US govt probes if ransomware gang stole Change Healthcare data

The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February.

This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.

UnitedHealth Group confirmed in late February that Change Healthcare systems and services were shut down after a cyberattack by "nation-state" hackers, which was later linked to the BlackCat (ALPHV) ransomware gang.

Change Healthcare is the largest payment exchange platform used by doctors, healthcare providers, and patients in the U.S. healthcare system and by more than 70,000 pharmacies, while UHG has contracts with over 1.6 million health professionals and 8,000 healthcare facilities across all 50 U.S. states.

"We cannot say this more clearly – the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. health care system in history," said Rick Pollack, the President and CEO of the American Hospital Association, last week.

"For nearly two weeks, this attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide."

Even though UHG has brought some of the impacted systems back online after the crippling February ransomware attack, the resulting outage is still impacting operations across the U.S. healthcare industry, with the company estimating that it will be able to revive its payments platform on March 15 and medical claims network and software on March 18.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident," said OCR head Melanie Fontes Rainer.

"OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules."

Claims of 6TB data theft

The investigation follows the BlackCat ransomware gang's claims that they stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."

They said they stole source code for Change Healthcare solutions and sensitive information from many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and many other healthcare insurance providers.

Sensitive data stolen from Change Healthcare's compromised systems allegedly includes information on millions of people, such as PII data, medical records, insurance records, dental records, payment information, claims information, and PII data of active U.S. military/navy personnel.

Earlier this month, BlackCat ransomware shut down in an exit scam amidst claims that they stole the $22 million ransom paid by Optum to the operator behind the Change Healthcare attack.

This wouldn't be unusual since BlackCat is believed to be a rebrand of the DarkSide and BlackMatter ransomware operations, with the former also shutting down after their attack on Colonial Pipeline in May 2021.

However, the ransomware affiliate behind the attack claims that they still have Change Healthcare's stolen data, indicating they may attempt to extort the company again.

The FBI says this ransomware gang raked in at least $300 million in ransoms from over 1,000 victims until September 2023, while the U.S. State Department now offers up to $15 million for tips that could help locate BlackCat gang leaders and anyone linked to the group's attacks.

"Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware," HHS added today.

"In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022."