Article Details
Scrape Timestamp (UTC): 2024-03-13 20:17:43.245
Original Article Text
US govt probes if ransomware gang stole Change Healthcare data

The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February.

This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.

UnitedHealth Group confirmed in late February that Change Healthcare systems and services were shut down after a cyberattack by "nation-state" hackers, which was later linked to the BlackCat (ALPHV) ransomware gang.

Change Healthcare is the largest payment exchange platform used by doctors, healthcare providers, and patients in the U.S. healthcare system and by more than 70,000 pharmacies, while UHG has contracts with over 1.6 million health professionals and 8,000 healthcare facilities across all 50 U.S. states.

Even though UHG has brought some of the impacted systems back online after the crippling February ransomware attack, the resulting outage is still impacting operations across the U.S. healthcare industry, with the company estimating that it will be able to revive its payments platform on March 15 and medical claims network and software on March 18.

"Given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers, OCR is initiating an investigation into this incident," said OCR head Melanie Fontes Rainer.

"OCR's investigation of Change Healthcare and UHG will focus on whether a breach of protected health information occurred and Change Healthcare's and UHG's compliance with the HIPAA Rules."

Claims of 6TB data theft

The investigation follows the BlackCat ransomware gang's claims that they stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."

They said they stole source code for Change Healthcare solutions and sensitive information from many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and many other healthcare insurance providers.

Sensitive data stolen from Change Healthcare's compromised systems allegedly includes information on millions of people, such as PII data, medical records, insurance records, dental records, payment information, claims information, and PII data of active U.S. military/navy personnel.

Earlier this month, BlackCat ransomware shut down in an exit scam amidst claims that they stole the $22 million ransom paid by Optum to the operator behind the Change Healthcare attack.

This wouldn't be unusual since BlackCat is believed to be a rebrand of the DarkSide and BlackMatter ransomware operations, with the former also shutting down after their attack on Colonial Pipeline in May 2021.

The FBI says this ransomware gang raked in at least $300 million in ransoms from over 1,000 victims until September 2023, while the U.S. State Department now offers up to $15 million for tips that could help locate BlackCat gang leaders and anyone linked to the group's attacks.

"Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware," HHS added today.

"In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022."

Daily Brief Summary
The U.S. Department of Health and Human Services (HHS) is investigating a ransomware attack on UnitedHealthcare Group’s subsidiary Optum, which operates Change Healthcare.
The attack, attributed to the BlackCat ransomware gang, may have resulted in the theft of protected health information.
Change Healthcare, a widely used payment platform in the U.S. healthcare system, was hit by the attack, causing significant service disruptions.
HHS' Office for Civil Rights (OCR) is focusing on whether Health Insurance Portability and Accountability Act (HIPAA) rules were violated during the breach.
The BlackCat gang claims to have stolen 6TB of data, including sensitive information from critical healthcare providers and U.S. military healthcare systems.
There was an increase of 141% in individuals affected by large breaches in 2023 compared to 2022, with hacking accounting for 79% of the reported breaches.