How Could This Happen?! A Deep Dive into the Change Healthcare Attack

Written by

Geoff Halstead

Published on

March 21, 2024

Reading time

11 min.

It’s not an aberration – it WILL happen again

As many of you have no doubt heard or read about, the healthcare system in the United States – and most of its providers and patients – has been living through one of the gravest and most damaging cyberattacks in history over the last few weeks. 

On February 21, 2024, Change Healthcare, a unit of insurance giant UnitedHealth Group’s Optum division, suffered a major cybersecurity breach by the group behind the BlackCat ransomware. This attack encrypted data on the company’s systems, holding it hostage until a ransom was paid. Change Healthcare is one of the largest health information exchange (HIE) platforms in the U.S., managing health care technology pipelines connected to tasks such as processing insurance claims and billing, payment and revenue cycle management.  The company manages 15 billion claims a year, totaling over $1.5 trillion and touching over half of all providers and patients in the United States.

The American Hospital Association calls the ransomware attack on Change Healthcare “the most significant and consequential incident of its kind against the U.S. health care system in history.” Hospitals, pharmacies, small practices and providers of all kinds were unable to process claims and payments, with catastrophic disruption of their businesses which rippled down to patients.

Although Change Healthcare has not confirmed this, security researchers have suggested that the attackers were paid a $22 million ransom in Bitcoin.

What Happened?

“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments,” UnitedHealth Group said. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

So, while this was certainly an appropriate action in the circumstances, the direct effect of it was to bring all billing and payments for care providers and patients that rely upon the Change Healthcare processing system to a complete stop:

  • Pharmacy Services: Electronic prescriptions, including claim submissions and insurance reimbursements.
  • Medical Claims: Claims network connectivity and software which helps healthcare providers with claims processing and payments as well as integrating a system for appeals management from claimants for denied claims.
  • Payments Platform: The electronic payment processing systems.

This was not a 1 or 2 day event, it took weeks to resolve – and in fact Change Healthcare cyberattack fallout continues to this day (March 19th). 

What’s the Impact of the Attack?

Many physician practices have not been able to submit claims, according to the AMA, and “a considerable proportion of revenue cycle processes have ground to a halt.” The group in a March 1 letter to HHS identified top concerns among practices since the incident, including the interruption of administrative and billing processes, practices having to take on “enormous” administrative burdens and significant data privacy fears.

The outage cost some health care providers over $100 million a day, according to an estimate from First Health Advisory, a digital health risk assurance firm.  The Massachusetts Health and Hospital Association on Monday pegged the average daily costs stemming from the attack at $24,154,000, based on a survey that reflects responses from just12 hospitals and health systems – in one state.  And that is not to mention then $22,000,000 ransom payment! 

Keep in mind not just direct costs of the hacks we have already seen, but also the costs of recovery and remediation. This attack had huge negative financial consequences for medical care providers and vendors, with impacts rippling out from there to patients – something close to half of all in the US! And of course, lawsuits have started rolling in – at least five federal lawsuits have been filed this month against the healthcare claims and payment processing company, court records show. 

Senate Majority Leader Schumer, in a March 1 letter to the federal Centers for Medicare & Medicaid Services, said Change Healthcare had suspended more than 100 services and that hospitals and other providers were facing adverse impacts on their financial solvency.

“Hospitals are struggling to process claims, bill patients, and receive electronic payments, leaving them financially vulnerable,” Schumer said. “Many hospitals are approaching a financial cliff where they will no longer be able to rely on their cash on hand.”

How did they hack it?

Alas, the Change Healthcare hack was preventable. The company negligently failed to do basic updates to software. Basically, there was a known major flaw in screen connect application (a program where IT can remotely connect to and control your computer) called ConnectWise

  • The update had been out for days and Change/UHC did not act. This allowed the hackers to simply create a new user and get full access with almost no real “hacking”. 
  • The update had been out for long enough for Change/UHC to fix it or at least deactivate screen connect and they did nothing. 

Timeline of Events by ConnectWise

In initial statements, ConnectWise tried to distance itself:

“The company is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare. We welcome the opportunity to collaborate with any cyber researcher who claims to know this situation. Security remains a top priority for ConnectWise, and our prompt response showcases our commitment to mitigating the ScreenConnect vulnerability.”

