For the first time since news broke about a ransomware attack on Change Healthcare, the company has released details about the data stolen during the attack.

First, a quick refresher: On February 21, 2024, Change Healthcare experienced serious system outages due to a cyberattack. The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States. Patients were left facing enormous pharmacy bills, small medical providers teetered on the edge of insolvency, and the government scrambled to keep the money flowing and the lights on. The ransomware group ALPHV claimed responsibility for the attack.

But shortly after, the ALPHV group disappeared in an unconvincing exit scam designed to make it look as if the FBI had seized control over the group’s website. Then a new ransomware group, RansomHub, listed the organization as a victim on its dark web leak site, saying it possessed 4 TB of “highly selective data,” relating to “all Change Health clients that have sensitive data being processed by the company.”

In April, parent company UnitedHealth Group released an update, saying:

“Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

Now, Change Healthcare has detailed the types of medical and patient data that was stolen. Although Change cannot provide exact details for every individual, the exposed information may include:

• Contact information: Names, addresses, dates of birth, phone numbers, and email addresses.
• Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.
• Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment.
• Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due.
• Other personal information: Social Security numbers, driver’s license or state ID numbers, and passport numbers.

Change Healthcare added:

“The information that may have been involved will not be the same for every impacted individual. To date, we have not yet seen full medical histories appear in the data review.”

Change Healthcare says it will send written letters—as long as it has a person’s address and they haven’t opted out of notifications—once it has concluded the data review.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

---

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Change Healthcare is starting to notify hospitals, insurers and other customers that they may have had patient information exposed in a massive cyberattack.

The post Change Healthcare to Start Notifying Customers Who Had Data Exposed in Cyberattack appeared first on SecurityWeek.

Senator Ron Wyden (D-Ore.) is pressing the U.S. government to accelerate cybersecurity enhancements within the healthcare sector following the devastating Change Healthcare ransomware attack that exposed the protected health information of nearly a third of Americans. In a letter to Xavier Becerra, secretary of the U.S. Department of Health and Human Services, Wyden urged HHS to implement immediate, enforceable steps to improve “lax cybersecurity practices” of large healthcare organizations.

“It is clear that HHS’ current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” - Wyden.

He stated that the sub-par cybersecurity standards have allowed hackers to steal patient information and disrupt healthcare services, which has caused “actual harm to patient health.”

MFA Could Have Stopped Change Healthcare Attack

The call from Wyden comes on the back of the ransomware attack on Change Healthcare — a subsidiary of UnitedHealth Group — which, according to its Chief Executive Officer Andrew Witty, could have been prevented with the basic cybersecurity measure of Multi-Factor Authentication (MFA). The lack of MFA on a Citrix remote access portal account that Change Healthcare used proved to be a key vulnerability that allowed attackers to gain initial access using compromised credentials, Witty told the Senate Committee on Finance in a May 1 hearing.

“HHS’ failure to regulate the cybersecurity practices of major health care providers like UHG resulted in what the American Hospital Association has described as the worst cyberattack against the healthcare sector in U.S. history.” - Wyden

The use of MFA is a fundamental cybersecurity practice that HHS should mandate for all healthcare organizations, Wyden argued. He called for the implementation of broader minimum and mandatory technical cybersecurity standards, particularly for critical infrastructure entities that are designated as "systemically important entities" (SIE) by the U.S. Cybersecurity and Infrastructure Security Agency. “These technical standards should address how organizations protect electronic information and ensure the healthcare system’s resiliency by maintaining critical functions, including access to medical records and the provision of medical care,” Wyden noted. He suggested that HHS enforce these standards by requiring Medicare program participants to comply.

Wyden’s Proposed Cybersecurity Measures for HHS

Wyden said HHS should mandate a range of cybersecurity measures as a result of the attack. “HHS must follow the lead of other federal regulators in mandating cybersecurity best practices necessary to protect the healthcare sector from further, devastating, easily-preventable cyberattacks,” Wyden argued. The Democratic senator proposed several measures to enhance cybersecurity in the healthcare sector, including:

• Mandatory Minimum Standards: Establish mandatory cybersecurity standards, including MFA, for critical healthcare infrastructure.
• Rapid Recovery Capabilities: Ensure that organizations can rebuild their IT infrastructure within 48 to 72 hours following an attack.
• Regular Audits: Conduct regular audits of healthcare organizations to assess and improve their cybersecurity practices.
• Technical Assistance: Provide technical security support to healthcare providers.

Wyden criticized HHS for its current insufficient regulatory oversight, which he believes contributes to the ongoing cyberattacks harming patients and national security. “The current epidemic of successful cyberattacks against the health care sector is a direct result of HHS’s failure to appropriately regulate and oversee this industry, harming patients, providers, and our national security,” Wyden said. He urged HHS to use all of its authorities to protect U.S. healthcare providers and patients from mounting cybersecurity risks.

The State of Ransomware in Healthcare

The healthcare sector was the most common ransomware target among all critical infrastructure sectors, according to FBI’s Internet Crime Report 2023. The number of attacks and individuals impacted have grown exponentially over the last three years. [caption id="attachment_75474" align="aligncenter" width="1024"] Ransomware attacks on healthcare in last three years. (Source: Emsisoft)[/caption]

“In 2023, 46 hospital systems with a total of 141 hospitals were impacted by ransomware, and at least 32 of the 46 had information, including protected health information, stolen.” - Emsisoft

A study from McGlave, Neprash, and Nikpay from the University of Minnesota School of Public Health found that in a five-year period starting in 2016, ransomware attacks likely killed between 42 and 67 Medicare patients. Their study further observed a decrease in hospital volume and services by 17-25% during the week following a ransomware attack that not only hit revenue but also increased in-hospital mortality among patients who were already admitted at the time of attack.

HHS Cybersecurity Response

HHS announced in December plans to update its cybersecurity regulations for the healthcare sector for the first time in 21 years. These updates would include voluntary cybersecurity performance goals and efforts to improve accountability and coordination. The Healthcare and Public Health Sector Coordinating Council also unveiled a five-year Health Industry Cybersecurity Strategic Plan in April, which recommends 10 cybersecurity goals to be implemented by 2029. Wyden acknowledged and credited the latest reform initiatives from HHS and the HSCC, but remains concerned about the lengthy implementation timeline, which he said requires urgency when it comes to the healthcare sector. The latest letter follows Wyden’s request last week to the SEC and FTC to investigate for any negligence in cybersecurity practices of UnitedHealth Group. HHS is currently investigating the potential UHG breach that resulted in the exposure of protected health information of hundreds of thousands of Americans.

Last week on Malwarebytes Labs:

• How to change your Social Security Number
• Apple warns people of mercenary attacks via threat notification system
• How to check if your data was exposed in the AT&T breach
• Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities
• How to protect yourself from online harassment
• Introducing the Digital Footprint Portal
• New ransomware group demands Change Healthcare ransom
• Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
• 35-year long identity theft leads to imprisonment for victim
• Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

“The affiliates still have this data, and they’re mad they didn’t receive this money, Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.