UnitedHealth Hack canva

Do you find it annoying when you need your phone to login to your bank account? Me too.

This year United HealthCare’s data subsidiary, Change, was the victim of the largest infrastructural cyberattack to date. The access point of the attack? Two-step verification had been turned off.

Ransomware cyber-attacks on hospitals and healthcare have escalated over the last couple of years. In this case, the attack was carried out by a loose affiliation of hackers, BlackCat, who use malware written in a language called Rust to infiltrate systems. Rust is a programming language invented in 2006 as a personal project by an employee at Mozilla, and is commonly used by most of the Big Tech majors. BlackCat is also connected to the Las Vegas casino shut-downs and loosely connected to the 2021 Colonial Pipeline hack that created a short fuel shortage in East Coast cities.

The difference between financial attacks and medical ones is the sensitivity of the information gathered and the targeting of infrastructure that affects average civilians. Remote tampering with American hospitals has caused fatalities through malfunctioning equipment, loss of access to patient files, and inability to access medication. The high stakes usually make hospitals an easy target that will pay out. In Vegas, Caesars paid the ransom; MGM did not pay and took the brunt of the lost revenue, but lives weren’t at stake.

Change holds approximately one-third of Americans’ medical histories and it “serves as a digital highway between health insurers and hospitals and doctors. Patients could not fill prescriptions, and hospitals and doctors faced a severe cash crunch because they could not be paid for their care.” (NYT)

Consumers won’t know whether their insurance coverage has been manipulated until they try to use it for medical care. Eventually, UnitedHealth paid a $22 billion ransom to stop the attack, but it was still too late to minimize the damage done.

When UnitedHealth acquired Change, the Justice Department tried to block the merger; Elizabeth Warren called it “a monopoly on steroids”. UnitedHealth is the 11th largest company in the world, although it is quick to point out that it doesn’t own any hospitals or pharmaceutical manufacturers. Instead, it is embedded in every facet of American healthcare. In the 18 months since UnitedHealth acquired Change, Change’s operating systems hadn’t been converted to UnitedHealth’s. This simultaneously made Change more vulnerable to attack but may have prevented BlackCat from reaching other UnitedHealth systems, like Optum.

In recent months, and at a congressional hearing in early May, UnitedHealth has received vast criticism for negligence. A congressman berated Change while holding up the book Hacking for Dummies, saying “we missed some simple stuff.”

However, the two-step verification system had most likely been turned off by someone who leaked the credentials needed to do so. Once inside Change’s operating system, the hackers collected data undetected for nine days, moving laterally across software systems. The hack was only detected when BlackCat demanded their ransom.

Experts from Google, Microsoft, Cisco, and Amazon came to Change’s assistance to stop the data breach, but it was far too late. The breach will continue to affect the majority of the 6,000 hospitals and 80,000 pharmacies that use Change. Medical records sell for $60 per person and Social Security numbers for $15 per person on the dark web, which adds up if a cybercriminal group has billions of identifiable patient records to sell. Change paid the ransom to prevent the sale of this information, but there’s usually no guarantee a cybergang will follow through on the agreement.

UnitedHealth has loaned $4.4 billion to healthcare providers known to be affected, but the total extent of the damage is unknown. It’s also up for debate whether UnitedHealth made the right call by paying the ransom. Brett Callow, a ransomware researcher, told Wired Magazine that paying the ransom is very problematic. “Every ransomware payment both funds future attacks by the group responsible and suggests to other ransomware predators that they should try the same playbook—in this case, attacking health care services that patients depend on… It highlights the profitability of attacks on the healthcare sector. Ransomware gangs are nothing if not predictable: If they find a particular sector to be lucrative, they’ll attack it over and over again, rinse and repeat.”

Messages have been found on the dark web from disgruntled cybercriminals posting that they didn’t get their share of the $22 billion payout. What’s more concerning for the future of cybersecurity is that similar attacks are sometimes sponsored by foreign governments, particularly China, which has been homing in on acquiring information in biotechnology and stealing genetic data from patients in Europe and around the world.