ConnectWise Statement Feb. 27, 2024

However, this vulnerability had already been widely reported with urgent warning of catastrophic mass ransomware attacks:

Yelisey Bohuslavskiy, co-founder of RedSense and Advintel, posted on LinkedIn that RedSense was able to identify, map and structure exfiltration-related telemetry for the timeline associated with the Change Healthcare attack, as well as the timeline prior to it. The RedSense findings correlate with the hypothesis put forward by First Health Advisory that the initial access was achieved via a ConnectWise vulnerability.

Subsequent investigation revealed this timeline of events:

  • On February 13th, an independent researcher reported the potential ScreenConnect vulnerability using the ConnectWise vulnerability disclosure process.
  • ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours.
  • On February 19th, ConnectWise released an official patch for all on-prem partners, posted a security bulletin to the ConnectWise Trust Center, and sent partner comms urging all partners to patch.
  • On February 19th, ConnectWise initiated contact with CISA.
  • On February 21st, ConnectWise communicated that “because cybersecurity is essential to ConnectWise and our partners as an interim step, on-prem partners not on maintenance can update to patched ScreenConnect 22.4.20001.8817 at no additional cost.”
  • On February 22nd, for precautionary measures, ConnectWise paused functionality for unpatched versions of on-prem ScreenConnect until customers update to a patched version.

More details here: 

No One Should Be Surprised 

This is not an aberration. The attack comes as experts and regulators have been sounding the alarm about cyber threats against the healthcare sector. 

Over the past five years, the HHS’ Office for Civil Rights tracked a 256% increase in large data breaches involving hacking and a 264% jump in ransomware, a type of malware that denies users access to their data until a ransom is paid.

AlphVhas recently targeted the healthcare industry, according to a bulletin released Tuesday by the HHS, the FBI and the Cybersecurity and Infrastructure Security Agency.  Since the middle of December, healthcare has been the most common victim of the prolific ransomware group, the agencies said. An AlphVadministrator called on affiliates to launch cyberattacks against hospitals after law enforcement infiltrated and shut down the group’s infrastructure.

The bottom line, as The Washington Post comprehensively reported, after years of ransomware attacks, healthcare defenses still fail.

It Will Happen Again

What we are doing is not working. Hundreds of billions of dollars are spent annually for layer upon layer of active defenses, yet not a day goes by without new headlines and personal experiences of successful attacks that continue to multiply. Yes, in this case, there was a combination of a “supply chain attack” and a specific error in human processes to defend against them. 

But that’s just the on the surface – it gets all the attention and headlines. But there are root causes for the current state of affairs which go the very foundations of how the Internet works today.

1. Centralized servers, with human access and control

The “Cloud” infrastructure that we all use today – and the security solutions that attempt to defend it – all rely upon:

  • Centralized servers
  • Centralized Certificate Authorities

These servers, certificates and people can all be compromised. Or no need to bother since certificates can be purchased on the Dark Web!

2. Everything is Visible for study and attack

With Internet Protocol, network addresses and traffic are visible, and connections are insecure by default. So the Bad Guys always have the advantage.

In this case, you can be sure that they had studied and were actively monitoring the activities and devices of admins – and any other users with the kinds of super powers that are always the achilles heel of centralized architectures. As soon as this vulnerability was discovered, they could pounce.

Or no need – thanks to this situation, there is an entire industry of initial access brokers (IABs) to do this work for them! When a vulnerability like this is announced, they started pouncing on the bugs to set up shop inside various endpoints, with the intent of selling that access to ransomware groups.

3. Data is Vulnerable

We hear a lot about the big data breaches in Cloud servers. That’s surely a problem – and the primary one here. Because it is either not encrypted or someone else has the access to and control of the keys. Once they hack into the Cloud, they can get control of everything.

But just as concerning is all the data that lies around on endpoint devices (PCs, laptops, tablets, smartphones, etc.) and in Cloud folders.

Why? Because encryption solutions are too complex and painful for end users, so they are rarely used. 

So, What Are the Take-aways for Small Practices?

Well, when it comes to protecting your business from a centralized, Cloud-based system that processes between intermediaries – in this case your invoicing and payments – probably not a lot. We need Change Healthcare and all of the enterprises that run such systems to rethink and refocus on not just active defenses – which will always fail at some point – but to adopting fundamentally sound architectures for passive cyber defense. We will speak to that in a Blog shortly.

