How the ransomware assault at Change Healthcare went down: A timeline

Date:

Share post:

A ransomware assault earlier this yr on UnitedHealth-owned well being tech firm Change Healthcare doubtless stands as one of many largest information breaches of U.S. well being and medical information in historical past.

Months after the February information breach, a “substantial proportion of people living in America” are receiving discover by mail that their private and well being data was stolen by cybercriminals through the cyberattack on Change Healthcare. Not less than 100 million individuals at the moment are identified to be affected by the breach.

Change Healthcare processes billing and insurance coverage for a whole bunch of hundreds of hospitals, pharmacies and medical practices throughout the U.S. healthcare sector. As such, it collects and shops huge quantities of extremely delicate medical information on sufferers in the US. By means of a sequence of mergers and acquisitions, Change turned one of many largest processors of U.S. well being information, dealing with between one-third and one-half of all U.S. well being transactions.

Right here’s what has occurred for the reason that ransomware assault started.

February 21, 2024

First report of outages as safety incident emerges

It appeared like an abnormal Wednesday afternoon, till it wasn’t. The outage was sudden. On February 21, billing methods at medical doctors workplaces and healthcare practices stopped working, and insurance coverage claims stopped processing. The standing web page on Change Healthcare’s web site was flooded with outage notifications affecting each a part of its enterprise, and later that day the corporate confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly one thing had gone very unsuitable.

It seems that Change Healthcare invoked its safety protocols and shut down its complete community to isolate intruders it present in its methods. That meant sudden and widespread outages throughout the healthcare sector that depends on a handful of corporations — like Change Healthcare — to deal with healthcare insurance coverage and billing claims for huge swathes of the US. It was later decided that the hackers initially broke into the corporate’s methods over per week earlier, on or round February 12.

February 29, 2024

UnitedHealth confirms it was hit by ransomware gang

After initially (and incorrectly) attributing the intrusion to hackers working for a authorities or nation-state, UnitedHealth later stated on February 29 that the cyberattack was in actual fact the work of a ransomware gang. UnitedHealth stated the gang “represented itself to us as ALPHV/BlackCat,” an organization spokesperson informed TechCrunch on the time. A darkish net leak website related to the ALPHV/BlackCat gang additionally took credit score for the assault, claiming to have stolen thousands and thousands of Individuals’ delicate well being and affected person data, giving the primary indication of what number of people this incident had affected.

ALPHV (aka BlackCat) is a identified Russian-speaking ransomware-as-a-service gang. Its associates — contractors who work for the gang — break into sufferer networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a reduce of the earnings collected from the ransoms collected from victims to get their information again. 

Figuring out that the breach was brought on by a ransomware gang modified the equation of the assault from the form of hacking that governments do — generally to ship a message to a different authorities as a substitute of publishing thousands and thousands of individuals’s non-public data — to a breach brought on by financially motivated cybercriminals, who’re prone to make use of a wholly completely different playbook to get their payday. 

March 3-5, 2024

UnitedHealth pays a ransom of $22 million to hackers, who then disappear

In early March, the ALPHV ransomware gang vanished. The gang’s leak website on the darkish net, which weeks earlier took credit score for the cyberattack, was changed with a seizure discover claiming that U.Ok. and U.S. legislation enforcement took down the gang’s website. However each the FBI and U.Ok. authorities denied taking down the ransomware gang as that they had tried months earlier. All indicators pointed to ALPHV working off with the ransom and pulling an “exit scam.”

In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV management stole $22 million paid as a ransom and included a hyperlink to a single bitcoin transaction on March 3 as proof of their declare. However regardless of shedding their share of the ransom fee, the affiliate stated the stolen information is “still with us.” UnitedHealth had paid a ransom to hackers who left the information behind and disappeared.

A pretend legislation enforcement seizure discover posted on BlackCat’s darkish net leak website quickly after receiving a ransom fee of $22 million.Picture Credit:TechCrunch (screenshot)

March 13, 2024

Widespread disruption throughout U.S. healthcare amid fears of information breach

In the meantime, weeks into the cyberattack, outages had been nonetheless ongoing with many unable to get their prescriptions stuffed or having to pay money out of pocket. Navy medical insurance supplier TriCare stated “all military pharmacies worldwide” had been affected as properly. 

The American Medical Affiliation was saying there was little data from UnitedHealth and Change Healthcare in regards to the ongoing outages, inflicting huge disruption that continued to ripple throughout the healthcare sector

By March 13, Change Healthcare had obtained a “safe” copy of the stolen information that it had simply days earlier paid $22 million for. This allowed Change to start the method of poring by way of the dataset to find out whose data was stolen within the cyberattack, with the intention of notifying as many affected people as potential.  

March 28, 2024

U.S. authorities ups its bounty to $10 million for data resulting in ALPHV seize

By late March, the U.S. authorities stated it was upping its bounty for data on key management of ALPHV/BlackCat and its associates. 

By providing $10 million to anybody who can determine or find the people behind the gang, the U.S. authorities appeared to hope that one of many gang’s insiders would activate their former leaders. It additionally may very well be seen because the U.S. realizing the specter of having a big variety of Individuals’ well being data doubtlessly printed on-line. 

April 15, 2024

Contractor types new ransom gang and publishes some stolen well being information

After which there have been two — ransoms, that’s. By mid-April, the aggrieved affiliate arrange a brand new extortion racket referred to as RansomHub, and because it nonetheless had the information that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub printed a portion of the stolen information containing what gave the impression to be non-public and delicate affected person information as proof of their menace. 

