
Change Healthcare Cyberattack: Impacts and Threat Actor Theories

  • Attackers gained access to some Change Healthcare IT systems.
  • ALPHV/BlackCat ransomware crew suspected as threat actors.
  • Thousands of Optum customers could face major Rx processing delays.
  • No estimate of when systems may be back online.
  • ConnectWise said that it "cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare."

The massive cyberattack that hit Change Healthcare last week, cascading to hundreds of pharmacies worldwide and impacting patient care, has reportedly been pinned on the ALPHV/BlackCat ransomware crew.

According to Reuters, citing "two people familiar with the matter," the notorious ransomware-as-a-service syndicate was behind the operation. It is not known whether BlackCat affiliates carried out the attack, and there is no word yet on whether patient records were stolen.

Change Healthcare is part of insurer UnitedHealth Group’s Optum healthcare business. As of February 27, its systems had been down for seven consecutive days, and Change Healthcare had not offered an estimate of when they would be back online.

Change Healthcare merged with Optum in 2022 and provides prescription processing services through it. Optum in turn supplies technology services to more than 67,000 pharmacies and care to more than 100 million individuals.

Optum: More Than 100 Change Healthcare Services Impacted

On its incident page, Optum listed more than 100 Change Healthcare services that were affected by the breach. Also disrupted are critical functions such as benefits verification, claims submission and status updates, remittance information transmittal and prior authorization, according to the Healthcare Financial Management Association.

In an 8-K regulatory filing on February 21, UnitedHealth Group said it “suspected” a nation-state threat actor was behind the attack but offered no further details. BlackCat is a financially motivated ransomware-as-a-service operation and is not typically described as a nation-state actor.

Google's Mandiant unit has confirmed that it is engaged in handling the incident response investigation. Palo Alto Networks is also said to be involved.

The attackers had “gained access to some” of Change Healthcare’s IT systems, the company said in the filing. Upon discovering the intrusion, it immediately disconnected the affected systems from its networks.

“During the disruption, certain networks and transactional services may not be accessible,” UnitedHealth said. According to the filing, UnitedHealth “believes the network interruption is specific to Change Healthcare systems,” and all other systems across the company remain operational.

“Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident,” UnitedHealth said in its filing.

Ramifications for Pharmacy Customers

Pharmacies are warning that customer prescription orders could face delays. The American Hospital Association (AHA) sent out a cybersecurity advisory on February 22 alerting members to the attack’s impact on Optum’s services.

"Due to the sector-wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain healthcare technologies and clinical authorizations provided by Optum across the healthcare sector," the AHA said.

In a status update last posted on its website on February 27, Optum said it is “working on multiple approaches” to restore its systems and “will not take any shortcuts or take any additional risk as we bring our systems back online.”

ConnectWise Vulnerability Connection?

SC Magazine, a Cyber Risk Alliance media outlet and affiliate publication of MSSP Alert, reported that the cybersecurity incident at UnitedHealth's Change Healthcare that led to slowdowns at pharmacies was caused by a “strain of LockBit malware” that was used to exploit the vulnerabilities in ConnectWise ScreenConnect.

The LockBit cyber syndicate was recently dismantled by international law enforcement. However, MSSP Alert has reported that the take-down didn't stick and that the group has already reassembled.

Neither claim is established. A LockBit-derived payload does not by itself prove that the LockBit crew was involved: the group's encryptor builder has circulated outside the group since it leaked in 2022 and has been reused by unaffiliated actors. Nor has it been shown that the ScreenConnect vulnerability was the initial access vector in the Change Healthcare attack.

In a statement to MSSP Alert, ConnectWise said that it "cannot confirm any direct connection between the vulnerability with ScreenConnect and the incident reported by Change Healthcare. Our initial review indicates that Change Healthcare is not a direct customer of ConnectWise, and we have not received any reports from our managed service provider partners indicating that Change Healthcare is their customer either."

ConnectWise said it has made "multiple requests" for information from Change Healthcare but has not received any responses to its inquiries.

ConnectWise emphasized that it takes "these matters seriously and are committed to sharing relevant information regarding the ScreenConnect vulnerability. We are actively collaborating with the community and government entities such as CISA (the Cybersecurity and Infrastructure Security Agency) to effectively address this situation."

Government Notifications and Law Enforcement Involvement

Change Healthcare said it has notified law enforcement, customers, clients and certain government agencies. In a nod to the Securities and Exchange Commission’s (SEC) new cyber incident reporting rules, UnitedHealth said it had not yet determined whether the incident will materially affect its financial condition or results of operations.

The Change Healthcare attack is reminiscent of the 2021 Colonial Pipeline ransomware incident, which shut down fuel distribution along the U.S. East Coast. So far, there is no indication that Change Healthcare has been presented with a ransom demand, as Colonial was.

Joseph Brunsman, founder and managing member of Brunsman Advisory Group, a cyber insurance consultancy, said that the attack has “serious monetary ramifications.”

At this point, there is no “validity” to the statement that a nation-state attacker is behind the threat action, he said. "This seemingly mundane statement could have serious monetary ramifications for all those involved. Following the NotPetya debacle from 2017, various insurance markets updated their 'Cyber War' coverage exclusions to deny insurance coverage. I would be shocked if we do not see cyber insurers looking very closely at how they could deny coverage given how widespread and long lasting this event appears to be.”

Action Plan for Impacted Hospitals

The AHA is advising hospitals to take the following steps to avoid damage to their IT systems springing from the Change Healthcare attack:

  • Ensure that all high-criticality, known exploited vulnerabilities have been patched, especially any that are internet facing.
  • Review and test cyber incident response plans, and ensure they are well coordinated and integrated with emergency management plans. Test callout for activation of incident command structure and backup communications plans should email and VoIP communications fail.
  • Review business and clinical continuity downtime procedures to ensure mission-critical and life-critical functions could sustain a loss of information, operational and medical technology for up to 30 days.
  • Consider designating clinical downtime "coaches" and "safety officers" for each shift. These would be individuals who are experienced and adept at working with downtime, manual procedures, should there be a loss of access to the EMR, and other medical technology. They should be able to guide and lead other less experienced staff in the implementation of downtime procedures to ensure continuation of safe and quality care.
  • Increase threat-hunting and monitoring tools and techniques. Although no specific threat actor has been identified, the joint government agency advisory on "living off the land" techniques serves as a good general guide.
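The first AHA item above, patching known exploited vulnerabilities with internet-facing systems first, is the kind of check a hospital security team can automate against its asset inventory. The following is an added example written for this page, not code from the AHA, Optum or any vendor. It joins a host inventory against a catalog laid out like CISA's Known Exploited Vulnerabilities (KEV) JSON feed (the field names `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse` are the feed's), then ranks unpatched exposures so that internet-facing hosts tied to known ransomware use come first. Every CVE identifier, vendor, product, version and hostname in it is a constructed placeholder, and the `FIXED_IN` map stands in for fixed-version data that KEV itself does not carry.

```python
"""Triage a host inventory against a KEV-style catalog, internet-facing hosts first.

Added example; all identifiers below are constructed placeholders, not real
advisories or real systems. Field names follow CISA's KEV JSON feed layout.
"""
from datetime import date

# Constructed KEV-style entries (placeholder CVE IDs, vendors and products).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleRemote",
         "product": "RemoteAccess", "dateAdded": "2024-02-22",
         "dueDate": "2024-02-29", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVPN",
         "product": "EdgeGateway", "dateAdded": "2024-01-10",
         "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleDB",
         "product": "ClinicalDB", "dateAdded": "2024-02-01",
         "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed: first version that closes each placeholder CVE. KEV does not
# carry fixed versions; in practice this comes from the vendor advisory.
FIXED_IN = {"CVE-0000-0001": "23.9.8", "CVE-0000-0002": "9.1.2", "CVE-0000-0003": "5.4.0"}

# Constructed host inventory, as an asset database or agent export would hold it.
INVENTORY = [
    {"host": "ra-gw-01", "vendorProject": "ExampleRemote", "product": "RemoteAccess",
     "version": "23.9.7", "internet_facing": True},
    {"host": "vpn-edge-02", "vendorProject": "ExampleVPN", "product": "EdgeGateway",
     "version": "9.1.2", "internet_facing": True},
    {"host": "db-clin-07", "vendorProject": "ExampleDB", "product": "ClinicalDB",
     "version": "5.3.9", "internet_facing": False},
    {"host": "ra-gw-03", "vendorProject": "ExampleRemote", "product": "RemoteAccess",
     "version": "23.9.5", "internet_facing": False},
]


def parse_version(text):
    """'23.9.7' -> (23, 9, 7); a segment with no digits compares as 0."""
    parts = []
    for seg in text.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def index_kev(kev):
    """Map (vendorProject, product) -> list of KEV entries for that product."""
    by_product = {}
    for entry in kev["vulnerabilities"]:
        key = (entry["vendorProject"], entry["product"])
        by_product.setdefault(key, []).append(entry)
    return by_product


def priority(internet_facing, ransomware_known):
    """P1: exposed and used by ransomware; P2: exposed; P3: internal only."""
    if internet_facing and ransomware_known:
        return "P1"
    if internet_facing:
        return "P2"
    return "P3"


def triage(inventory, kev, fixed_in, today_iso):
    """Return unpatched KEV exposures, highest priority first, then earliest due date."""
    today = date.fromisoformat(today_iso)
    by_product = index_kev(kev)
    findings = []
    for host in inventory:
        for entry in by_product.get((host["vendorProject"], host["product"]), []):
            fixed = fixed_in.get(entry["cveID"])
            # Skip hosts already at or past the fixed version, or with no fix data.
            if fixed is None or parse_version(host["version"]) >= parse_version(fixed):
                continue
            findings.append({
                "host": host["host"],
                "cve": entry["cveID"],
                "priority": priority(host["internet_facing"],
                                     entry["knownRansomwareCampaignUse"] == "Known"),
                "due": entry["dueDate"],
                "overdue": today > date.fromisoformat(entry["dueDate"]),
            })
    findings.sort(key=lambda f: (f["priority"], f["due"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_SAMPLE, FIXED_IN, "2024-02-27"):
        flag = " OVERDUE" if f["overdue"] else ""
        print(f'{f["priority"]} {f["host"]:<12} {f["cve"]} due {f["due"]}{flag}')
```

Run against the constructed data as of February 27, the internet-facing remote access gateway still below its fixed version lands at P1, the fully patched VPN edge produces no finding, and the two internal hosts rank P3 with the clinical database flagged overdue. Swapping `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for a real export is the only change needed to use it for the check the AHA describes.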