A Landmark Ransom Attack On Healthcare

In February this year, Change Healthcare suffered a ransomware attack so large and complex that it was feared - according to estimates from Andrew Witty, CEO of parent company UnitedHealth Group (UHG) - to involve the data of up to 1 in 3 Americans.

Now six months later, and the full scale of the breach is still undetermined, with fallout continuing.

Change Healthcare has only recently (July 29) begun mailing written notices to individuals affected by the incident - which could take considerable time considering the 100s of millions potentially involved - while the financial implications are unfolding in the billions. UHG’s second quarter earnings report, released last month, reveals the total impact of the cyberattack will cost the company between $2.3 billion and $2.45 billion in 2024 (more than $1 billion higher than previously projected).

Suffice to say, it’s easy to see why this particular incident is being labelled the worst cyberattack to ever hit the US healthcare industry.

While it may be one of the worst, it’s certainly not a one-off. There’s no question that due to the growth of remote care, connected medical devices and complex IT environments, healthcare is facing an expanding attack surface, with these new technologies and processes creating more opportunities for cyberattacks. However, this situation is not exclusive to healthcare. Manufacturing, professional services, finance and technology all consistently remain among the top targeted industries for the same reasons.

So what can all types of businesses and organisations learn from this case going forward?

All organisations must strengthen their cybersecurity defences:  It may sound simple and somewhat obvious, but weak cybersecurity defences are often overlooked. With the Change Healthcare case, cybercriminals took advantage of a server that wasn’t protected by multi-factor authentication (MFA). MFA is not only a common and low-cost security measure, but is relatively easy to deploy. While MFA significantly enhances security and reduces the risk of unauthorised access in case passwords are compromised, it should also be part of a broader, multi-layered security strategy that includes encryption, robust firewalls, regular software updates, network monitoring and regular security audits to proactively identify and mitigate potential threats.

Be aware of vulnerabilities in widely-used enterprise software: The threat landscape is evolving, with threat actors increasingly targeting vulnerabilities in third-party software, such as managed file transfer (MFT) services. The recent attacks by the CL0P ransomware group on Fortra's GoAnywhere and Progress Software's MOVEit were a stark reminder of the potential impact of such exploits and led to the Cybersecurity Advisory (CSA)’s #StopRansomware efforts, which involved publishing advisories for network defenders that detail various ransomware variants and ransomware threat actors, as well as solid cyber hygiene advice.

Their advice includes the fact that businesses should be regularly updating and patching systems to address known vulnerabilities, especially in third-party software, as cyberattacks often exploit these weaknesses.

Implementing robust vendor risk management is also essential to ensure software providers prioritise security and provide timely updates, while proactive threat detection tools and strategies can help identify breaches early, reducing potential damage. 

Educate your workforce on the importance of security measures: Does everyone in your organisation know what MFA is and where it should be in place? Do they know how to recognise sophisticated phishing and social engineering attempts? Even for those who are more tech-savvy, recent advancements in GenAI have improved the format and grammar of phishing messages, making them extremely difficult to spot. More up-to-date education is needed alongside clear instructions on what internal security measures should be taken, such as double-checking the sender's email address or using MFA to prevent unauthorised access if your credentials are compromised. It’s also important to educate employees about the risks of third-party software vulnerabilities, as mentioned above, and ensure they follow best practices here too, to avoid security lapses.

Stay adaptable and prepared: Ransomware is a persistent and evolving threat, with a 30% global increase in the number of groups that focus on targeted ransomware and a 71% rise in attacks in 2023 compared to 2022. As authorities collaborate to disrupt more extensive operations, the ransomware ecosystem is fragmenting into smaller, more elusive groups. Threat actors are now adopting multi-extortion tactics, such as data theft and harassment, to pressure victims into paying - as we saw with Change Healthcare. Attackers are also moving at an alarming pace, often exfiltrating data within hours or days of the initial compromise. In a staggering 45% of cases in 2023, data was exfiltrated less than a day after the compromise, leaving incident response teams with little time to contain the threat. As such, organisations need to stay adaptable and be prepared with swift and efficient response measures, so that they’re ready to respond to new tactics as they emerge. Having reliable backup and recovery plans in place - that are frequently updated - is one of the best ways to minimise the impact of ransomware attacks. A good cyber incident response plan (IRP) should detail communication strategies, legal considerations, and recovery procedures. It should define the goals, scope, and types of incidents the IRP covers, and assign specific roles and responsibilities within the incident response team.

