-K filed on Feb. 22.  

“I think the longer it goes, the more we’re going to find out about how the other systems will probably break. We'll have more inconveniences for the patient, and then again at the bigger level macro level, I think we're going to see more hospitals having financial issues because of the inability to be paid,” says Errol Weiss, chief security officer at Health-ISAC (Information Sharing and Analysis Center), a cyber threat intelligence sharing nonprofit. 

This attack should serve as an awakening regarding the interconnectedness and complexity that exists in the US health care system, according to Weiss. “We as a sector, we as a society here in the US, need to do a better job of identifying these critical interdependencies,” he tells InformationWeek.  

With workarounds in place, Change Healthcare has been able to process 3 million pharmacy transactions, with more being done each day, according to UHG’s updates page. On the claims side, it is up to 90% flow.  

While the health care industry is still reeling from the fallout, it is unclear how exactly the attack was carried out. Security researchers have pointed to the ConnectWise ScreenConnect vulnerabilities exploited earlier this month. Health-ISAC shared in a Feb. 26 bulletin that cyber intelligence company RedSense identified Change Healthcare as a victim of the CVE-2024-1708 and CVE-2024-1709 vulnerabilities. On Feb. 27, ConnectWise published a statement stating it “is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare.” 

Related:Will More Threat Actors Weaponize Cybersecurity Regulations?

An ALPHV/Blackcat Comeback 

UHG confirmed that ALPHV/Blackcat is behind the cyberattack. UHG allegedly paid a $22 million ransom, according to Reuters. ALPHV/Blackcat’s attack on Change Healthcare marks a significant return for the group following disruption by law enforcement in December 2023.  

“You can look at the Change Healthcare hit as a bit of a response from Blackcat to what the FBI … takedown was,” says Nic Finn, senior threat intelligence consultant at GuidePoint Security, a cybersecurity consulting services company. 

Following the attack on Change Healthcare, the ransomware group appears to be burning down its own infrastructure. ALPHV/Blackcat administrators have been accused of keeping the $22 million ransom to themselves, cutting out their affiliates.  

Related:2023 Ransomware Payments Hit $1.1B Record

“I think it’s still too early to say whether there’s actually infighting and we’re about to see the demise of ALPHV/Blackcat, or if this is more their craft of sending out misinformation,” says Marc Bleicher, CTO of cybersecurity company Surefire Cyber.  

The ransomware group’s leak site has been shut down, and it has put its ransomware-as-service source code up for sale at $5 million. Experts believe this move to be an exit scam. The group blamed the FBI for shutting its doors, but law enforcement confirmed it has not been involved in recent disruption of the group’s operations, according to Bleeping Computer.  

“Now that they’ve had a successful takedown at that scale, and it looks like they're kind of selling off all their assets. They’re even stealing from their own affiliates, and they’re just exit scamming pretty much everyone involved so that they can probably get away from this before they get caught,” says Finn.  

If ALPHV/Blackcat follows past patterns, it is possible the group could resurface. “I personally do think that we’re about to see a rebrand,” says Bleicher. “This is in their history.” ALPHV/Blackcat is linked to BlackMatter/DarkSide, the ransomware group behind the Colonial Pipeline cyberattack.  

If the group’s administrators did take off with the $22 million ransom as it suspected, it has likely burnt the bridge with its affiliates.  

“The affiliates are probably going to move on to other groups. Some of them definitely might splinter off and create their own variants … especially the ones that have that lost money to ALPHV,” says Finn. “It's not too likely that they’re going to go to some other ransomware as a service group and risk having their money, their ransoms, stolen from them by those groups as well.” 

Health Care and Ransomware Risk 

Of the 5,559 global ransomware events Health-ISAC tracked in 2023, 459 occurred in the health care sector, according to the 2023: Q4 Cybersecurity Trends and Threats in the Healthcare Sector report.  

In the past, some ransomware groups have given health care organizations a pass. When the children’s hospital SickKids was hit with LockBit ransomware in 2022, the ransomware group publicly apologized, published a decryptor, and blocked the affiliate behind the attack. That leniency has not seemed to last. In 2024, LockBit claimed responsibility for an attack on a Chicago children’s hospital with no intention of backing down. Now, the Change Healthcare ransomware attack has had a significant impact on not just a single hospital or health system but many health care providers.  

“I think that when we see events like this happening … it just underscores the fact that they're [ransomware groups] willing to go after any organization … if they can generate a buck doing that, and we’ll continue to see that,” says Weiss.  

UHG has set up a temporary funding assistance program via Optum Financial Services to support impacted providers. Health care is a critical infrastructure sector, and questions have arisen about the role government should play in supporting health care entities as they navigate this kind of fallout.   

“I’d much rather see UHG focusing on restoration efforts and getting systems back up and running and not have to worry about the logistics and implications of putting together a loan program to try to help out their customers and partners,” says Weiss. “So, I would look to HHS to step in to be able to do something like that to help carry that cash-flow problem.” 

The US Department of Health and Human Services (HHS) released a statement on the cyberattack, detailing ways that the Centers for Medicare and Medicaid Services (CMS) can help providers. 

The American Hospital Association (AHA) has responded: “The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it. The measures announced today do not do that and are not an adequate whole of government response.”  

The AHA, a trade group representing hospitals and health care networks, continued its statement by stressing its plans to work with Congress.  

The Ongoing Battle 

The attack on Change Healthcare is a stark example of how high the financial and human cost ransomware can be in the health care space. And these attacks are not going to stop. “The attacks, I think, will get more sophisticated, and they will continue to be successful because organizations across the board -- not just health care -- are just underfunded, under-resourced when it comes to cybersecurity,” says Weiss.  

Operating with ongoing risk, vulnerability management and incident response planning are vital for health care cybersecurity leaders and their organizations. “It really just comes down to the fundamentals when we talk about incident response, having valid backups, having really good controls, being able to identify incidents,” says Finn. “You have to expect that something like this can happen to you, and you have to have a plan in place to quickly address it and remediate it.”