The Intake

Insights for those starting, managing, and growing independent healthcare practices

Key lessons from the Change Healthcare cyberattack

Discover how the Change Healthcare cyberattack has revealed crucial cybersecurity lessons — and learn strategies to protect your practice against the ever-evolving threat of ransomware.


At a Glance

  • The Change Healthcare incident underscores the necessity of having comprehensive BCDR plans that should include data backups, recovery procedures, communication protocols, and more
  • Ransomware attacks open up the potential for regulatory penalties, lawsuits, reputational damage, and continuous extortion attempts
  • It’s crucial to have a layered security approach that includes both technical solutions and comprehensive employee training to reduce the risk of ransomware attacks

On February 21st, 2024, Change Healthcare, a significant entity within the United States healthcare system, fell victim to a ransomware attack, causing disruptions for healthcare organizations nationwide. Deemed the most severe incident of its kind by the American Hospital Association, this cyber breach threatens a vast network managing 1 in 3 patient records and 15 billion healthcare transactions annually.

The impact extended throughout the sector, affecting approximately 800,000 physicians, 117,000 dentists, 60,000 pharmacies, 5,500 hospitals, and virtually all government and commercial stakeholders.

By actively engaging with the ongoing developments of this cyber attack, healthcare practices can extract invaluable lessons to enhance their resilience against future threats. 

This article looks at the proactive measures practices can take to safeguard patient care continuity, mitigate financial risks, and counteract potential adverse impacts on operations.

What is the Change Healthcare cyberattack?

Change Healthcare, a subsidiary responsible for managing patient records, revenue cycles, and prescriptions for Optum, fell victim to a ransomware assault orchestrated by ALPHV/BlackCat. In response, UnitedHealth Group (UHG), the parent company of Optum, swiftly disconnected Change Healthcare to contain the breach.

The repercussions of this shutdown are estimated to be disrupting over $100 million in daily provider reimbursement, potentially leading to various provider-related ramifications, such as:

  • Issues filling prescriptions
  • Unprocessed claims
  • Missing electronic remittance advice (ERA)
  • Delayed provider reimbursement
  • Potential timely filing issues for impacted claims
  • Failed eligibility transactions 

A recent announcement from Change Healthcare stated that they expect to begin testing and reestablish connectivity to their claims network and software on March 18, restoring service through that week.

The attack on Change Healthcare highlights the ever-present threat of cyberattacks in the healthcare industry. What can we learn from this catastrophic event? 

Lessons learned from the Change Healthcare cyberattack

Learn key takeaways from the Change Healthcare outage to better protect your practice.

1. Business Continuity and Disaster Recovery (BCDR) plans are crucial

The Change Healthcare incident serves as a stark reminder that simply having backups isn't enough. 

Recovery from ransomware attacks may take longer than expected. Having a well-defined BCDR plan outlines the steps to take in the event of a cyberattack or other disaster. 

This plan should include:

  • Data backups and recovery procedures
  • Communication protocols for notifying stakeholders
  • Alternate methods for performing critical business functions
  • Disaster recovery testing to ensure plan effectiveness

Ransomware attacks can exploit various vulnerabilities, so a layered security approach that combines firewalls, intrusion detection systems, data encryption, and employee training can significantly reduce the risk of successful attacks.

Not all systems are equally critical. That’s why a BCDR plan should prioritize restoring the most essential functions to minimize disruption and patient safety concerns.
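The plan items above (backups, recovery procedures, disaster recovery testing, and restoring the most critical systems first) can be exercised with a small script. The following is an added example, not code from the article or from Tebra: it builds a few constructed sample data files, backs them up with a checksum manifest, verifies the backup by actually restoring it to a scratch directory, checks each backup's age against a per-tier recovery point objective (RPO), and orders systems for restoration by criticality. The system names, tier numbers and RPO values are assumptions chosen for the example.

```python
"""Backup verification by test restore, with per-tier RPO checks.
Added example; system names, tiers and RPO hours are assumptions."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed criticality tiers: tier 1 is restored first and may be at most 1 hour old.
TIER_RPO_HOURS = {1: 1, 2: 24, 3: 72}


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir, systems):
    """Copy each system's data file and record its checksum and tier in a manifest."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": {}}
    for name, info in systems.items():
        src = os.path.join(src_dir, info["file"])
        shutil.copy2(src, os.path.join(backup_dir, info["file"]))
        manifest["files"][name] = {"file": info["file"], "sha256": sha256_of(src), "tier": info["tier"]}
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_by_restore(backup_dir, restore_dir, now=None):
    """Restore every file to a scratch directory and check checksum and RPO.
    Returns {system: {"ok": bool, "reason": str, "tier": int}}."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    created = datetime.fromisoformat(manifest["created"])
    now = now or datetime.now(timezone.utc)
    os.makedirs(restore_dir, exist_ok=True)
    results = {}
    for name, entry in manifest["files"].items():
        src = os.path.join(backup_dir, entry["file"])
        dst = os.path.join(restore_dir, entry["file"])
        tier = entry["tier"]
        if not os.path.exists(src):
            results[name] = {"ok": False, "reason": "backup file missing", "tier": tier}
            continue
        shutil.copy2(src, dst)  # the restore itself is the test
        if sha256_of(dst) != entry["sha256"]:
            results[name] = {"ok": False, "reason": "checksum mismatch after restore", "tier": tier}
            continue
        if now - created > timedelta(hours=TIER_RPO_HOURS[tier]):
            results[name] = {"ok": False, "reason": f"backup older than tier {tier} RPO", "tier": tier}
            continue
        results[name] = {"ok": True, "reason": "restored and verified", "tier": tier}
    return results


def restore_order(results):
    """Lowest tier (most critical) first, so patient-facing systems come back first."""
    return [name for name, r in sorted(results.items(), key=lambda kv: (kv[1]["tier"], kv[0]))]


def run_demo(tamper=False, hours_old=0):
    """Build constructed sample data, back it up, optionally corrupt the copy, then verify."""
    work = tempfile.mkdtemp()
    src, bak, rst = (os.path.join(work, d) for d in ("live", "backup", "restore-test"))
    os.makedirs(src)
    systems = {  # constructed sample systems; names and tiers are assumptions
        "scheduling": {"file": "scheduling.db", "tier": 1},
        "claims": {"file": "claims.db", "tier": 2},
        "marketing": {"file": "marketing.csv", "tier": 3},
    }
    for info in systems.values():
        with open(os.path.join(src, info["file"]), "wb") as f:
            f.write(info["file"].encode() * 64)
    make_backup(src, bak, systems)
    if tamper:  # simulate silent corruption of the backup copy
        with open(os.path.join(bak, "claims.db"), "r+b") as f:
            f.write(b"\x00" * 16)
    now = datetime.now(timezone.utc) + timedelta(hours=hours_old)
    results = verify_by_restore(bak, rst, now=now)
    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for name, r in run_demo(tamper=True).items():
        print(f"{name:12} tier {r['tier']}: {'OK ' if r['ok'] else 'FAIL'} {r['reason']}")
```

Run it as a scheduled job against real backup media and alert on any `ok: False` result; a checksum mismatch or a stale tier-1 backup found during a drill is far cheaper than the same discovery during an incident.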


2. Paying the ransom is not a guaranteed solution 

The recent Change Healthcare breach offers a chilling example of why paying a ransom is a gamble with potentially devastating consequences. 

Despite reportedly paying $22 million to the ALPHV/BlackCat ransomware gang, Change Healthcare finds itself in a precarious position. A BlackCat affiliate claims that BlackCat kept the full ransom while over 4TB of stolen data from insurance companies and pharmacies remains in the attackers' possession.

"This leaves Change Healthcare vulnerable to regulatory penalties, lawsuits, and disastrous consequences if that sensitive data is leaked — even after paying a king's ransom. And with the disgruntled attacker controlling the data, the extortion risks remain," Jesse Salmon, Manager of Information Security at Tebra, says.

Here's specifically what Change Healthcare could be exposed to:

  • Regulatory penalties: Data breaches can trigger large fines and sanctions from regulatory bodies.
  • Lawsuits: Affected patients and partners might file lawsuits seeking compensation for compromised data.
  • Reputational damage: A public data leak could severely damage Change Healthcare's reputation and erode trust with its customers.
  • Never-ending extortion: Paying a ransom doesn't guarantee an end to the ordeal. Change Healthcare remains vulnerable to further extortion attempts. This creates a cycle of fear and uncertainty, with no clear path to resolution.

The case underscores the importance of a proactive approach to cybersecurity. Investing in robust defenses, maintaining secure backups, and having a solid incident response plan are far more effective strategies than succumbing to extortion.

3. Human error is the primary cause of ransomware attacks

While sophisticated hacking techniques exist, a surprising number of ransomware attacks exploit human vulnerabilities. Criminals keep getting better at looking like legitimate actors.

A growing trend is an increasingly sophisticated set of identity-fraud and social-engineering attacks. "Criminals are also becoming more aggressive in setting up seemingly real interactions for soliciting personal information they can use to get access to accounts," Anthony Comfort, VP of Product Management at Tebra, says.


Criminals are using AI tools to fake government IDs and other forms of identification. Comfort also explains another common cyberattack:

"They’ll set up email addresses that look exactly like your bank, solicit information from you by requesting you 'follow a link,' which then takes you to a website that looks exactly like your bank’s — only it is not. You’ll attempt to log in and they’ll capture your username and password. You’ll even be redirected to a bank account homepage with some kind of error message. At this point, they have your username/password and can start trying those credentials on many different websites. This is also why it is important to use a different password on each site — something that a password manager makes it easy to accommodate."

This highlights the importance of following best practices — like not clicking on suspicious links and also having unique passwords for each website.

Here are some other examples of why human error plays such a significant role:

  • Phishing: These types of emails are a common tactic used by attackers. These emails often appear legitimate, tricking recipients into clicking malicious links or downloading infected attachments that unleash ransomware. This could include things like falling for phishing emails disguised as patient referrals or clicking on malicious links in appointment reminders.
  • Unintentional insider threats: Even well-meaning employees can inadvertently create openings for attackers. Clicking on the wrong link, falling for a phishing attempt, or using weak passwords can all provide a foothold for ransomware.
  • Lack of awareness: Cybersecurity awareness training equips employees to identify and avoid common threats. Without proper training, employees may not recognize the risks associated with suspicious emails, websites, or software downloads.
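The lookalike-website trick Comfort describes, and the phishing emails in the list above, both rely on a link whose host merely resembles a trusted domain. The following is an added example, not code from the article or from Tebra, of the kind of check a mail gateway or security team can run on inbound messages: it extracts the host from every link, normalises common look-alike characters (a digit 1 for a lowercase l, "rn" for "m", and so on), and compares the registrable domain against an allow-list of domains the practice legitimately uses. The trusted-domain list, the homoglyph table and the sample email are all constructed for the example; real-world deployments also need to handle internationalised (punycode) hostnames, which this example does not.

```python
"""Flag links whose host resembles, but is not, a trusted domain.
Added example; the allow-list, homoglyph table and sample email are constructed."""
import re
from urllib.parse import urlparse

# Assumed allow-list of domains staff legitimately receive links from.
TRUSTED = {"examplebank.com", "tebra.com", "medicare.gov"}

# Common visual substitutions seen in lookalike hostnames (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(text):
    """Lowercase and undo the homoglyph substitutions so 'examp1ebank' reads as 'examplebank'."""
    text = text.lower()
    for src, dst in HOMOGLYPHS.items():
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats such as 'tebr.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels. Adequate for the .com/.gov
    allow-list used here (assumption); a public-suffix list is needed for e.g. .co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify_url(url):
    """Return (verdict, trusted_domain). Verdicts: 'trusted', 'lookalike', 'unknown'."""
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted", domain
    # Brand name appearing as any label or hyphen-separated token of the host
    # (e.g. examplebank.com.secure-verify.net) or within one edit of the
    # second-level label (e.g. tebr.com) is treated as a lookalike.
    tokens = set(re.split(r"[.-]", normalize(host)))
    sld = normalize(domain.split(".")[0])
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if brand in tokens or levenshtein(sld, brand) <= 1:
            return "lookalike", trusted
    return "unknown", None


def scan_message(body):
    """Return [(url, verdict, trusted_domain)] for every link found in a message body."""
    return [(url,) + classify_url(url) for url in URL_RE.findall(body)]


# Constructed sample message; none of these hosts are real targets.
SAMPLE_EMAIL = """Dear customer, please follow the link below to confirm your account:
https://examp1ebank.com/login
Your statement: https://statements.examplebank.com/2024
Our new portal: https://examplebank.com.secure-verify.net/
Unrelated: https://www.medicare.gov/coverage
"""

if __name__ == "__main__":
    for url, verdict, trusted in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}" + (f"  (resembles {trusted})" if verdict == "lookalike" else ""))
```

A "lookalike" verdict is a strong signal to quarantine the message and to add the host to the practice's web filter; an "unknown" verdict only means the domain is not on the allow-list and still warrants the usual caution about unexpected links.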

Combine technical solutions with employee training

By focusing solely on complex technical defenses, practices miss a crucial element of the cybersecurity equation: the human factor. 

Effective ransomware prevention requires a layered approach that combines robust technical solutions with comprehensive employee training. This "defense in depth" strategy significantly reduces the risk of human error becoming the entry point for a devastating attack.

Consider engaging a vendor to provide security awareness training on a recurring basis. "These services can provide comprehensive reviews of the latest learnings about different security threats and show your staff how to be vigilant for them," Comfort notes.

Stay informed on cyberattacks 

For ongoing vigilance about new cyber threats and evolving security best practices, subscribe to authoritative threat intelligence feeds and advisories from trusted sources such as:

For more tips on how to stay informed on cyberattacks, check out our guide "Physician cybersecurity: 9 tips to protect patient health records from cyberattacks."


Becky Whittaker, specialist SEO copywriter

Becky Whittaker is a specialist SEO copywriter with over a decade of experience and an interest in healthcare and legal marketing. Becky believes that independent practices are critical because they have more opportunities to deliver better patient care and personalize patients’ experiences. She also has a personal connection to the healthcare industry, as her sister-in-law is a pediatrician.