Never stand still: The cyber landscape is evolving, not emerging, and so businesses’ approach to preparing, protecting and recovering from a cyberattack must also evolve at the same pace. So as well as continuously updating and auditing cybersecurity measures - not only to ensure nothing is missed, but to adapt to new threats and ensure compliance with the latest security standards - businesses should also be documenting incidents. What lessons can you take from past incidents affecting your business and others, what policies need updating, is training, including simulations for the incident response team, regular enough, is the contact information for your incident response team up-to-date?

Seek expert guidance/support where needed: In statements following the Change Healthcare attack, UnitedHealth said they started working closely with law enforcement and third parties like Palo Alto Networks and Google's Mandiant to assess the damage. Industry associations, crime prevention agencies and cyber insurance providers can all provide businesses with access to expert guidance.

Take cyber insurance providers, for example - as well as financial security, they have cybersecurity analysts and consultants trained in handling cyberattacks and the claims process on hand. These experts can also help victims navigate incident response and recovery.

Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence, and can assist with cybersecurity training. 

Claud Bilbao is RVP, Underwriting & Distribution UK with Cowbell

Image: Unsplash

You Might Also Read:

Cyber Insurance: What Businesses Need To Know:


If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« 2024 US Presidential Election Cyber Intrusion: Part 3 - Hostile Nation State Actors
CISOs Guide To Compliance & Cyber Hygiene  »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

Sucuri

Sucuri

Sucuri have offered holistic website security solutions since 2008 including malware removal, malware monitoring and website protection services.

Australian Cyber Security Growth Network (AustCyber)

Australian Cyber Security Growth Network (AustCyber)

AustCyber brings together businesses and researchers to develop the next generation of cyber security products and services.

ETAS

ETAS

ETAS (formerly Escrypt) is a pioneer and one of today’s leading solution providers for embedded IT security.

Approachable Certification

Approachable Certification

Approachable Certification is a UKAS accredited certification body offering down-to-earth and competitively priced audits against ISO Management Systems standards.

APT Search

APT Search

APT Search is a recruitment company specialising within the Legal Technology, Cybersecurity and Privacy sectors.

CYRail

CYRail

CYRail project will analyse threats targeting Railway infrastructures and develop innovative attack detection and alerting techniques.

Forgepoint Capital

Forgepoint Capital

ForgePoint Capital is a premier venture investor for early stage cybersecurity companies.

MCPc

MCPc

MCPc improves the security and well-being of our clients. We protect data, manage the complexity and sustainability of technology, empower employee performance, and ultimately reduce business risk.

Real Protect

Real Protect

Real Protect is a Brazilian provider of managed security (MSS) and cyber defense services.

Tromzo

Tromzo

Tromzo's mission is to eliminate the friction between developers and security so you can scale your application security program.

ClearVector

ClearVector

ClearVector is a leading provider of realtime, identity-driven security for the cloud.

LogicBoost Labs

LogicBoost Labs

LogicBoost Labs has the expertise, experience, funding and connections to make your startup succeed. We are always interested in new ways to change the world for the better.

Axiata Digital Labs

Axiata Digital Labs

Axiata Digital Labs is the technology hub of Axiata Group Berhad Malaysia which is one of the leading groups in telecommunication in Asia.

Readynez

Readynez

Readynez is the digital skills concierge service that helps you ensure your workforce has the tech skills and resources needed to stay ahead of the digital curve.

V2X

V2X

V2X delivers IT support, networking, and cybersecurity solutions that ensure optimal mission support and performance.

TRM Labs

TRM Labs

TRM enables risk management and compliance for a global community of financial institutions, cryptocurrency businesses and government agencies.