"I write to request that your agencies investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices, which caused substantial harm to consumers, investors, the healthcare industry, and U.S. national security. The company, its senior executives, and board of directors must be held accountable," declared Senator Ron Wyden, Chairman of the Senate Committee on Finance, in a letter to federal regulators on May 30. This urgent plea follows the devastating cyberattack on Change Healthcare, a subsidiary of UHG, raising critical questions about the company's cybersecurity integrity. In a four-page letter, Senator Wyden linked the recent cyberattack on Change Healthcare to the infamous SolarWinds data breach, blaming UHG's leadership for a series of risky decisions that ended in this tragic cyberattack. [caption id="attachment_73457" align="aligncenter" width="1024"] Source: SEC[/caption]

Broader Context of Cyberattack on Change Healthcare

At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk. Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses. The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.

The Incident and Initial Reactions

The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations. During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.

Industry Standards and Regulatory Expectations

Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg. These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices. Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.

Consequences and Broader Implications

The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore. Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat. Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks. The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.

Accountability and Regulatory Action

Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity. The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties. Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.

The impact of the Cencora data breach is far more widespread than earlier thought as more than a dozen pharmaceutical giants including Novartis and GlaxoSmithKline disclose personal and health information data leaks stemming from the February breach incident. Cencora Inc., formerly recognized as AmerisourceBergen, and its Lash Group affiliate announced in a February filing with the Securities and Exchange Commission (SEC) that the company faced a cybersecurity incident where “data from its information systems had been exfiltrated.” Cencora is a major pharmacy company with over 46,000 employees and approximately $262.2 billion in revenue in 2023. Based in Pennsylvania, it operates in around 50 countries globally. The popular American drug wholesaler did not disclose the extent of the data breach in its February SEC filing but did confirm at the time that some of the data exfiltrated in the attack could contain personal information. Last week, however, Cencora and The Lash Group clients began notifying state Attorneys General about a data breach that stemmed from the February cybersecurity incident at Cencora. At least 15 pharmaceutical companies reported that the personal data of hundreds of thousands of individuals were compromised. Notifications identified the following affected companies:

• AbbVie Inc.
• Acadia Pharmaceuticals Inc.
• Bayer Corporation
• Bristol Myers Squibb Company and Bristol Myers Squibb Patient Assistance Foundation
• Dendreon Pharmaceuticals LLC
• Endo Pharmaceuticals Inc.
• Genentech, Inc.
• GlaxoSmithKline Group of Companies and the GlaxoSmithKline Patient Access Programs Foundation
• Incyte Corporation
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.
• Novartis Pharmaceuticals Corporation
• Pharming Healthcare, Inc.
• Regeneron Pharmaceuticals, Inc.
• Sumitomo Pharma America, Inc. / Sunovion Pharmaceuticals Inc.
• Tolmar

State Attorneys General often announce data breaches without specifying the number of affected people but AG’s office in Texas does disclose the number impacting the state residents. Based on these partial numbers, at least 542,000 individuals seem to be impacted from the Cencora data breach, till date. The Cyber Express reached out to Cencora for confirming the total number of individuals impacted to understand the full extent of the data breach but did not receive any communication till the time of publishing the article.

Cyber Forensic Findings from the Cencora Data Breach

Cencora detected the cyberattack on February 21, and took immediate action to contain and prevent further unauthorized access. Based on the investigation that likely concluded in April, Cencora said personal information including first name, last name, address, date of birth, health diagnosis, and medications and prescriptions was compromised in the attack. AmerisourceBergen Specialty Group (ABSG), a unit of Cencora, said Friday the breach involved data of a prescription supply program run by the now defunct subsidiary, Medical Initiatives Inc. Further details on how the supply program was exploited remain unclear. U.S. has been rocked by a host of cybersecurity breaches linked to the healthcare industry in recent days. While Change Healthcare cyberattack was one of the most notable ones, the Medstar and Ascension breaches have displayed the vulnerability of the healthcare sector to cyberattacks. The latest in the list of healthcare data breaches is the Sav-Rx data breach that compromised the health data of more than 2.8 million people. Cencora’s investigation, however, found no connection with other major healthcare cyberattacks and, in its notifications, said they were unaware of any actual or attempted misuse of the stolen data. The company said it has not seen any public disclosure of the stolen data, till date. The affected individuals have been offered 24 months of credit monitoring and identity theft remediation services at no cost and steps have also been taken to harden defenses to prevent such security breaches in the future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

MedStar Health, a prominent non-profit healthcare provider disclosed a data breach that impacts more than 183,000 patients from its hundreds of care locations which it operates in the Baltimore-Washington area in the U.S. The not-for-profit healthcare provider is worth $7.7 billion and is one of the largest employers in the region with more than 34,000 associates working across 300 care locations including 10 hospitals and 33 urgent care clinics, ambulatory care centers and primary and specialty care providers. They together treat hundreds of thousands of patients on a yearly basis. The impacted individuals' personal data may have been compromised when an outsider gained access to emails and files of three employees, MedStar Health said in a statement on the data breach. MedStar Health reported notifying 183,709 affected patients via letters and filed a notice with the Department of Health and Human Services. The unauthorized access occurred sporadically between January and October last year, with patient information found in breached files and emails. Although there's no indication of actual acquisition or viewing of patient data, the company couldn't rule out such access. Patient information including names, addresses, dates of birth, service dates, provider names and insurance details, were contained in the compromised emails and files, MedStar Health said. The healthcare provider urged affected patients to monitor healthcare statements for any unusual activities and assured implementation of new safeguards to prevent future breaches.