But for small to midsized healthcare practices and vendors there are some important take-aways for thinking about an attack on your own business.

1. Yes, You Should Be Worried

Don’t kid yourself. This was a spectacular attack by some big game hunters. But the proliferation of tools and ransomware “service providers” – now powered by AI – means that they are coming after you next.

In fact, the Connectwise application is widely used by managed service providers (MSP) to connect to customer environments, so it can also open the door to threat actors looking to use those MSPs for downstream access, similar to the tsunami of Kaseya attacks that businesses faced in 2021. According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, with the majority of them located in the US.

2. Hoping You Are Not Next is Not the Answer

For most small to mid-sized business owners, just keeping business and operations running is the primary concern. When one looks at all of the potential threats, and all of the steps that are required to implement a complete and rigorous cybersecurity defense, it can be very hard to know where to start. So, far too often taking any steps gets kicked down the road. And sadly, the results of that are predictable.

3. Focus First on What Matters Most

Here is a simple guideline for the 5 easy first steps you can take to reduce the most critical vulnerabilities that are most likely to directly threaten your business and operations – whether that be a medical practice, manufacturing production line, or otherwise.

Faction Virtual Private Circuit enables you to implement ‘Zero Trust’ security for your networking, critical devices and data – and really mean it! While you can’t protect every part of your business, or stop every staff member or vendor from doing something stupid, you can actually secure the most important things by taking them OFF the Internet and into a secure, invisible network for which only YOU have the keys.

Then you can sleep at night again, and have time and energy to clean up all the loose ends later. So, what are you waiting for?

Related posts

AT&T Admits that Data of “Nearly All” Customers Was Breached in 2022

Reading Time: 2 min.

The New York Times reported today that AT&T disclosed a significant data breach affecting nearly all of its customers. The…

Read more

NSA Report Details the Extent and Effectiveness of PRC Exploitation of the Internet

Reading Time: 2 min.

The NSA release this week a comprehensive report with explicit details of the extent of the activity and ‘Tradecraft” of…

Read more

Chrome Browser Revealed to Secretly Spy on PCs

Reading Time: 1 min.

Luca Casonato 🏳️‍🌈 on Twitter / X Developer Luca Casonato posted a series of tweets on July 9. He revealed…

Read more

How Could This Happen?! A Deep Dive into the Change Healthcare Attack

It’s not an aberration – it WILL happen again As many of you have no doubt heard or read about, the healthcare system in the United States – and most of its providers and patients – has been living through one of the gravest and most damaging cyberattacks in history…

Reading Time: 11 min.

It’s not an aberration – it WILL happen again

As many of you have no doubt heard or read about, the healthcare system in the United States – and most of its providers and patients – has been living through one of the gravest and most damaging cyberattacks in history over the last few weeks. 

On February 21, 2024, Change Healthcare, a unit of insurance giant UnitedHealth Group’s Optum division, suffered a major cybersecurity breach by the group behind the BlackCat ransomware. This attack encrypted data on the company’s systems, holding it hostage until a ransom was paid. Change Healthcare is one of the largest health information exchange (HIE) platforms in the U.S., managing health care technology pipelines connected to tasks such as processing insurance claims and billing, payment and revenue cycle management.  The company manages 15 billion claims a year, totaling over $1.5 trillion and touching over half of all providers and patients in the United States.

The American Hospital Association calls the ransomware attack on Change Healthcare “the most significant and consequential incident of its kind against the U.S. health care system in history.” Hospitals, pharmacies, small practices and providers of all kinds were unable to process claims and payments, with catastrophic disruption of their businesses which rippled down to patients.

Although Change Healthcare has not confirmed this, security researchers have suggested that the attackers were paid a $22 million ransom in Bitcoin.

What Happened?

“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments,” UnitedHealth Group said. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”

So, while this was certainly an appropriate action in the circumstances, the direct effect of it was to bring all billing and payments for care providers and patients that rely upon the Change Healthcare processing system to a complete stop:

  • Pharmacy Services: Electronic prescriptions, including claim submissions and insurance reimbursements.
  • Medical Claims: Claims network connectivity and software which helps healthcare providers with claims processing and payments as well as integrating a system for appeals management from claimants for denied claims.
  • Payments Platform: The electronic payment processing systems.

