Understanding the Change Healthcare Cyberattack

Lessons Learned from the Change Healthcare Breach

A recent cyberattack has put “a substantial proportion of people in America’s” healthcare records at risk of exposure. Change Healthcare, which is part of UnitedHealth Group, was hit by a ransomware attack on February 21. This forced hospitals and pharmacies all over the United States to revert to paper records for days and weeks, as they were unable to verify medical claims. This incident is not an isolated event. It is a wake-up call on the importance of fostering a strong cybersecurity culture in every company. The stakes for cybersecurity failure have never been greater. Cyber attacks are increasing, and the impact of those attacks is getting worse. If you operate a business, you must heed the advice in this article.

How did this happen?

According to Wall Street Journal reports, ALPHV hackers used stolen credentials to access Change Healthcare’s network for over a week before detonating their ransomware. During that time, the hackers stole a significant amount of data from the company’s systems while evading detection. It’s unclear how RansomHub, a separate Russian hacking group that later made its own extortion attempts, got hold of the data it published on dark web forums while seeking a second ransom payment.

Understanding the Impact

Security researchers estimate that a $22 million ransom was paid to BlackCat/ALPHV in this attack. This is despite the news that another hacking group, RansomHub, had leaked a significant portion of the patient data allegedly stolen in the attack. The stolen data included protected health information (PHI) and personally identifiable information (PII) on patients across the United States. Another ransom payment to RansomHub is likely, though we might not hear more about that for some time, if ever.

In addition to the financial costs of this attack, Change Healthcare was unable to clear medical coverage inquiries for its subscriber pharmacies and hospitals. This led to incredible frustration and anxiety as many medical providers continued to deliver services without authorizations. Claims for services are backlogged, leading to billing losses in the short term.

The attackers are thought to have exfiltrated (stolen) more than 6 TB of patient data and posted extracts on dark web forums. The leaked screenshots contained PHI and PII, raising concerns about potential misuse of the stolen information in identity theft, blackmail, and other financial crimes.

Response and Accountability

UnitedHealth Group, in a public statement, expressed its commitment to addressing the fallout from the attack and providing support to affected individuals and entities. However, it said it could take several months before the full extent of the breached data was determined. This illustrates the difficulty forensic investigations face in understanding the extent of a breach, identifying the data exfiltrated, and proving what was stolen in these ransomware events.

Mitigation Strategies

Basic Mitigation Strategies for Everyone

In the initial breach, stolen credentials were allegedly used to access either VPN infrastructure or some other remote access solution. As such, the following best practices would likely have been useful in mitigating this attack:

  1. Enable multi-factor authentication on all remote access, and do not allow email- or SMS-based MFA. This CyberHoot article explains the top 5 risks to MFA solutions and their related strengths.
  2. Adopt a password manager for all employees. This helps prevent credentials breached from one website from being reused to attack other online services such as VPNs. It is especially effective when combined with an MFA solution.
  3. By Deloitte’s estimates, as much as 91% of breaches are tied to phishing attacks. Whether it is 8 out of 10 or 91% is irrelevant. What is relevant is that you train and test your employees with awareness training and phishing simulations. The ability to spot and avoid phishing emails is a basic cyber literacy skill everyone needs online today. CyberHoot’s patent-pending phishing simulations do exactly this, in a positive, educational way.
  4. Perform vulnerability scanning of your infrastructure, both from the outside in and from the inside against your internal networks. Doing so might have identified weaknesses in the remote access solutions employed at Change Healthcare; for example, if multi-factor authentication was absent on remote access, scanning would likely have discovered that (we have not confirmed this in our research).

Advanced Mitigation Strategies for Healthcare Providers

Using methods like data masking and dynamic access controls can keep unauthorized people out and make it harder for data to be stolen by hackers in breaches like this.

  1. Data masking is a technique used in cybersecurity to protect sensitive information by replacing real data with fictional, masked, or scrambled data. The purpose of data masking is to ensure that sensitive data remains hidden and protected from unauthorized access, while still allowing applications to function normally using the masked data.
  2. Dynamic access controls are security measures that adaptively limit access to data or resources based on the context of the interaction. They consider factors such as user identity, device characteristics, location, time of access, and other contextual information to determine access rights in real-time.

In the breach at Change Healthcare, properly implemented data masking and dynamic access controls would have provided some protection from the massive data theft that occurred.
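The two controls above, shown together in Python as an added illustration (this is not code from the article, CyberHoot, or Change Healthcare): a record lookup that masks direct identifiers while keeping field formats intact, and a context-aware policy that decides per request whether the caller gets the full record, a masked copy, or nothing. The sample record, roles, hours and policy thresholds are all constructed assumptions.

```python
# Added illustration (not Change Healthcare's code): masking + dynamic access.
from dataclasses import dataclass

# Constructed sample PHI record; every value is fictional.
RECORD = {
    "patient_id": "P-00017",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "dob": "1984-07-19",
    "claim_amount": 412.50,
}

@dataclass
class AccessContext:
    user: str
    role: str             # assumed roles: "clinician" or "billing"
    device_managed: bool  # corporate-managed endpoint?
    on_corp_network: bool
    hour: int             # request time, local hour 0-23

def mask_record(rec: dict) -> dict:
    """Copy the record with direct identifiers masked but formats kept,
    so claim-processing code still runs unchanged on the masked copy."""
    out = dict(rec)
    out["name"] = "REDACTED"
    out["ssn"] = "XXX-XX-" + rec["ssn"][-4:]  # keep only the last four digits
    out["dob"] = rec["dob"][:4] + "-XX-XX"    # birth year is enough for billing
    return out

def decide(ctx: AccessContext) -> str:
    """Return 'full', 'masked' or 'deny' from the whole request context,
    not from role alone. The thresholds are assumptions, not a standard."""
    if not ctx.device_managed:
        return "deny"           # unmanaged device: no PHI at all
    after_hours = ctx.hour < 7 or ctx.hour >= 19
    if not ctx.on_corp_network or after_hours:
        return "masked"         # remote or after-hours: masked copy only
    if ctx.role == "clinician":
        return "full"
    return "masked"             # billing staff never need raw identifiers

def fetch_record(ctx: AccessContext, rec: dict = RECORD):
    """Apply the decision; None means the request was refused."""
    level = decide(ctx)
    if level == "deny":
        return None
    return rec if level == "full" else mask_record(rec)
```

Because the masked copy keeps the same keys and value shapes, billing and reporting code keeps working while a stolen session from an unmanaged or off-network device yields no raw identifiers.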

Future Mitigating Controls:

In the future, artificial intelligence will be used to monitor network and host activities. It will find the proverbial needle in the haystack when one user, even one with elevated privileges, requests or performs a large data export off the network. Monitoring today could detect such activities if properly implemented with a Security Operations Center, but such solutions are very expensive and difficult to operate. AI should bring the cost of such services down dramatically over the next 12 to 24 months.
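The detection described above, as an added example in Python (not code from the article or any SOC product): it sums exported bytes per account over the window an audit log covers and flags any account whose total dwarfs the per-user median, so a single privileged or service account pulling far more than its peers stands out. The log format, account names and the 10x threshold are constructed assumptions.

```python
# Added illustration (not the article's or any vendor's code): flag one account
# whose export volume dwarfs its peers. Log format and thresholds are assumed.
import statistics
from collections import defaultdict

# Constructed audit log: "<timestamp> <user> <action> <bytes>", one event per line.
AUDIT_LOG = """\
2024-02-20T09:12:01Z alice export 52428800
2024-02-20T09:40:13Z bob export 31457280
2024-02-20T10:05:44Z carol export 41943040
2024-02-20T11:30:02Z alice export 62914560
2024-02-20T12:00:00Z alice login 0
2024-02-20T13:15:09Z svc_backup export 734003200
2024-02-20T13:16:40Z svc_backup export 1073741824
2024-02-20T13:18:03Z svc_backup export 2147483648
2024-02-20T14:02:55Z bob export 20971520
"""

def export_bytes_per_user(log: str) -> dict:
    """Sum exported bytes per account, ignoring non-export events."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _ts, user, action, nbytes = line.split()
        if action == "export":
            totals[user] += int(nbytes)
    return dict(totals)

def flag_bulk_exporters(log: str, factor: int = 10) -> list:
    """Return accounts whose total exceeds `factor` x the median per-user
    total. Median rather than mean, so one huge account cannot raise the
    baseline enough to hide itself. Privileged and service accounts are
    not exempted: that is exactly the case the article describes."""
    totals = export_bytes_per_user(log)
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    return sorted(u for u, n in totals.items() if n > factor * baseline)
```

In practice the baseline would be computed from several prior days of exports rather than the same window, so a slow, steady exfiltration does not become its own normal.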

Looking Ahead

The fallout from the Change Healthcare cyberattack serves as a stark reminder of the evolving threat landscape and the need for proactive cybersecurity measures. By embracing basic and advanced security technologies outlined above, organizations can better safeguard sensitive information and mitigate the impact of potential breaches.

The cyberattack on Change Healthcare shows how important it is for companies to examine their cybersecurity programs in the face of ongoing cyber attacks. As technology keeps changing, organizations must take action to protect the sensitive information entrusted to them. For all companies, training, testing, and some technical measures can boost protection against compromise. For hospitals, data masking and dynamic access controls can help a lot in keeping data safe. In today’s world where everything is connected online, staying alert and ready to fight against cyber threats is more important than ever.
