Image copyright @BluOcean Digital

Do you have UnitedHealthCare insurance? If yes, are you having issues with getting your pharmacy order filled? Some even report having significant challenges in getting admitted to hospitals.

On February 21, 2024 Change Healthcare’s had a cyber attack which has crippled its business operations. Interestingly, that company is the technology unit backing UnitedHealth Group.  

Who was breached?

On February 21st Change Healthcare began warning customer of disruptions to their services, a cyberattack was confirmed in the 8-K SEC filing submitted by UnitedHealth Group on February 22 stating that they had “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.” The SEC Rule on Material Incident Disclosure enacted in December 2023 has mandated organizations into swift disclosure of cyber attacks and classification of material incidents as seen in this report. 

It has been alleged that United Healthcare made a ransom payment of 22 million dollars on March 1st, and as of March 5th, 2024 many of the disrupted services are beginning to work towards normal operations. Currently over 3 million online prescriptions have been processed and 90% of claims are flowing without disruption. However UHG is still dealing with payment issues relying on temporary funding assistance while working towards restoration of Change payments. At this time the organization claims only Change Healthcare has been impacted, and that Optum, UnitedHealthcare, and United Health Group remain unaffected. 

How did this attack happen?

UnitedHealth Group officially attributed the hack to BlackCat ransomware group on February 29th.  This was not surprising news because on February 28th the BlackCat ransomware group posted on a dark web forum that they had stolen over 8 terabytes of data with millions of sensitive records from partner’s like Medicare, US military healthcare agency Tricare, and CVS Health. The group also claimed they stole the source code of Change Healthcare applications. This post was soon deleted for unknown reasons. 

Sources have speculated the BlackCat was able to compromise Change Healthcare’s network through a critical authentication bypass vulnerability in ScreenConnect, a remote desktop software application. This vulnerability was originally published by ConnectWise with a security advisory only a day before it was allegedly exploited on Change Healthcare servers, possibly hosted by a managed service provider. While this attack vector is not yet confirmed, in general most organizations attempt to patch critical vulnerabilities within 24-72 hours making this attack nearly unavoidable to a victim being targeted by a highly skilled nation state attacker. 

One of the indicators of compromise is presumed to be a critical ScreenConnect auth bypass flaw (CVE-2024-1709) actively exploited in attacks to deploy ransomware on unpatched servers. This vulnerability can be combined to conduct a chained attack using CVE-2024-1708 which allows the attacker to do path traversal due to improper limitation of a pathname to a restricted directory.

A security advisory for these vulnerabilities was first released on February 19, 2024 which creates a concern that most security operations teams may not have patched these over the timeframe of the last two weeks.

ScreenConnect provides remote access functionality, attackers targeting ConnectWise ScreenConnect may seek to compromise critical systems for organizations with on-premises or self-hosted deployments.

BlackCat is notorious for targeting victims that are large in size and revenue. UnitedHealth Group (UHG) is the world’s largest healthcare by revenue, ​​$324.2 billion in 2022, with presence across all 50 U.S. states that has contracts with more than 1.6 million healthcare professionals, 8000 hospitals and care facilities, and has over 440,000 employees. They also have a history of aiming to disrupt business operations responsible for the destructive attacks on two major casinos, MGM Resorts and Caesars Entertainment, along with numerous other organizations targeted in 2023.

How did UnitedHealth Group respond?

Public Response

UnitedHealth Group has been swift and transparent in their disclosure of the attack with an initial notification on February 21st, the SEC 8-K filing on February 22nd, and official attribution on February 29th with numerous other status updates in between and beyond.

The February 22nd SEC Filing stated “The Company is working diligently to restore those systems and resume normal operations as soon as possible, but cannot estimate the duration or extent of the disruption at this time.”

After this disclosure, the American Hospital Association released a warning leading many major hospitals and healthcare providers to disconnect their assets from UHG systems.

In response to disrupted operations the company has established a temporary loan program to help providers who cannot submit insurance claims while Change Healthcare is offline. This program is expected to continue in the following weeks as operations resume to normal.

Optum also engaged the U.S. Department of Health and Human Services to further assess the impact of the incident. The agency stated, “the incident is a reminder to all healthcare providers and contractors to stay vigilant.”