This was not a 1 or 2 day event, it took weeks to resolve – and in fact Change Healthcare cyberattack fallout continues to this day (March 19th). 

What’s the Impact of the Attack?

Many physician practices have not been able to submit claims, according to the AMA, and “a considerable proportion of revenue cycle processes have ground to a halt.” The group in a March 1 letter to HHS identified top concerns among practices since the incident, including the interruption of administrative and billing processes, practices having to take on “enormous” administrative burdens and significant data privacy fears.

The outage cost some health care providers over $100 million a day, according to an estimate from First Health Advisory, a digital health risk assurance firm.  The Massachusetts Health and Hospital Association on Monday pegged the average daily costs stemming from the attack at $24,154,000, based on a survey that reflects responses from just12 hospitals and health systems – in one state.  And that is not to mention then $22,000,000 ransom payment! 

Keep in mind not just direct costs of the hacks we have already seen, but also the costs of recovery and remediation. This attack had huge negative financial consequences for medical care providers and vendors, with impacts rippling out from there to patients – something close to half of all in the US! And of course, lawsuits have started rolling in – at least five federal lawsuits have been filed this month against the healthcare claims and payment processing company, court records show. 

Senate Majority Leader Schumer, in a March 1 letter to the federal Centers for Medicare & Medicaid Services, said Change Healthcare had suspended more than 100 services and that hospitals and other providers were facing adverse impacts on their financial solvency.

“Hospitals are struggling to process claims, bill patients, and receive electronic payments, leaving them financially vulnerable,” Schumer said. “Many hospitals are approaching a financial cliff where they will no longer be able to rely on their cash on hand.”

How did they hack it?

Alas, the Change Healthcare hack was preventable. The company negligently failed to do basic updates to software. Basically, there was a known major flaw in screen connect application (a program where IT can remotely connect to and control your computer) called ConnectWise

  • The update had been out for days and Change/UHC did not act. This allowed the hackers to simply create a new user and get full access with almost no real “hacking”. 
  • The update had been out for long enough for Change/UHC to fix it or at least deactivate screen connect and they did nothing. 

Timeline of Events by ConnectWise

In initial statements, ConnectWise tried to distance itself:

“The company is unaware of any confirmed connection between the ScreenConnect vulnerability disclosed on February 19th, 2024, and the incident at Change Healthcare. We welcome the opportunity to collaborate with any cyber researcher who claims to know this situation. Security remains a top priority for ConnectWise, and our prompt response showcases our commitment to mitigating the ScreenConnect vulnerability.”

ConnectWise Statement Feb. 27, 2024

However, this vulnerability had already been widely reported with urgent warning of catastrophic mass ransomware attacks:

Yelisey Bohuslavskiy, co-founder of RedSense and Advintel, posted on LinkedIn that RedSense was able to identify, map and structure exfiltration-related telemetry for the timeline associated with the Change Healthcare attack, as well as the timeline prior to it. The RedSense findings correlate with the hypothesis put forward by First Health Advisory that the initial access was achieved via a ConnectWise vulnerability.

Subsequent investigation revealed this timeline of events:

  • On February 13th, an independent researcher reported the potential ScreenConnect vulnerability using the ConnectWise vulnerability disclosure process.
  • ConnectWise mitigated all cloud instances of ScreenConnect within 48 hours.
  • On February 19th, ConnectWise released an official patch for all on-prem partners, posted a security bulletin to the ConnectWise Trust Center, and sent partner comms urging all partners to patch.
  • On February 19th, ConnectWise initiated contact with CISA.
  • On February 21st, ConnectWise communicated that “because cybersecurity is essential to ConnectWise and our partners as an interim step, on-prem partners not on maintenance can update to patched ScreenConnect 22.4.20001.8817 at no additional cost.”
  • On February 22nd, for precautionary measures, ConnectWise paused functionality for unpatched versions of on-prem ScreenConnect until customers update to a patched version.

More details here: 

No One Should Be Surprised 

This is not an aberration. The attack comes as experts and regulators have been sounding the alarm about cyber threats against the healthcare sector. 

Over the past five years, the HHS’ Office for Civil Rights tracked a 256% increase in large data breaches involving hacking and a 264% jump in ransomware, a type of malware that denies users access to their data until a ransom is paid.

