The Change Healthcare Breach: What Happened and How Could It Be Prevented

In February 2024, Change Healthcare was hacked by a ransomware gang that stole personal health data belonging to, according to parent company UnitedHealth, a “substantial proportion of people in America.” The attack resulted in months of disruption and concern across multiple areas of the U.S. healthcare system. Ultimately, because of the seriousness of the attack and the potential risk to citizens nationwide, a House subcommittee hearing was called to take testimony and assess how the attack occurred and what could be done to prevent it from happening again. This hearing was the first time any insight had been provided into how the hackers made their way into the company’s network and how they were able to gain access to such large amounts of patient and billing data.

Who is Change Healthcare and What Do They Do?

The healthcare industry in the United States is massive, consisting of a wide range of personal medical and financial data for millions of Americans. Working under parent company UnitedHealth, a well-known healthcare insurance giant, Change Healthcare processes health insurance and billing claims for approximately half of all residents in the country. In May 2024, three months after the initial attack, UnitedHealth’s CEO, Andrew Witty, testified before the committee that it would most likely take several months of continued analysis to determine which individuals were impacted by the breach so they could issue notifications.

A lot of companies use remote-access technology to allow their trusted employees to work remotely, even those that have sensitive data on their networks. Since COVID-19, more businesses have made the move to allow employees to work from home, either full or part time. Advances in technology, software, and security protocols have made it safer for companies to take advantage of all the benefits associated with remotely located staff. So how did the Change Healthcare attack happen, even with all of the available opportunities to secure the network from unauthorized remote access?

Why Was the Attack Able to Occur?

According to the information provided by the CEO of UnitedHealth, the hackers gained access by using compromised credentials to log in to a portal remotely. This remote-access system was set up to allow Change Healthcare employees to reach work computers remotely via the internal network. Unfortunately, the Change Healthcare system did not include a basic security feature that might have prevented the attack from occurring. Multifactor authentication is used to prevent the misuse of stolen passwords and credentials by requiring a secondary code to be sent to the employee’s trusted device, such as a smartphone or other mobile device.
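To make the point concrete, the following is an added example, not code from the article or from Change Healthcare: a constructed remote-access login in Python that compares a password-only check with one that also requires a time-based one-time code (TOTP, RFC 6238) from an enrolled device. The user record, salt, password and TOTP seed are all assumptions chosen for the illustration (the seed is the public RFC 6238 test vector, not a real credential). With only the stolen password, the password-only login succeeds while the MFA login fails, because the attacker never had the device-bound seed.

```python
"""Added example: why a remote-access login needs a second factor.

Constructed scenario (not Change Healthcare's actual portal): a user record
holds a salted password hash and a TOTP seed.  With only the password, the
password-only check succeeds; the MFA check still fails because the attacker
lacks the device-bound seed.  HOTP/TOTP follow RFC 4226 / RFC 6238 (HMAC-SHA1,
30-second step, 6 digits by default).
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30
PBKDF2_ROUNDS = 100_000


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


def verify_totp(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift.

    Each comparison is constant-time so the check does not leak how many
    digits of the submitted code were right.
    """
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + d), submitted)
        for d in range(-window, window + 1)
    )


# Constructed user record: constants chosen for the example, not real credentials.
PASSWORD_SALT = b"example-salt"
USERS = {
    "jdoe": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2024!", PASSWORD_SALT, PBKDF2_ROUNDS),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test seed; real seeds are random per user
    },
}


def password_ok(username: str, password: str) -> bool:
    """Salted PBKDF2 check with a constant-time comparison."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def login_password_only(username: str, password: str) -> bool:
    """The weak configuration: a stolen password is enough to get in."""
    return password_ok(username, password)


def login_with_mfa(username: str, password: str, code: Optional[str], unix_time: int) -> bool:
    """The hardened configuration: the password AND a code from the enrolled device."""
    if not password_ok(username, password):
        return False
    if code is None:  # no second factor supplied at all
        return False
    return verify_totp(USERS[username]["totp_seed"], code, unix_time)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    # An intruder holding only the stolen password:
    print("password-only portal:", login_password_only("jdoe", "Winter2024!"))        # True
    print("MFA portal, no code:  ", login_with_mfa("jdoe", "Winter2024!", None, now))  # False
    # The legitimate user, whose enrolled device generates the current code:
    device_code = totp(USERS["jdoe"]["totp_seed"], now)
    print("MFA portal, device code:", login_with_mfa("jdoe", "Winter2024!", device_code, now))  # True
```

The drift window of one step on each side is the usual compromise between tolerating slightly skewed device clocks and keeping the number of codes accepted at any moment small; a production deployment would additionally rate-limit attempts and refuse to accept the same code twice.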

According to the testimony and information provided:

  • The ransomware group used compromised credentials to gain access to the system.
  • Once they were able to get in, they moved throughout the connected systems laterally, using sophisticated methods to exfiltrate the data.
  • Nine days after the initial intrusion, on February 21, 2024, the hackers deployed their ransomware, which resulted in Change Healthcare shutting down the network in an attempt to contain the breach.
  • Ultimately, Change Healthcare decided to pay the ransom to the ransomware gang that claimed responsibility for the attack in order to regain access to the terabytes of data that were stolen.
  • The group of hackers, who call themselves BlackCat and were the second group to claim responsibility for the attack, proved their claim by posting some of the stolen data to the dark web before demanding a ransom.
  • According to UnitedHealth, the ransomware attack cost more than $870 million in the first quarter of 2024, $22 million of which was paid to the hackers.

Looking to the Future by Understanding the Past

Investigators continue to assess Change Healthcare’s security protocols and systems to gain a better understanding of the deficiencies so they can be corrected. Prevention of any future attacks is essential, as these ransomware gangs are only encouraged by big multi-million dollar payouts. The safety and security of patient data, billing information, and financial or payment data is of utmost importance. While Change Healthcare was able to sever connections with the data center as soon as the attack was discovered to prevent the malware from spreading to other UnitedHealth Group systems, the damage was already done. When it comes to cyberattacks, malware, ransomware, and viruses, the old saying “an ounce of prevention is worth a pound of cure” definitely applies.

This wasn’t the ransomware gang’s first major hack, as they have a history of gaining access to servers within multiple industries, including healthcare, government, manufacturing, hospitality, and education. They have even been involved in previous attacks where financial data and sensitive medical data were leaked. The proprietary ransomware that BlackCat uses has been recognized by the X-Force Threat Intelligence Index as a top ransomware family. It is very challenging to detect and analyze, and the group frequently attempts double extortion schemes as part of its overall attacks. The files that were compromised in this most recent attack against Change Healthcare contain what is known in the industry as protected health information, or PHI. Additionally, the hackers also retrieved personally identifiable information that could cover a substantial portion of Americans.

How Can We Prevent Future Attacks?

As more information continues to come to light about what occurred in the Change Healthcare breach, security specialists are learning more about what can be done to prevent future attacks. Following the House subcommittee meeting, much was discussed about potential threats of other large databases being hacked and how they might be stopped. One representative stated that this attack was a warning about the consequences of mega-corporations like UnitedHealth and Change Healthcare that are considered “too big to fail.” Allowing these companies to continue to absorb smaller healthcare industry businesses and put them all under one umbrella makes them an attractive target.

Business owners, managers, and IT experts around the globe should pay close attention to what happened with Change Healthcare and do everything they can to create a multi-faceted, layered approach to security, whether they use remote-access systems or not. One way to ensure that your system is as secure as possible is to partner with a service provider like Synivate, who can offer innovative technology solutions designed to protect your system and make efficiency improvements along the way. Our team of highly trained and experienced engineers and technicians can assist you in achieving your goals. Simply contact our team to speak with a consultant about your concerns or to receive a free evaluation of your existing network.

What We Do at Synivate

We offer a wide range of professional services designed to deliver a comprehensive approach to IT. Not only can we help you to maximize the potential of your current system, but we can also connect you and your team to all of the technology-based services, options, and opportunities needed to prepare your business for and carry you into the future.

Whether you require monitoring and management services to augment your existing IT department or need IT services but do not have the finances or options available to do it in-house, we can help you achieve your goals. We start by gathering information about you and your business, as well as your existing IT infrastructure, to deliver a complete assessment of what is needed to improve security by identifying vulnerabilities, gaps, and other areas at risk. If you would like to learn more about all of the services we provide, from business continuity to virtualization and everything in between, give us a call at 617-517-0704. Our team of friendly and knowledgeable consultants will work with you to find the solutions you require to protect and prepare your business for the future. We can answer any questions you might have about our services and provide you with a list of options that would suit your needs best.

We design a custom solution for each client according to their unique needs and any industry or budgetary requirements. We have helped countless small, medium, and large businesses to increase their security and maximize their potential with our innovative technology solutions. Give us a call today to find out what Synivate can do for you and your organization.

Sean Maguire