Ransomware gangs don’t simply encrypt information; additionally they steal as a lot information as potential and threaten to publish the information if a ransom isn’t paid. This is named “double extortion.” In some circumstances when the sufferer pays, the ransomware gang can extort the sufferer once more — or, in others, extort the sufferer’s clients, often known as “triple extortion.”

Now that UnitedHealth was keen to pay one ransom, there was a danger that the healthcare big can be extorted once more. It’s why legislation enforcement have lengthy advocated towards paying a ransom that permits criminals to revenue from cyberattacks.

April 22, 2024

UnitedHealth says ransomware hackers stole well being information on a “substantial proportion of people in America”

For the primary time, UnitedHealth confirmed on April 22 — greater than two months after the ransomware assault started — that there was a knowledge breach and that it doubtless impacts a “substantial proportion of people in America,” with out saying what number of thousands and thousands of those who entails. UnitedHealth additionally confirmed it paid a ransom for the information however wouldn’t say what number of ransoms it in the end paid.

The corporate stated that the stolen information consists of extremely delicate data, together with medical information and well being data, diagnoses, medicines, check outcomes, imaging and care and remedy plans, and different private data.

Provided that Change Healthcare handles information on about one-third of everybody dwelling in the US, the information breach is prone to have an effect on greater than 100 million individuals at the least. When reached by TechCrunch, a UnitedHealth spokesperson didn’t dispute the doubtless affected quantity however stated that the corporate’s information evaluation was ongoing. 

Might 1, 2024

UnitedHealth Group chief government testifies that Change wasn’t utilizing primary cybersecurity

Maybe unsurprisingly when your organization has had one of many greatest information breaches in latest historical past, its chief government is certain to get referred to as to testify earlier than lawmakers. 

That’s what occurred with UnitedHealth Group (UHG) chief government Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s methods utilizing a single set password on a consumer account not protected with multi-factor authentication, a primary safety function that may stop password reuse assaults by requiring a second code despatched to that account holder’s cellphone. 

One in all the largest information breaches in U.S. historical past was totally preventable, was the important thing message. Witty stated that the information breach was prone to have an effect on about one-third of individuals dwelling in America — in keeping with the corporate’s earlier estimates that the breach impacts round as many individuals that Change Healthcare processes healthcare claims for.

1: UnitedHealth CEO Andrew Witty testifies before the Senate Finance committee on Capitol Hill on May 1, 2024 in Washington, DC.
UnitedHealth CEO Andrew Witty testifies earlier than the Senate Finance committee on Capitol Hill on Might 1, 2024, in Washington, D.C.Picture Credit:Kent Nishimura / Getty Photographs

June 20, 2024

UHG begins notifying affected hospitals and medical suppliers what information was stolen

It took Change Healthcare till June 20 to start formally notifying affected people that their data was stolen, as legally required below a legislation generally often known as HIPAA, doubtless delayed partially by the sheer dimension of the stolen dataset. 

The corporate printed a discover disclosing the information breach and stated that it could start notifying people it had recognized within the “safe” copy of the stolen information. However Change stated it “cannot confirm exactly” what information was stolen about every particular person and that the knowledge could differ from individual to individual. Change says it was posting the discover on its web site, because it “may not have sufficient addresses for all affected individuals.”

The incident was so massive and complicated that the U.S. Division of Well being and Human Providers stepped in and stated that affected healthcare suppliers, whose sufferers are in the end affected by the breach, can ask UnitedHealth to inform affected sufferers on their behalf, an effort seen at lessening the burden on smaller suppliers whose funds had been hit amid the continued outage. 

July 29, 2024

Change Healthcare begins notifying identified affected people by letter

The well being tech big confirmed in late June that it could start notifying these whose healthcare information was stolen in its ransomware assault on a rolling foundation. That course of started in late July. 

The letters going out to affected people will almost certainly come from Change Healthcare, if not the precise healthcare supplier affected by the hack at Change. The letter confirms what varieties of information was stolen, together with medical information and medical insurance data, and claims and fee data, which Change stated consists of monetary and banking data.

October 24, 2024

UnitedHealth confirms at the least 100 million individuals affected by information breach

It took the medical insurance big greater than eight months to announce, nevertheless it has now confirmed that the information breach impacts greater than 100 million people. The variety of these affected is anticipated to rise, given some have obtained information breach notifications as just lately as October. The U.S. Division of Well being and Human Providers reported the up to date quantity on its information breach portal on October 24.

Because it stands, the information breach at Change Healthcare is now the most important digital theft of U.S. medical information, and one of many greatest information breaches in dwelling historical past.

Related articles

Nvidia advances robotic studying and humanoid improvement with AI and simulation instruments

Be part of our every day and weekly newsletters for the most recent updates and unique content material...

This Week in AI: It is shockingly straightforward to make a Kamala Harris deepfake

Hiya, people, welcome to TechCrunch’s common AI publication. If you need this in your inbox each Wednesday, join right...

The very best early offers we might discover from Amazon, Greatest Purchase and extra

Black Friday might technically simply be in the future, but it surely’s advanced to devour your complete month...

Uncapped Video games reveals off new gameplay for Battle Aces RTS

Uncapped Video games confirmed off gameplay for Battle Aces, its motion real-time technique (RTS) sport for PC and is launching a brand...