AlphVhas recently targeted the healthcare industry, according to a bulletin released Tuesday by the HHS, the FBI and the Cybersecurity and Infrastructure Security Agency.  Since the middle of December, healthcare has been the most common victim of the prolific ransomware group, the agencies said. An AlphVadministrator called on affiliates to launch cyberattacks against hospitals after law enforcement infiltrated and shut down the group’s infrastructure.

The bottom line, as The Washington Post comprehensively reported, after years of ransomware attacks, healthcare defenses still fail.

It Will Happen Again

What we are doing is not working. Hundreds of billions of dollars are spent annually for layer upon layer of active defenses, yet not a day goes by without new headlines and personal experiences of successful attacks that continue to multiply. Yes, in this case, there was a combination of a “supply chain attack” and a specific error in human processes to defend against them. 

But that’s just the on the surface – it gets all the attention and headlines. But there are root causes for the current state of affairs which go the very foundations of how the Internet works today.

1. Centralized servers, with human access and control

The “Cloud” infrastructure that we all use today – and the security solutions that attempt to defend it – all rely upon:

  • Centralized servers
  • Centralized Certificate Authorities

These servers, certificates and people can all be compromised. Or no need to bother since certificates can be purchased on the Dark Web!

2. Everything is Visible for study and attack

With Internet Protocol, network addresses and traffic are visible, and connections are insecure by default. So the Bad Guys always have the advantage.

In this case, you can be sure that they had studied and were actively monitoring the activities and devices of admins – and any other users with the kinds of super powers that are always the achilles heel of centralized architectures. As soon as this vulnerability was discovered, they could pounce.

Or no need – thanks to this situation, there is an entire industry of initial access brokers (IABs) to do this work for them! When a vulnerability like this is announced, they started pouncing on the bugs to set up shop inside various endpoints, with the intent of selling that access to ransomware groups.

3. Data is Vulnerable

We hear a lot about the big data breaches in Cloud servers. That’s surely a problem – and the primary one here. Because it is either not encrypted or someone else has the access to and control of the keys. Once they hack into the Cloud, they can get control of everything.

But just as concerning is all the data that lies around on endpoint devices (PCs, laptops, tablets, smartphones, etc.) and in Cloud folders.

Why? Because encryption solutions are too complex and painful for end users, so they are rarely used. 

So, What Are the Take-aways for Small Practices?

Well, when it comes to protecting your business from a centralized, Cloud-based system that processes between intermediaries – in this case your invoicing and payments – probably not a lot. We need Change Healthcare and all of the enterprises that run such systems to rethink and refocus on not just active defenses – which will always fail at some point – but to adopting fundamentally sound architectures for passive cyber defense. We will speak to that in a Blog shortly.

But for small to midsized healthcare practices and vendors there are some important take-aways for thinking about an attack on your own business.

1. Yes, You Should Be Worried

Don’t kid yourself. This was a spectacular attack by some big game hunters. But the proliferation of tools and ransomware “service providers” – now powered by AI – means that they are coming after you next.

In fact, the Connectwise application is widely used by managed service providers (MSP) to connect to customer environments, so it can also open the door to threat actors looking to use those MSPs for downstream access, similar to the tsunami of Kaseya attacks that businesses faced in 2021. According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, with the majority of them located in the US.

2. Hoping You Are Not Next is Not the Answer

For most small to mid-sized business owners, just keeping business and operations running is the primary concern. When one looks at all of the potential threats, and all of the steps that are required to implement a complete and rigorous cybersecurity defense, it can be very hard to know where to start. So, far too often taking any steps gets kicked down the road. And sadly, the results of that are predictable.

3. Focus First on What Matters Most

Here is a simple guideline for the 5 easy first steps you can take to reduce the most critical vulnerabilities that are most likely to directly threaten your business and operations – whether that be a medical practice, manufacturing production line, or otherwise.

Faction Virtual Private Circuit enables you to implement ‘Zero Trust’ security for your networking, critical devices and data – and really mean it! While you can’t protect every part of your business, or stop every staff member or vendor from doing something stupid, you can actually secure the most important things by taking them OFF the Internet and into a secure, invisible network for which only YOU have the keys.

Then you can sleep at night again, and have time and energy to clean up all the loose ends later. So, what are you waiting for?

If you liked this post, Share it on: