
UnitedHealth Admits Patient Data Was 'Taken' in Mega Attack

US Government Offers $10M Bounty to Track Down Leadership of BlackCat Crime Group

UnitedHealth Group has publicly acknowledged that data was "taken" in the cyberattack on its Change Healthcare unit and said it has started analyzing the types of sensitive personal, financial and health information potentially compromised.


Meanwhile, the U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of leadership of ransomware-as-a-service group BlackCat/Alphv, which claimed to be behind the attack.

The State Department announced the bounty offer Feb. 15, about a week prior to the Change Healthcare attack, which UnitedHealth Group said occurred on Feb. 21.

In its latest attack update on Wednesday, UnitedHealth Group said it is "prioritizing" the review of affected data the company believes would likely have contained health information, personally identifiable information, claims and eligibility or financial information.

"To be clear, we are still determining the content of the data that was taken by the threat actor, including any protected health information or personally identifiable information," the company said.

So far, UnitedHealth Group has not seen evidence of any of the stolen data being published on the dark web. "We are committed to providing appropriate support to people whose data is found to have been compromised," it said.

The process of reviewing information affected by the attack "is taking time because Change Healthcare's own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems," UnitedHealth Group said.

"We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data."

BlackCat - aka Alphv - last month claimed to have exfiltrated 6 terabytes of "highly selective data" relating to "all" Change Healthcare clients, including Tricare, Medicare, CVS Caremark, MetLife, Loomis, Davis Vision, Health Net, Teachers Health Trusts "and tens of insurance and other companies" (see: BlackCat Pounces on Health Sector After Federal Takedown).

The type and amount of PHI and PII potentially compromised in the Change Healthcare attack could range widely, said attorney Sara Goldstein of the law firm BakerHostetler.

Change Healthcare boasts on its website that it processes 15 billion transactions annually and touches 1 in 3 patients.

So, if BlackCat's claims of exfiltrating 6 terabytes of data are accurate, "the scope of data that was accessed or exfiltrated - in the grand scheme of things - could potentially be a small amount, because, as Change says, they process 15 billion transactions a year," Goldstein said.

"There's the potential it could be small, or it could be a tremendous amount of data. There's also the potential that Change will not be able to definitively identify what was accessed or exfiltrated."

BlackCat Wanted

UHG reported that Change Healthcare's payment systems were directly targeted by the attack, which indicates something about the motives of the affiliate that used the BlackCat infrastructure in the attack, said Mike Hamilton, founder and CISO of security firm Critical Insight.

"A criminal gang would be more focused on a monetizable outcome, and not disruption of the entire healthcare system," he said. "Having seen multiple reports about Chinese and Russian goals of destabilization, this appears to be more than a ransomware event with records theft and suggests strategic targeting to achieve that outcome."

BlackCat claimed credit for the Change Healthcare attack.

One of the affiliates of BlackCat who claimed to be behind the attack reported that UnitedHealth Group paid a $22 million ransom for a decryptor key and to prevent leakage of data stolen in the incident. But the affiliate alleges that BlackCat kept all of the ransom payment, rather than sharing the affiliate's cut.

Soon after those claims, BlackCat's Tor-based data leak site resolved to a page that reads: "The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat ransomware."

While a joint law enforcement operation did seize BlackCat's infrastructure last December, temporarily disrupting the group, the recent notice appears to be recycled and perhaps part of an exit scam, some experts have said (see: BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam).

The State Department is also offering a bounty of up to $5 million for information leading to the arrest or conviction of anyone participating in, conspiring or attempting to participate in an attack using the BlackCat/AlphV ransomware variant.

To date, more than 1,000 entities globally have been compromised by BlackCat threat actors, the State Department said.

"Rewards are a very useful tool," said Brett Callow, threat analyst at security firm Emsisoft. "They not only help law enforcement gather information, they also make life very uncomfortable for the subjects - and that means they may have a broader deterrence effect," he said.

"While the subjects may, in some cases, be sheltering in countries from which they cannot be extradited, they’ll know that there are people who would happily bash them on the head and drive them across the border for $10 million."

The U.S. government has offered $10 million in reward money for other ransomware groups, including the LockBit and Hive gangs, Hamilton said.

"That seems to be the going rate, however it's not clear that a reward has ever been paid out or that we would know if one was," he said.

Restoration Update

UnitedHealth Group said Wednesday that it's making "substantial progress" in restoring various "core" Change Healthcare systems affected by the attack. The attack, and the subsequent outage while the company responded to it, affected more than 100 Change Healthcare IT products and services.

"Our focus has been on ensuring access to care and medications by addressing challenges to pharmacy, medical claims and payment systems targeted by the attack," the company said.

UnitedHealth Group also provided an updated, three-week timeline for restoration of other key products, including eligibility processing, clinical data exchange and retrospective episode-based payment models. The restoration timeline for other products is still being worked out, the company said.

The U.S. Department of Health and Human Services on Wednesday released new guidance for entities affected by the Change Healthcare disruption.

The document - among other things - provides resources such as contact information and links to payers and information pertaining to alternate data clearinghouse services to help affected entities handle various processes while Change Healthcare recovers.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
