Cybercriminals pose a threat to both businesses and individuals, and occasionally they pose a threat to both at the same time. With many businesses, particularly in the healthcare field, storing a wealth of personal data on their patients, cybercriminals are hitting the healthcare industry hard. The recent cyberattack on Change Healthcare in February is proof of advancing cybercriminals’ attempts and successes at breaching major computer systems.
According to a study done in 2022 and published in JAMA Health Forum, “The annual number of ransomware attacks on health care delivery organizations more than doubled from 2016 to 2021, exposing the personal health information of nearly 42 million patients,” proving that ransomware attacks, a type of malware that permanently blocks access to a target’s computer systems unless a ransom is paid, are becoming increasingly common in the healthcare industry,
Impact of the Change Healthcare Cyberattack
On this past February 21, Change Healthcare, a UnitedHealth Group subsidiary that the company acquired in October 2022, announced some of their applications were “currently unavailable,” and by the afternoon, the subsidiary described a cybersecurity issue that has continued to blossom into a major problem since.
During an hours-long hearing this past Wednesday, CEO of UnitedHealth Group, Andrew Witty, testified that cybercriminals were able to breach the Change Healthcare computer system after stealing someone’s password, entering through a portal that did not have a multifactor authentication (MFA) enabled.
The focus of the hearing was centered on exactly how hackers were able to gain access to Change Healthcare, with members of the House Energy and Commerce Committee asking Witty how the nation’s largest healthcare insurer did not have the basic cybersecurity protection in place before the attack.
Financial and Data Security Repercussions
MFA is a second layer of security to password-protected accounts, requiring users to enter an auto-generated code that is sent to their phone or email to gain access to personal accounts. This feature is a common safeguard used to protect accounts against hackers who either obtain or guess passwords.
According to Witty, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition… But for some reason, which we continue to investigate, this particular server did not have MFA on it.” Witty went on to further explain that Change Healthcare now has MFA enabled.
But the damage has been done and remains a large concern for individuals whose information was gathered by the Russian-based ransomware gana ALPHV or BlackCat, the group that claimed responsibility for the attack, alleging they stole more than six terabytes of data which included highly sensitive medical records.
Unfortunately, Witty told lawmakers during the hearing that the company has not yet determined how many patients and healthcare professionals were violated by the breach, but confirmed that UnitedHealth paid a $22 million ransom in the form of bitcoin to BlackCat, a decision Witty made himself. Yet, despite the ransom payment, lawmakers drew attention to the fact that some of the sensitive records from patients have still been posted by hackers on the dark web.
This breach has already cost UnitedHealth more than $900 million, excluding the ransom payment, with the scale of the attack potentially containing personal information that could cover a “substantial portion of people in America.”