Earlier MedStar Health Data Breach

The digital woes of the healthcare provider are not new. In fact, this is the second time in a decade that MedStar Health is facing a massive data breach scare. In 2016, a virus, likely a ransomware malware infected the computer network of MedStar Health. This prompted a complete shutdown of services for the healthcare giant, which resulted in diversion of new patients to other hospitals and the care givers had to resort to pen and paper to continue regular operations. The impact was such that the FBI was called in to investigate the MedStar Health data breach, which followed similar cyberattacks on at least three other medical institutions in California and Kentucky.

Healthcare Breaches on the Rise

This incident adds to a growing list of healthcare breaches and ransomware attacks, including the Change Healthcare that caused widespread disruptions across U.S. Initially described as an “enterprise-wide connectivity issue,” the severity of the attack went a bar above when Blackcat – also known as Alphv – ransomware gang claimed responsibility for it. The Russia-based ransomware and extortion gang claimed to have stolen millions of Americans’ sensitive health and patient information, a tactic commonly employed by ransomware gangs to exert pressure on victims. However, on February 29, Blackcat withdrew its claim on the breached data of the healthcare group, raising questions if a ransom was paid. The company did confirm that is paid a $22 million ransom later but it now faces multiple lawsuits for alleged negligence in safeguarding clients' personal information. The parent company UnitedHealth has allocated over $2 billion to fight the fallout of the Change Healthcare data breach. The company last week also stated that a lack of multi-factor authentication (MFA) resulted into the massive hack. Blackcat in September 2023 claimed a similar data breach on McLaren Healthcare, where nearly 6 terabytes worth of data was siphoned. Owing to such large scale healthcare data breaches, the U.S. Cybersecurity and Infrastructure Security Agency in March unveiled a cybersecurity toolkit for healthcare sector that would help them implement advanced tools, that fortify their defenses against evolving threats. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

UnitedHealth CEO Andrew Witty said in a U.S. Senate hearing that his company is still trying to understand why the server did not have the additional protection.

The post Change Healthcare Cyberattack Was Due to a Lack of Multifactor Authentication, UnitedHealth CEO says appeared first on SecurityWeek.

Last week on Malwarebytes Labs:

• How to change your Social Security Number
• Apple warns people of mercenary attacks via threat notification system
• How to check if your data was exposed in the AT&T breach
• Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities
• How to protect yourself from online harassment
• Introducing the Digital Footprint Portal
• New ransomware group demands Change Healthcare ransom
• Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
• 35-year long identity theft leads to imprisonment for victim
• Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely.

In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two weeks.

On March 1, a cryptocurrency address that security researchers had already mapped to BlackCat received a single transaction worth approximately $22 million. On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

The affiliate claimed BlackCat/ALPHV took the $22 million payment but never paid him his percentage of the ransom. BlackCat is known as a “ransomware-as-service” collective, meaning they rely on freelancers or affiliates to infect new networks with their ransomware. And those affiliates in turn earn commissions ranging from 60 to 90 percent of any ransom amount paid.

“But after receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” the affiliate “Notchy” wrote. “Sadly for Change Healthcare, their data [is] still with us.”

Change Healthcare has neither confirmed nor denied paying, and has responded to multiple media outlets with a similar non-denial statement — that the company is focused on its investigation and on restoring services.

Assuming Change Healthcare did pay to keep their data from being published, that strategy seems to have gone awry: Notchy said the list of affected Change Healthcare partners they’d stolen sensitive data from included Medicare and a host of other major insurance and pharmacy networks.

On the bright side, Notchy’s complaint seems to have been the final nail in the coffin for the BlackCat ransomware group, which was infiltrated by the FBI and foreign law enforcement partners in late December 2023. As part of that action, the government seized the BlackCat website and released a decryption tool to help victims recover their systems.

BlackCat responded by re-forming, and increasing affiliate commissions to as much as 90 percent. The ransomware group also declared it was formally removing any restrictions or discouragement against targeting hospitals and healthcare providers.

However, instead of responding that they would compensate and placate Notchy, a representative for BlackCat said today the group was shutting down and that it had already found a buyer for its ransomware source code.

