How the ransomware attack at Change Healthcare went down: A timeline



A ransomware attack earlier this year on UnitedHealth-owned health tech company Change Healthcare likely stands as one of the largest data breaches of U.S. health and medical data in history.

Months after the February data breach, a “substantial proportion of people living in America” are receiving notice by mail that their personal and health information was stolen by cybercriminals during the cyberattack on Change Healthcare.

Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, it collects and stores vast amounts of highly sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change became one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Here’s what has happened since the ransomware attack began.

February 21, 2024

First report of outages as security incident emerges

It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly something had gone very wrong.

It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector that relies on a handful of companies — like Change Healthcare — to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company’s systems over a week earlier, on or around February 12.

February 29, 2024

UnitedHealth confirms it was hit by ransomware gang

After initially (and incorrectly) attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang “represented itself to us as ALPHV/BlackCat,” a company spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen millions of Americans’ sensitive health and patient information, giving the first indication of how many individuals this incident had affected.

ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates — contractors who work for the gang — break into victim networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a cut of the profits collected from the ransoms collected from victims to get their files back. 

Knowing that the breach was caused by a ransomware gang changed the equation of the attack from the kind of hacking that governments do — sometimes to send a message to another government instead of publishing millions of people’s private information — to a breach caused by financially motivated cybercriminals, who are likely to employ an entirely different playbook to get their payday. 

March 3-5, 2024

UnitedHealth pays a ransom of $22 million to hackers, who then disappear

In early March, the ALPHV ransomware gang vanished. The gang’s leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement took down the gang’s site. But both the FBI and U.K. authorities denied taking down the ransomware gang as they had attempted months earlier. All signs pointed to ALPHV running off with the ransom and pulling an “exit scam.”

In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is “still with us.” UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.

a screenshot showing a fake law enforcement seizure notice posted on BlackCat's dark web leak site.
A fake law enforcement seizure notice posted on BlackCat’s dark web leak site soon after receiving a ransom payment of $22 million.
Image Credits: TechCrunch (screenshot)

March 13, 2024

Widespread disruption across U.S. healthcare amid fears of data breach

Meanwhile, weeks into the cyberattack, outages were still ongoing with many unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TriCare said “all military pharmacies worldwide” were affected as well. 

The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, causing massive disruption that continued to ripple across the healthcare sector

By March 13, Change Healthcare had received a “safe” copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.  

March 28, 2024

U.S. government ups its bounty to $10 million for information leading to ALPHV capture

By late March, the U.S. government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates. 

By offering $10 million to anyone who can identify or locate the individuals behind the gang, the U.S. government seemed to hope that one of the gang’s insiders would turn on their former leaders. It also could be seen as the U.S. realizing the threat of having a significant number of Americans’ health information potentially published online. 

April 15, 2024

Contractor forms new ransom gang and publishes some stolen health data

And then there were two — ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat. 

Ransomware gangs don’t just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn’t paid. This is known as “double extortion.” In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim’s customers, known as “triple extortion.”

Now that UnitedHealth was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It’s why law enforcement have long advocated against paying a ransom that allows criminals to profit from cyberattacks.

April 22, 2024

UnitedHealth says ransomware hackers stole health data on a “substantial proportion of people in America”

For the first time, UnitedHealth confirmed on April 22 — more than two months after the ransomware attack began — that there was a data breach and that it likely affects a “substantial proportion of people in America,” without saying how many millions of people that entails. UnitedHealth also confirmed it paid a ransom for the data but would not say how many ransoms it ultimately paid.

The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging and care and treatment plans, and other personal information.

Given that Change Healthcare handles data on about one-third of everyone living in the United States, the data breach is likely to affect more than 100 million people at least. When reached by TechCrunch, a UnitedHealth spokesperson did not dispute the likely affected number but said that the company’s data review was ongoing. 

May 1, 2024

UnitedHealth Group chief executive testifies that Change wasn’t using basic cybersecurity

Perhaps unsurprisingly when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers. 

That’s what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s systems using a single set password on a user account not protected with multi-factor authentication, a basic security feature that can prevent password reuse attacks by requiring a second code sent to that account holder’s phone. 

One of the biggest data breaches in U.S. history was entirely preventable, was the key message. Witty said that the data breach was likely to affect about one-third of people living in America — in line with the company’s previous estimates that the breach affects around as many people that Change Healthcare processes healthcare claims for.

1: UnitedHealth CEO Andrew Witty testifies before the Senate Finance committee on Capitol Hill on May 1, 2024 in Washington, DC.
UnitedHealth CEO Andrew Witty testifies before the Senate Finance committee on Capitol Hill on May 1, 2024, in Washington, D.C.
Image Credits: Kent Nishimura / Getty Images

June 20, 2024

UHG starts notifying affected hospitals and medical providers what data was stolen

It took Change Healthcare until June 20 to begin formally notifying affected individuals that their information was stolen, as legally required under a law commonly known as HIPAA, likely delayed in part by the sheer size of the stolen dataset. 

The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the “safe” copy of the stolen data. But Change said it “cannot confirm exactly” what data was stolen about each individual and that the information may vary from person to person. Change says it was posting the notice on its website, as it “may not have sufficient addresses for all affected individuals.”

The incident was so big and complex that the U.S. Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort seen at lessening the burden on smaller providers whose finances were hit amid the ongoing outage. 

July 29, 2024

Change Healthcare begins notifying known affected individuals by letter

The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July. 

The letters going out to affected individuals will most likely come from Change Healthcare, if not the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data was stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.




Source