CEO Andrew Witty testified before Congress on Wednesday, disclosing a significant cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group. UnitedHealth Group CEO revealed that hackers breached the company's computer system, releasing ransomware after stealing someone's password.

The cybercriminals exploited a portal lacking multifactor authentication (MFA), a basic cybersecurity safeguard.

During an hour-long congressional hearing, Witty informed lawmakers that the company has not yet determined how many patients and healthcare professionals were impacted by the cyberattack on Change Healthcare in February. The hearing, which focused on how hackers gained access to Change Healthcare, a separate division of UnitedHealth, raised questions about the lack of basic cybersecurity measures before the cyberattack. "Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition," Witty explained. But for some reason, which we continue to investigate, this particular server did not have MFA on it.

Multifactor Authentication and Cybersecurity

Multifactor authentication adds a second layer of security to password-protected accounts by requiring users to enter an auto-generated code sent to their phone or email. Despite being a common feature on apps, this safeguard was not in place on the compromised server. Witty assured that all logins for Change Healthcare now have multifactor authentication enabled. The cyberattack on Change Healthcare was attributed to the Russia-based ransomware gang ALPHV or BlackCat. The group claimed responsibility for the cyberattack, alleging it stole more than six terabytes of data, including "sensitive" medical records. The attack caused a disruption of payment and claims processing across the country, stressing doctor's offices and healthcare systems by interfering with their ability to file claims and get paid. UnitedHealth paid a $22 million ransom in Bitcoin to BlackCat, a decision made by Witty himself. However, despite the ransom payment, some sensitive records from patients were still posted by hackers on the dark web. The ransom payment was one of the hardest decisions I've ever had to make and I wouldn't wish it on anyone," Witty stated.

Scope of the Cyberattack on Change Healthcare and Financial Impact

Change Healthcare processes 15 billion transactions a year, according to the American Hospital Association, meaning that even patients who weren't customers of UnitedHealth were potentially affected. The company revealed earlier this month that personal information covering a "substantial portion of people in America" may have been taken in the attack. The breach has cost UnitedHealth Group nearly $900 million, excluding the ransom paid, according to company officials in the first-quarter earnings report last week.

Rising Threat of Ransomware Attacks

Ransomware attacks have become increasingly common within the healthcare industry. According to a 2022 study published in JAMA Health Forum, the annual number of ransomware attacks against hospitals and other healthcare providers doubled from 2016 to 2021. This escalation in cyber threats highlights the urgent need for enhanced cybersecurity measures across the industry.

The breach at Change Healthcare echoes a similar incident in March 2024, where Refuah Health Center faced a cyberattack due to the lack of MFA. The New York Attorney General's office intervened, resulting in a $1.2 million investment by Refuah in enhancing cybersecurity measures. The health center also agreed to pay $450,000 in penalties and costs, resolving allegations of inadequate cybersecurity controls.

Prioritizing Cybersecurity in Healthcare Both incidents highlight the critical importance of implementing strong cybersecurity measures, especially in the healthcare sector. With patient data at stake, organizations must invest in multifactor authentication and other advanced security protocols to safeguard sensitive information. As cyber threats continue to evolve, proactive measures are essential to protect the privacy and security of patient data. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In response to this growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Ransomware Vulnerability Warning Pilot (RVWP). This initiative focuses on proactive risk reduction through direct communication with the federal government, state, local, tribal, territorial (SLTT) government, and critical infrastructure entities. The goal is to prevent threat actors from accessing and deploying ransomware on their networks.

Ransomware, a persistent threat to critical services, businesses, and communities worldwide, continues to evolve, causing costly and disruptive incidents. Recent industry reports estimate that businesses spend an average of $1.85 million to recover from a ransomware attack.

Moreover, a staggering 80% of victims who paid a ransom were targeted again by these criminals. The economic, technical, and reputational impacts of ransomware incidents pose significant challenges for organizations large and small.

CISA's Ransomware Vulnerability Warning Pilot 

Aligned with the Joint Ransomware Task Force, RVWP provides timely notifications to critical infrastructure organizations, allowing them to mitigate vulnerabilities and protect their networks and systems. By leveraging existing services, data sources, technologies, and authorities, CISA aims to reduce the attack surface and impact of ransomware attacks. A key component of Pilot is the Cyber Hygiene Vulnerability Scanning service, which monitors internet-connected devices for known vulnerabilities. This service, available to any organization, has proven highly effective in reducing risk and exposure. Organizations typically see a 40% reduction in risk within the first 12 months, with most experiencing improvements within the first 90 days. By identifying exposed assets and vulnerabilities, Cyber Hygiene Vulnerability Scanning helps organizations manage risks that would otherwise go unnoticed. Specifically for Pliot, this service notifies organizations of vulnerabilities commonly associated with ransomware exploitation.

The Success of RVWP in 2023

In Calendar Year (CY) 2023, RVWP completed 1,754 notifications to entities operating vulnerable internet-connected devices. Following these notifications, CISA conducted regular vulnerability scans to assess mitigation efforts. Of the 1,754 notifications, 49% of vulnerable devices were either patched, implemented compensating controls, or taken offline after CISA's intervention. CISA's regional teams collaborate closely with notified entities to ensure timely mitigation efforts, enhancing the overall effectiveness of the Ransomware Vulnerability Warning Pilot. RVWP enables organizations across critical infrastructure sectors to strengthen their networks against known ransomware vulnerabilities. By reducing the effectiveness of ransomware tools and procedures, Pliot increases operational costs for ransomware gangs and contributes to deterrence by denial.

Taking Action to #StopRansomware

CISA urges organizations to take proactive measures to protect against ransomware. These measures can include:

1. Enroll in CISA Cyber Hygiene Vulnerability Scanning: This no-cost service helps organizations raise their cybersecurity posture and reduce business risk by identifying and mitigating vulnerabilities.
2. Review the #StopRansomware Guide: Utilize the valuable checklist on how to respond to a ransomware incident and protect your organization.
3. Report Ransomware Activity: Always report observed ransomware activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), to CISA and federal law enforcement partners.

By partnering with CISA and implementing these measures, organizations can effectively combat ransomware and safeguard their digital assets and future. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.