Partners called out in the post by BlackCat on February 28th have not responded to the claims of stolen data. Tricare did confirm all military pharmacies were impacted by the hack in a separate statement.

Ransom Payment Claims

In more recent developments of this incident, there are unsubstantiated claims that UnitedHealth has paid ransom to the BlackCat group. On March 1st, a bitcoin wallet address associated with the hacker group received 22 million dollars in a single payment. A self reported hacker stated they were not properly paid for their attack efforts in this incident and brought the payment to the public eye as proof of their claims. While these claims are not confirmed the size and timing of this payment points to ransom. Many are worried for the precedent this will set for other healthcare institutions in future attacks. 

Key Takeaways and Lessons

Continued Attacks on Business Operations

We have seen hacks continue to move beyond data breaches to destruction of business operations and the Change Healthcare incident is a prime example. They have lost weeks of business across numerous functions including pharmacy orders, claims, electronic health records and other key processes. It is unclear what the true financial impact of this incident will be, but if the ransom payment claims are true it is likely far beyond 22 million dollars. 

Organizations need to begin treating their key revenue generating processes as a critical asset or crown jewel when it comes to cyber strategy. Without layered defense around critical processes more and more cyber incidents with widespread and lasting impacts will continue to make headlines.

Motivated and Sophisticated Hackers

Change Healthcare was breached from a vulnerability only a day after the security advisory was published by the vendor. This was such a small window of time that many organizations would have also struggled with locating impacted assets and patching vulnerabilities. 

Hackers know most organizations will be struggling to patch all impacted assets in a timely manner regardless of criticality, so acting early and aggressively is advantageous for attack groups. 

This clearly puts pressure on security leaders to ensure that the cyber program is focused on protecting against breaches, but if a breach happens which is quite possible, how effective is the program in protecting critical business operations and high value assets.

SEC Material Disclosures Putting Pressure on Incident Response Processes

UHG disclosed the cyber incident a day after detection on February 22nd in an 8-K SEC filing in order to comply with the 2023 SEC Rule on Material Incident Disclosure. Organizations are now having to detect, determine materiality, and disclose within a four day time window. This includes any incident that may have a material impact, not just data breaches, and puts incidents in the public eye for scrutiny while giving hackers understanding of response and remediation efforts. 

The rule is putting pressure on organizations to shape up incident response practices beyond just the security team. Defining a material incident requires critical inputs from finance, legal, and business leaders. UHG business leaders were forced to create a temporary funding assistance program for payments and create new technical workarounds for filing claims. Business leaders must take more responsibility and create stronger response plans to survive cyber incidents.

Understanding Cyber Risk Exposure as Complex Enterprises

UnitedHealth Group is the world’s largest healthcare company by revenue and exists as a complex organization with many subsidiaries from 25 acquisitions. 

The open questions are – What was known and what were unknown cyber deficiencies in technologies supporting critical business processes?

Do we need a proactive approach?  We need to know how effective are cyber controls in reducing risk to my business?  Is my business safe?  Unfortunately these questions can’t be answered by SOC reports, NIST assessments or other compliance exercises.

Conclusion

It is time for CEO’s to ensure that business leaders and cyber risk leaders have their rewards and penalties tied together in a way that assigns joint accountability to build and operate a single business+cyber strategy.

Building a strong cyber risk governance program that focuses on protecting key business operations will be key in organizations surviving the fallout of these attacks. 

To learn more about BluOcean Business Driven Cyber Risk Governance Planning https://bluoceancyber.com/cyber-resilience-for-mission-critical-operations/

Resources

• Information on the Change Healthcare Cyber Response – UnitedHealth Group

• Steve Alder. UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack – HIPAA Journal

• Andy Greenberg. Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment – WIRED

• UnitedHealth says ‘Blackcat’ ransomware group behind hack at tech unit – REUTERS

• Sergiu Gatlan. UnitedHealth subsidiary Optum hack linked to BlackCat ransomware – BEEPING COMPUTER

‌Note: This blog post is based on information available as of March 1st, 2024, from various news sources. The situation might evolve, and readers are advised to stay updated through official channels.