Week 2 of the Change Healthcare Cyber Attack

The cyber attack on Change Healthcare, reported to have begun on February 21, 2024, has been attributed to the Blackcat ransomware gang, also known as ALPHV. This incident has caused significant disruptions across the healthcare sector, affecting pharmacies and healthcare providers throughout the United States. The cybercriminal group is known for its “double extortion” tactic, where they encrypt the victim’s files and also steal sensitive data, demanding a ransom for both the decryption key and the non-release of the stolen data. In this case, there’s a possibility of a data breach, although it hasn’t been officially confirmed by Change Healthcare at this stage​​.

Mandiant, Alphabet’s cybersecurity unit, is spearheading the investigation and response to this attack. Despite a massive law enforcement takedown of Blackcat’s infrastructure in December 2023, the group has continued its criminal activities, with this attack underscoring the persistent threat posed by ransomware gangs. This takedown had led to the seizure of several of the group’s websites and hundreds of decryption keys, but it did not permanently disrupt the gang’s operations. Blackcat had even threatened to retaliate by targeting critical infrastructure and healthcare organizations​​​​. The Blackcat group is notorious for its double extortion tactics, which involve encrypting victims’ data and exfiltrating sensitive information to demand ransom. Although Change Healthcare has not confirmed a data breach, the involvement of Blackcat suggests a high risk of sensitive data exposure​.

The American Hospital Association (AHA) has advised healthcare organizations affected by the outage to disconnect from specific Change Healthcare applications still offline due to the cyberattack. They also recommended preparing downtime procedures and contingency plans for an extended service outage, although a specific timeline for service restoration has not been provided. The AHA has been in direct communication with Change Healthcare and is seeking assurances on the security of systems not directly impacted by the attack​​.

This cyberattack has not only disrupted prescription processing services, affecting thousands of pharmacies and healthcare providers, but also raised significant concerns regarding the security of sensitive healthcare data and the resilience of healthcare IT infrastructure against sophisticated cyber threats. As the situation evolves, healthcare organizations are urged to remain vigilant and follow the guidance of cybersecurity professionals and law enforcement agencies to mitigate the impact of this and future cyber threats.

View all Articles by: Melissa Clark, CCS-P