Change Healthcare Ransomware Attack Spotlights Single Point of Failure with Third-Party Vendor

A core claims-processing unit of UnitedHealth Group was hit with a ransomware attack that cost some hospitals millions of dollars a day 

The ongoing cyberattack on Change Healthcare, a major player in medical claims processing in the United States, had profound repercussions across the healthcare sector. With the company forced to disconnect over 100 systems, medical claims processing ground to a halt. This disruption, termed by the president and chief executive of the American Hospital Association as “the most serious incident of its kind” in healthcare, brought many medical providers to the brink of closure. 

An AHA survey of 1,000 hospitals found that 60% of respondents said the impact on revenue was $1 million or more a day.

On February 21, Change Healthcare began experiencing a cybersecurity issue and isolated its systems to prevent further impact. The company, a subsidiary of United Healthcare, is the largest clearinghouse for insurance billing and payments in the U.S. The attack, which is still ongoing, has already had profound consequences across the healthcare sector. Change later disclosed that it had been impacted by a ransomware attack claimed by the threat actor group BlackCat/ALPHV and allegedly paid a ransom payment of roughly $22 million USD (in the form of 350 Bitcoins). 

BlackCat: The group behind the hack

SecurityScorecard’s Threat Research STRIKE Team has tracked BlackCat for years, outlining the group’s exploits multiple times (read this post for more information). BlackCat targeting healthcare organizations is nothing new; in January 2023, SecurityScorecard’s threat researchers investigated the group’s targeting of an electronic health record (EHR) vendor. 

The BlackCat ransomware-as-a-service operation, also known as ALPHV, first surfaced in November 2021. It is widely understood to be a successor to the BlackMatter operation, which succeeded the DarkSide ransomware group and achieved widespread notoriety for its role in the Colonial Pipeline attack.

Since its appearance, the group has targeted U.S. organizations particularly heavily, including local governments and educational institutions. Although a spokesperson for BlackCat has declared that the group would not target medical institutions, the U.S. Department of Health and Human Services (HHS) identified BlackCat as a threat to the health sector on January 12, 2023.

RaaS groups and repeat extortion attempts

In the last few days, a different threat actor group has initiated another extortion attempt against Change Healthcare. The Ransomware-as-a-Service (RaaS) group RansomHub has listed Change on its leak site and claims to be in possession of 4TB of stolen data. The group is threatening to make the data public unless a ransom is paid. According to RansomHub, former members of the BlackCat group have now joined its ranks. 

Double extortion 

Though extremely concerning, cyber experts are unsurprised that Change is being extorted a second time. If the company did indeed make its original ransom payment relatively quickly back in early March, cybercriminals may believe that it is willing to make additional payments to keep its customers’ information private.

Additionally, ransomware groups are increasingly causing major disruptions to the digital supply chain and, by extension, the world economy. SecurityScorecard’s recent Global Third-Party Cyber Breach report found that more than 29% of all breaches are attributable to a third-party vector. According to the report, the healthcare industry has emerged as the most popular target for third-party breaches. This is most likely because this field, in particular, has more numerous, diverse, and specialized third-party relationships that enable third-party breaches. Simply put: they have more third-party risk because they have more third parties. 

The danger of concentrated cyber risk

This ongoing cyberattack highlights the reliance of many healthcare providers on Change Healthcare for claims processing. This reliance created a single point of failure, leaving physician-owned medical groups, psychiatry practices, and private practitioners across the U.S. stranded as their cash flow dried up. Faced with such financial strain, many healthcare organizations were forced to take drastic measures – including staff furloughs and dipping into personal funds to meet payroll.

According to our Global Cyber Resilience Scorecard study, ten threat actor groups are responsible for 44% of global cyber incidents. The prevalence of just a few groups being responsible for such large-scale supply disruptions points to much larger concerns about the concentration of risk in the global economy. 

75% of third-party breaches targeted the software and technology supply chain. 

– SecurityScorecard Global Third-Party Breach Report, 2024

STRIKE Team recommendations to stay safe

In the wake of this incident, corporate security executives are doubling down on efforts to bolster supplier oversight and cybersecurity measures. Every organization must scrutinize its data security practices, assess third- and fourth-party access to sensitive data, and identify critical vendors essential to revenue. Additionally, organizations should take the following steps to boost not only their cybersecurity but that of their vendors:

• Identify and monitor both internal systems and your third-party ecosystem, update software regularly, and advise your third parties to do the same. 
• Early in the reporting surrounding the Change Healthcare incident, claims that it had involved the exploitation of vulnerabilities in ConnectWise’s ScreenConnect software surfaced. Although SecurityScorecard has not been able to confirm these claims using its internal data, they may nonetheless highlight the importance of rapidly mitigating new vulnerabilities and identifying possibly affected services throughout your ecosystem.
• Don’t pay ransoms to ransomware operators or attackers, if you can avoid it. These criminals might not keep their word and still might be unable or unwilling to decrypt encrypted files, or they might sell your data anyway. Furthermore, paying a ransom suggests to threat actors that you are vulnerable to extortion attempts and, and a more desirable target for future attacks.