Episode Description

Forecast = Expect continued turbulence in the healthcare sector with a high chance of regulatory scrutiny and potential for scattered patient data leaks.

On this episode of Storm⚡️Watch we revisit the Change Healthcare cyberattack, which continues to have major impacts across the U.S. healthcare system. The attack, discovered in February 2024, was carried out by the ALPHV/BlackCat ransomware group and has disrupted healthcare operations nationwide. The breach potentially compromised sensitive data for up to one-third of the U.S. population, including personal information, health records, and financial data. Change Healthcare and UnitedHealth Group have faced criticism for their handling of the incident, including a delayed public disclosure. The attack has highlighted vulnerabilities in centralized healthcare data systems and the need for stronger cybersecurity measures industry-wide.

In the Tool Time segment, the hosts will discuss OpenSSF Siren, a new resource to help keep open source projects safe.

We close out the episode covering recent cybersecurity trends and active campaigns in the Tag Roundup section, and provide an update on known exploited vulnerabilities (KEVs) that organizations should be aware of.

About the Change Healthcare Cyberattack

The Change Healthcare cyberattack, discovered on February 21, 2024, is considered one of the most impactful healthcare data breaches in history. The attack, attributed to the ALPHV/BlackCat ransomware group, has caused widespread disruption to healthcare operations across the United States, affecting patient care, claims processing, and financial operations for hospitals, insurers, pharmacies, and medical groups.

The initial breach occurred on February 12, 2024, when attackers exploited a Change Healthcare Citrix remote access portal lacking multi-factor authentication (MFA). Using stolen credentials, they gained unauthorized access and remained undetected for nine days. During this time, the hackers moved laterally within the network, gradually exfiltrating massive amounts of sensitive data before deploying ransomware on February 21.
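The access path described above (a password-only login to a remote access portal, followed by a long undetected dwell) is the kind of condition a defender can audit for directly in authentication logs. The following is an added example, not code from the episode or from GreyNoise: it runs a small audit over constructed portal authentication events, flags successful logins that carried no second factor, lists the portals that accepted them, and estimates how long such a session went on. The event fields, user names and portal labels are all hypothetical.

```python
"""Added example (not from the episode or GreyNoise): audit constructed
remote-access authentication events for successful logins with no verified
second factor, and measure how long such activity persisted.
All events, field names and portal labels below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    portal: str
    result: str   # "success" or "failure"
    mfa: bool     # True only if a second factor was verified


# Constructed sample log. The "citrix-remote" portal accepts a password alone,
# so the service account's logins never carry a second factor.
EVENTS = [
    AuthEvent(datetime(2024, 2, 12, 3, 14), "svc-billing", "citrix-remote", "success", False),
    AuthEvent(datetime(2024, 2, 12, 9, 2), "alice", "citrix-remote", "success", True),
    AuthEvent(datetime(2024, 2, 13, 1, 40), "svc-billing", "citrix-remote", "success", False),
    AuthEvent(datetime(2024, 2, 14, 8, 5), "bob", "vpn-gw", "failure", False),
    AuthEvent(datetime(2024, 2, 21, 4, 0), "svc-billing", "citrix-remote", "success", False),
]


def logins_without_mfa(events):
    """Successful logins where no second factor was verified."""
    return [e for e in events if e.result == "success" and not e.mfa]


def portals_missing_mfa(events):
    """Portals that have accepted at least one password-only login."""
    return sorted({e.portal for e in logins_without_mfa(events)})


def dwell_days(events, user):
    """Days between a user's first and last password-only login.

    A rough proxy for how long unchallenged access went unnoticed; 0.0 if the
    user never logged in without a second factor."""
    hits = [e.ts for e in logins_without_mfa(events) if e.user == user]
    if not hits:
        return 0.0
    return (max(hits) - min(hits)) / timedelta(days=1)


if __name__ == "__main__":
    for e in logins_without_mfa(EVENTS):
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:<12} {e.portal:<14} no second factor")
    print("portals accepting password-only logins:", portals_missing_mfa(EVENTS))
    print("svc-billing unchallenged access span (days):", round(dwell_days(EVENTS, "svc-billing"), 2))
```

The useful output here is the portal list rather than the individual hits: any remote access portal that appears in it is one where a stolen password alone is sufficient, which is the control gap the summary above attributes to the initial intrusion.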

The compromised data potentially includes personal details, health insurance information, medical records, billing and claims data, and sensitive personal information like Social Security numbers for up to one-third of the U.S. population. The full extent of the data breach is still being determined, but it's estimated to affect a "substantial proportion of people in America."

The attack caused significant disruptions to critical healthcare systems. Providers reported difficulties in verifying patient eligibility, filling prescriptions electronically, and receiving reimbursements from insurers. Many healthcare organizations were forced to implement manual workarounds, increasing administrative burdens and potentially impacting patient care. Small and mid-sized practices were particularly vulnerable due to their reliance on reimbursement cash flow.

Change Healthcare and its parent company, UnitedHealth Group, responded by immediately disconnecting affected systems and engaging cybersecurity firms to investigate the breach. UnitedHealth Group advanced over $2 billion to healthcare providers to mitigate financial disruptions and launched a temporary funding assistance program. By March 18, 2024, 99% of pharmacy network services were restored, and major clearinghouse platforms began to be reinstated by March 22.

The breach has sparked discussions about the vulnerability of centralized healthcare data processors and the need for more robust cybersecurity measures in the industry. It has also highlighted the importance of implementing multi-factor authentication, continuous monitoring, and rapid incident response capabilities.

Change Healthcare faced criticism for its delayed public disclosure of the data breach, raising concerns about compliance with the HIPAA Breach Notification Rule. The company plans to begin notifying affected individuals in late July 2024 and will offer two years of complimentary credit monitoring and identity theft protection services.

The incident has underscored the need for healthcare organizations to prioritize cybersecurity, implement strong authentication measures, and develop comprehensive incident response and business continuity plans. It has also emphasized the importance of third-party risk management and the potential benefits of more distributed healthcare data systems to reduce the impact of centralized breaches.