“There’s no sense in making excuses,” wrote the RAMP member “Ransom.” “Yes, we knew about the problem, and we were trying to solve it. We told the affiliate to wait. We could send you our private chat logs where we are shocked by everything that’s happening and are trying to solve the issue with the transactions by using a higher fee, but there’s no sense in doing that because we decided to fully close the project. We can officially state that we got screwed by the feds.”

BlackCat’s website now features a seizure notice from the FBI, but several researchers noted that this image seems to have been merely cut and pasted from the notice the FBI left in its December raid of BlackCat’s network. The FBI has not responded to requests for comment.

Fabian Wosar, head of ransomware research at the security firm Emsisoft, said it appears BlackCat leaders are trying to pull an “exit scam” on affiliates by withholding many ransomware payment commissions at once and shutting down the service.

“ALPHV/BlackCat did not get seized,” Wosar wrote on Twitter/X today. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of their new takedown notice.”

Dmitry Smilyanets, a researcher for the security firm Recorded Future, said BlackCat’s exit scam was especially dangerous because the affiliate still has all the stolen data, and could still demand additional payment or leak the information on his own.

“The affiliates still have this data, and they’re mad they didn’t receive this money, Smilyanets told Wired.com. “It’s a good lesson for everyone. You cannot trust criminals; their word is worth nothing.”

BlackCat’s apparent demise comes closely on the heels of the implosion of another major ransomware group — LockBit, a ransomware gang estimated to have extorted over $120 million in payments from more than 2,000 victims worldwide. On Feb. 20, LockBit’s website was seized by the FBI and the U.K.’s National Crime Agency (NCA) following a months-long infiltration of the group.

LockBit also tried to restore its reputation on the cybercrime forums by resurrecting itself at a new darknet website, and by threatening to release data from a number of major companies that were hacked by the group in the weeks and days prior to the FBI takedown.

But LockBit appears to have since lost any credibility the group may have once had. After a much-promoted attack on the government of Fulton County, Ga., for example, LockBit threatened to release Fulton County’s data unless paid a ransom by Feb. 29. But when Feb. 29 rolled around, LockBit simply deleted the entry for Fulton County from its site, along with those of several financial organizations that had previously been extorted by the group.

Fulton County held a press conference to say that it had not paid a ransom to LockBit, nor had anyone done so on their behalf, and that they were just as mystified as everyone else as to why LockBit never followed through on its threat to publish the county’s data. Experts told KrebsOnSecurity LockBit likely balked because it was bluffing, and that the FBI likely relieved them of that data in their raid.

Smilyanets’ comments are driven home in revelations first published last month by Recorded Future, which quoted an NCA official as saying LockBit never deleted the data after being paid a ransom, even though that is the only reason many of its victims paid.

“If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future,” LockBit’s extortion notes typically read.

Hopefully, more companies are starting to get the memo that paying cybercrooks to delete stolen data is a losing proposition all around.

Last week on Malwarebytes Labs:

• PikaBot malware on the rise: What organizations need to know
• Malicious meeting invite fix targets Mac users
• Pig butchering scams, how they work and how to avoid them
• Airbnb scam sends you to a fake Tripadvisor site, takes your money
• Facebook bug could have allowed attacker to take over accounts
• Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR
• ALPHV is singling out healthcare sector, say FBI and CISA
• One year later, Rhadamanthys is still dropped via malvertising
• Change Healthcare outages reportedly caused by ransomware
• Android banking trojans: How they steal passwords and drain bank accounts
• Identity theft is number one threat for consumers, says report
• How to make a fake ID online, with Joseph Cox: Lock and Code S05E05

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

On Wednesday February 21, 2024, Change Healthcare—a subsidiary of UnitedHealth Group—experienced serious system outages due to a cyberattack.

In a Form 8-K filing the company said it:

“identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”

Change Healthcare is one of the largest healthcare technology companies in the United States. Its subsidiary, Optum Solutions, operates the Change Healthcare platform. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.

The incident led to widespread billing outages, as well as disruptions at pharmacies across the United States.

According to Reuters, the group behind the attack is the ALPHV/BlackCat ransomware group. ALPHV is currently one of the most active groups, and generally associated with Russia. They are certainly no strangers to attacking healthcare providers. In our monthly ransomware reviews you will typically find them in the top five of ransomware groups. Even after a disruption in December 2023 they returned and maintained a high level of activity.

BleepingComputer confirmed Reuters assertion, saying it had received information from forensic experts involved in the incident response that linked the attack to the ALPHV ransomware gang.

It would certainly make more sense to us that the attacker was a ransomware group than a nation-state associated group, but both ALPHV and UnitedHealth have not commented on this. That’s no surprise since the investigation is probably still ongoing and solving the security issue is a higher priority.

What the ramifications of any stolen data are, remains to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics.

In a February 26 update the company says it took immediate action to disconnect Change Healthcare’s systems in order to prevent further impact. You can follow updates about the issue on the dedicated incident report site.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.