Lessons from the Change Healthcare Cyber Attack – Unprecedented Impacts and Financial Costs

The Change Healthcare cyber attack has highlighted the widespread consequences of cyber attacks targeted at a critical part of an industry’s technology supply chain. Additionally, recent reports of a second ransomware demand raise new challenges and will increase the financial and reputational impacts to Change Healthcare.  While the events are still unfolding, the Alliant Cyber team shares some insights below on developments to date and how organizations in the healthcare industry and beyond can identify, manage and mitigate the impacts of a systemic cyber attack.

Background
Change Healthcare is a leading healthcare claims processing provider, processing 15 billion claims annually in North America.  On February 21, Change Healthcare discovered cyber criminals (BlackCat ransomware group) had gained access to its IT environment, encrypting key systems across the Change Healthcare network and also claiming to have stolen 6TB of sensitive information, including personally identifiable information (including U.S. military personnel), insurance records and source code. In response, Change Healthcare disconnected its IT systems , causing enormous industry disruptions, and reportedly paid a ransom of $22M to reduce the risk of the stolen data being publicly disclosed.

Recent reports indicate that another ransomware group (RansomHub) has demanded a second ransomware payment from Change Healthcare based on sensitive data they claim to have obtained. It is currently unknown if this data overlaps with the data stolen in the initial attack or is the result of a new attack against Change Healthcare systems resulting in additional data being stolen. 

Industry Disruption
Following the shutdown of Change Healthcare networks, the impacts on patients and healthcare providers were widespread and immediate. Healthcare providers across the country were unable to process claims and receive payments, causing enormous financial impacts to thousands of national hospitals, medical clinics, pharmacies and healthcare providers, many of which went without revenue while systems were unavailable. Patients were also affected; co-pays for prescriptions could not be determined, insurance approvals for procedures were not obtained and some health providers had to turn away new patients. Due to the national impacts to patient care and the financial impact on health providers, the Federal government became involved and industry groups have stated that long term financial support will be necessary to many medical providers affected by the cyber attack. The outage lasted for weeks and by mid-March, systems remained limited with slow restoration and system testing occurring.

Financial Costs for Health Providers and Change Healthcare
The financial impacts of the attack to date are significant. For health providers nationally, many have struggled to pay expenses and are still facing uncertainty on the financial impacts of the incident.  Financial losses for Change Healthcare are also enormous: the company has reimbursed $3.3B to affected providers since the incident and there are indications that a ransomware payment of $22M may have been paid. These losses do not include the significant additional costs incurred in forensic, legal and incident response costs as well as the costs for likely future legal and regulatory actions.  

Continuing Impacts
In addition to the unprecedented costs of the system outage, the BlackCat Ransomware group has also claimed to have stolen 6 TB of data prior to launching the ransomware attack. This data allegedly includes personally identifiable information (including U.S. military personnel), insurance records and source code. The ongoing ramifications and financial costs from this data theft are unknown but will substantially increase the overall costs of the incident. Additionally, federal agencies have commenced investigations into the attack and Change Healthcare is facing significant potential legal liabilities from individuals and organizations impacted by the incident. In addition to the significant industry impacts to date, the continuing financial, operational and reputational impacts from this cyber attack will likely continue for many months.

Second Attack
In recent weeks, reports suggest that Change Healthcare was faced with a second ransom demand from a separate ransomware group (RansomHub) claiming to hold 4TB of sensitive data that it would publicly disclose unless a ransom is paid. At the time of writing, it is unknown if the data held by RansomHub is the same data stolen in the initial attack or is the result of a new cyber attack against Change Healthcare systems. There are reports that this is also related to a dispute between ransomware groups or individuals and the two groups may be related (or previously affiliated). This subsequent attack compounds the enormous financial and reputational damage to Change Healthcare and may result in disclosure of sensitive data despite a ransom being paid.

Cyber Risk Considerations and Preventive Actions
It’s currently unknown how BlackCat gained unauthorized access to Change Healthcare’s IT systems to steal confidential data and launch the ransomware attack. Additionally, it is unknown whether the data held by the RansomHub group is part of the data stolen initially or is the result of a separate attack against Change Healthcare systems. Regardless, this incident dramatically highlights the potential impacts of a significant cyber attack for both technology service providers (Change Healthcare) and organizations reliant on third-party IT providers for core operational activities. Below are some practical steps that organizations can take to manage the impacts of a ransomware attack:

• Assess current cybersecurity approaches across core systems and data: Organizations should review core cybersecurity approaches, focusing on effective management of core systems and data that could pose significant business risks if compromised. Alongside technical protections, organizations should implement executive sponsored training and awareness, governance and business continuity planning processes to align with core business goals.
  
  
• Cyber incident planning: Proactive planning for cyber incidents is critically important, taking into account all phases of a cyber incident, including pre-incident planning, crisis management, response, recovery and business continuity processes following the incident. Organizations should develop cross organizational incident response plans, carry out tabletop exercises and have clear processes for communication, key decision-making authority and cross organizational alignment throughout a cyber incident.
  
  
• Assessing third-party risks and operational impact planning: As organizations become increasingly reliant on third-party providers for core technology needs, it is important to conduct third-party cyber risk assessments and understand the operational impact if these systems become unavailable. Proactively addressing ‘single points of failure’ and having business continuity and contingency planning in place can effectively minimize the financial impact of a cyber incident affecting an organization’s critical third-party vendors.
  
  
• Assess cyber insurance options to manage financial risk: Cyber insurance may be a cost-effective method of managing the financial risks from third parties and substantially reduce the financial impacts of a cyber incident. Assessing cyber insurance options, reviewing insurance terms and building coverage limits that align with business goals will enhance organizational resilience when faced with a significant cyber incident.

Alliant Cyber helps clients identify, evaluate, remediate, transfer and respond to the cyber risks that matter most to their organization, while driving optimized cyber risk management and insurability outcomes. For more information, please contact a member of the Alliant Cyber team.