It’s not often that we cover specific breaches, but sometimes one comes along that is so substantial and insightful that we believe it’s worth talking about. Such is the case with the recent Change Healthcare ransomware attack. This attack disrupted the entire U.S. healthcare system, forcing facilities to shut down, leaving patients without access to medication and care, and costing large hospitals and pharmacies upwards of $100 million per day.
In many ways, the Change attack was nothing new. Bad actors have long targeted healthcare companies because they know that when lives are on the line, healthcare entities can’t afford to be offline. (According to the IBM 2023 Cost of a Data Breach Report, the healthcare industry faces the highest average data breach cost at $10.93 million.) Beyond that, ransomware attacks are tried and true ways of getting money from large companies fast. SC Magazine has found that 66% of organizations were targeted by ransomware in 2023 and the average payout was more than $1.5 million.
However, even though this attack seemed like one of many, there are important lessons that companies of all sizes — especially those in the healthcare industry — should be noting. So what exactly happened with Change Healthcare and what should companies be thinking about in the future? Let’s start with the basics.
Change Healthcare is a technology company and clearinghouse that processes provider claims and issues payments, provides patient financial clearance, and runs one of the most widely used electronic prescribing services for pharmacies. Additionally, it’s owned by UnitedHealth Group, the largest insurance company in the U.S. with $350B reported in revenue last year.
On February 21, Change had to disconnect more than 100 systems because they were hit with ransomware. This shutdown of systems — and months-long delay in getting some back online — has had a massive impact on the healthcare system nationwide.
Due to the system disruption hospitals and healthcare providers couldn’t handle insurance claims and pharmacies weren’t able to process prescriptions. Daily operations were halted, patients couldn’t get pre-authorized for surgeries, medications, or healthcare services, and providers weren’t receiving payments from insurance carriers.
One month following the attack, at least 11 lawsuits have been filed against UnitedHealth Group, and the Office for Civil Rights within the U.S. Department of Health and Human Services launched an investigation to determine whether protected health information was compromised and to see if Change Healthcare and UnitedHealth Group complied with Health Insurance Portability and Accountability Act (HIPAA) rules.
At the time of this writing, Change Healthcare has restored many of its systems and UnitedHealth Group has advanced payments to many affected companies, but some are still not 100% recovered, which just shows the severity of the attack. So what can we take away from this?
BlackCat may have attacked Change Healthcare, but the entire healthcare industry is paying for it. Hospitals, private practices, as well as psychiatric and psychology offices are leaking millions per day as payments from insurers and patients are held up. The hacking group knew that by attacking one entity, they could cause maximum damage and disrupt the entire industry. This is a perfect example of why supply chain attacks continue to be a major issue.
It’s also important to note how this attack occurred. Bad actors will continue to target small and mid-sized businesses because they tend to have weaker security postures and also because they can serve as doorways to larger companies. Small and mid-sized companies need to implement basic security programs to remain safe. Larger corporations, with strong security programs, should vet vendors to ensure they meet minimum cybersecurity requirements, knowing that any vulnerabilities in their supply chains are threats to company and customer data.
In roughly one month, the Change cyberattack resulted in billions of dollars of delayed payments. Every day that goes by, that number goes up. These costs are all in addition to ransoms paid, remediation fees, potential fines, and the legal fees coming Change and UnitedHealth Group’s way.
Though the attack was originally found on February 21, Change’s pharmacy services weren’t back online until two weeks later. The company has been slowly reinstating its services, but as of April 17, 18 of Change’s 27 products have not yet been fully restored. The longer these systems are down, the worse the outcome, for Change’s finances as well as its reputation.
It’s no secret that breaches and cyberattacks are costly. The National Cyber Security Alliance found that 60% of companies experiencing a data breach go out of business within six months. This Change attack proves just how devastating those costs can be.
Because payments were withheld, smaller providers have been forced to furlough staff, dip into personal savings, or even close their doors. One AHA survey of 1,000 hospitals found that 60% of respondents report that the impact of the Change breach to their revenue has been $1 million or more per day. To minimize the industry impact, UnitedHealth Group claims it has already issued more than $6B to providers in need and will continue to financially support providers while they aim to have full system recovery. This is in addition to the $22M experts believe UnitedHealth has paid to BlackCat (though the company has refused to comment on it).
We’re talking about millions and billions of dollars as a result of a single attack. This is far less than the cost of setting up and maintaining a cybersecurity program.
Though there are many benefits from the interconnectedness of our technology-driven world, it also creates significantly more access points for hackers. This is especially true in consolidated industries like healthcare. Change processes 15 billion healthcare transactions annually, touches one in three patient records, and processes about half of all medical claims in the U.S. This vast reach and influence make Change a significant part of the healthcare supply chain, and now we know what happens when it falls to a cyber attack. Most consolidated industries are full of these single points of failure, making all of them enticing targets for threat actors.
Cybersecurity leaders at large organizations in healthcare and other consolidated industries need to take extra precautions to make sure their organization — and supply chain — is secure. This is in addition to contingency plans required to minimize downtime and costs should a breach occur.
Breaches are a huge threat to daily operations, reputation, and profits. The damages of the Change attack were so widespread, that even regulators and the federal government are getting involved. The events of the last two months should have every business leader thinking about cybersecurity more proactively.
Security should no longer be an isolated function of IT teams. It needs to be a consideration across all teams, and ownership needs to fall on every employee. Leaders should drive home the importance of cybersecurity best practices and commit to building effective cybersecurity programs. Organizations that don’t have cybersecurity programs in place need to invest in tools, processes, response strategies, and training to ensure they are ready should their company, or a partner, fall victim to an attack.
One place to start is with a managed security partner who can assess your existing (or non-existent) program, find gaps, and fill them with the appropriate tools. They can then manage those tools and provide 24/7 monitoring and detection services to ensure breaches are detected and remediated as quickly as possible.
SolCyber is the first-of-its-kind outsourced security program partner. With our 24/7 detection and response services and Foundational Coverage, businesses of all sizes in the healthcare industry can beef up their security posture in weeks.
Ready to get started? Reach out to the experts at SolCyber today.