Lessons learned from the UnitedHealth cyberattack


The cybersecurity pros at Acronis have been shaking our heads for months at the ongoing fiasco at UnitedHealth Group, the U.S. health care conglomerate whose subsidiary Change Healthcare was hit by a major ransomware attack in February 2024. The intruders first gained access on February 12, 2024 and detonated the ransomware nine days later, on February 21. The BlackCat cybercriminal group (also known as ALPHV) succeeded in stealing six terabytes of sensitive health care records, in industry parlance protected health information (PHI) and personally identifiable information (PII), belonging to millions of American patients. It also locked up Change Healthcare's servers with strong encryption and demanded a ransom of $22 million in return for a decryption key and a promise not to leak the stolen data.

Short-term impact of the attack on the US health care system

The encryption phase of the attack turned out to be a highly consequential problem for the U.S. health care industry. Change Healthcare serves as a clearinghouse between health care providers (doctors, hospitals, clinics and pharmacies) and health insurers, providing the eligibility verification and claims processing that let providers get paid for the services they deliver and let patients get their medications and treatments. It is such a key cog in this system that it handles at least 40% of all such transactions in the U.S., some 15 billion transactions per year worth over $1.5 trillion.

This had immediate and, in some cases, near-disastrous effects across the system. With Change Healthcare unable to process transactions, American hospitals suffered reimbursement delays totaling millions of dollars per week. Many patients could not get their prescription claims adjudicated and so could not get their medications dispensed at the pharmacy, or had to pay full price if they could afford to and hope to be reimbursed later. Hospitals held off discharging certain patients for fear they would not be able to get necessary post-procedure medications. Some providers tried to cope by filing paper claims with insurers and hoping they would go through. This turned out to be a huge unplanned expense for larger institutions, and for smaller institutions that rely on swift reimbursement from insurers, it became an existential cash-flow crisis.

UnitedHealth’s initial response

UnitedHealth responded by paying nearly $22 million in Bitcoin to the BlackCat ransomware gang in return for its promise not to leak the stolen data. While these negotiations were ongoing, UnitedHealth struggled to rebuild the encrypted servers at Change Healthcare, an effort hindered by the apparent absence of the reliable, isolated and tested backups that best practice calls for and that could otherwise have restored those servers quickly.

Recovery costs mounted swiftly for UnitedHealth, with expenses related to the incident estimated at $1.6 billion and counting as of May 2024. The company attributed an $872 million hit to its Q1 2024 earnings to cyberattack response costs and business disruption. More than three months after the attack, UnitedHealth was still working to restore affected services. For patients whose private health care records might have been compromised, it paid for credit monitoring and identity theft protection services and spun up a dedicated call center and support website. External analysts estimate that UnitedHealth will spend another $1.6 billion in 2025 on data breach notifications, dark-web monitoring and litigation, none of which will be covered by cyber insurance, as UnitedHealth self-insures.

How the attack occurred

BlackCat (also known as ALPHV) was one of the best-known and most profitable ransomware operations running in early 2024. By supplying a network of affiliated criminals with ransomware-as-a-service (RaaS) infrastructure, tooling and a leak site, it could run many simultaneous attacks around the world, with affiliates typically gaining initial access through phishing, stolen or compromised credentials, or exploitation of unpatched vulnerabilities.

One of these affiliates carried out a so-called double extortion attack on Change Healthcare. According to Witty's later congressional testimony, the intruder logged in on February 12 with compromised credentials to a Citrix remote-access portal that was not protected by multifactor authentication. It then quietly surveilled the company's network and servers for nine days before exfiltrating terabytes of sensitive patient data, and only then detonated the encryption payload. While the affiliate was negotiating with UnitedHealth over a decryption key and a promise not to leak the data, the BlackCat operators cut it out and negotiated with UnitedHealth directly, which a RaaS operator can do because it controls the decryption keys and the leak site. Having collected the ransom, BlackCat then reneged on its usual promise to share the proceeds with its affiliate. There is, it appears, no honor among thieves: weeks later, the stolen data resurfaced in a second extortion attempt against UnitedHealth by a group calling itself RansomHub.

Facing glacial progress in rebuilding its servers even after the ransom was paid, UnitedHealth brought in incident response consultants from Mandiant and Palo Alto Networks to help. The prolonged outage at Change significantly disrupted the operations of hospitals, pharmacies and other health care providers, choking the flow of medical claims and payment processing, which affected patient care and created cash-flow problems for many small hospital groups. The theft of the PHI and PII of millions of patients raised privacy concerns for those patients, and compliance and regulatory concerns for UnitedHealth.
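The nine-day quiet period followed by a bulk exfiltration described above is the pattern that egress-volume baselining is meant to surface. The following is an added example (not Acronis code, and not drawn from the Change Healthcare investigation) that rolls constructed per-day flow-log summaries up by host, flags a day whose outbound volume is many times the host's recent median, and separately flags any sizable transfer to a destination the host has never talked to, which is the trace a low-and-slow exfiltration leaves when it stays under the volume threshold. Host names, addresses, volumes and thresholds are all constructed.

```python
"""Egress-volume baselining over constructed flow-log rollups.

Added example, not Acronis code and not derived from the Change Healthcare case.
Each record is (day, source host, external destination, bytes sent), the kind of
per-day rollup a firewall or NetFlow collector produces. Hosts, addresses, volumes
and thresholds are all constructed for the example.
"""
from collections import defaultdict
from statistics import median

DAYS = [f"day{n:02d}" for n in range(1, 7)]
FLOWS = []
# db-claims-01: roughly 1 GB/day to a known partner, then 45 GB to an unknown host on day06.
for day, nbytes in zip(DAYS, [1_100_000_000, 1_300_000_000, 900_000_000, 1_200_000_000, 1_000_000_000]):
    FLOWS.append((day, "db-claims-01", "203.0.113.10", nbytes))
FLOWS.append(("day06", "db-claims-01", "198.51.100.77", 45_000_000_000))
# web-portal-02: steady 0.3 GB/day, nothing unusual.
FLOWS += [(day, "web-portal-02", "203.0.113.10", 300_000_000) for day in DAYS]
# file-svc-03: normal 2 GB/day plus 1.5 GB to a never-before-seen host on day06,
# a low-and-slow pattern that a pure volume threshold misses.
FLOWS += [(day, "file-svc-03", "203.0.113.10", 2_000_000_000) for day in DAYS]
FLOWS.append(("day06", "file-svc-03", "192.0.2.55", 1_500_000_000))


def daily_egress(flows):
    """Roll flows up to {host: {day: {destination: bytes}}}."""
    rollup = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dest, nbytes in flows:
        rollup[host][day][dest] += nbytes
    return rollup


def find_exfil_candidates(flows, ratio_threshold=10.0, min_bytes=5_000_000_000,
                          new_dest_min_bytes=1_000_000_000, baseline_days=5):
    """Return alerts for (host, day) pairs that either sent ratio_threshold x the host's
    median daily egress over the preceding baseline_days (and at least min_bytes), or sent
    new_dest_min_bytes or more to destinations never seen during the baseline window."""
    alerts = []
    for host, by_day in daily_egress(flows).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            window = days[max(0, i - baseline_days):i]
            if len(window) < 3:
                continue  # too little history to call anything anomalous
            base = median(sum(by_day[d].values()) for d in window)
            seen = {dest for d in window for dest in by_day[d]}
            today = by_day[day]
            total = sum(today.values())
            new_dests = sorted(dest for dest in today if dest not in seen)
            new_bytes = sum(today[dest] for dest in new_dests)
            reasons = []
            if total >= min_bytes and (base == 0 or total >= ratio_threshold * base):
                reasons.append("volume_spike")
            if new_bytes >= new_dest_min_bytes:
                reasons.append("new_destination")
            if reasons:
                alerts.append({"host": host, "day": day, "bytes": total,
                               "ratio": round(total / base, 1) if base else None,
                               "new_destinations": new_dests, "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["day"], a["host"]))


if __name__ == "__main__":
    for a in find_exfil_candidates(FLOWS):
        print(f"{a['day']} {a['host']}: {a['bytes'] / 1e9:.1f} GB out "
              f"({a['ratio']}x baseline), new destinations {a['new_destinations']}, "
              f"reasons {a['reasons']}")
```

A per-day ratio is deliberately coarse: an attacker who sits quietly for days can just as easily pace the exfiltration to stay under it, which is why the new-destination check is included as a second signal. Both depend on actually collecting egress flow data from the segments that hold PHI; without that visibility there is nothing to baseline.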

Current and pending regulatory and compliance actions

The attack and UnitedHealth’s snail’s-pace response prompted several actions by regulatory and compliance authorities.

HHS

The federal U.S. Department of Health and Human Services (HHS) responded first by publishing short-term steps to help care providers continue to serve patients amid the claims processing disruptions. These included expediting changes in clearinghouse operations for Medicare and encouraging private insurers to remove or relax prior authorization requirements temporarily to ease the operational burden on providers. In its public communications, HHS described the interconnectedness of the health care ecosystem that the attack had laid bare and stressed the urgent need for better cyber resilience across the industry, that is, the ability both to defend against cyberattacks and to recover swiftly from those that succeed, as called for in the Biden administration's 2023 National Cybersecurity Strategy.

Medicare and Medicaid

The federal Centers for Medicare &amp; Medicaid Services (CMS) responded by implementing specific flexibilities for the duration of the outage, allowing Medicare providers to use alternate clearinghouses for claims processing and asking Medicare Advantage and Part D sponsors to relax prior authorization requirements for claims.

Federal executive branch

Biden administration officials met with UnitedHealth CEO Andrew Witty in March 2024, urging him to address the disruptions caused by the attack and to provide emergency financial support for providers affected by the ongoing outage.

Federal lawmakers 

The U.S. House of Representatives' Energy and Commerce Committee summoned Witty to testify before its Subcommittee on Oversight and Investigations in May 2024. On the same day, Witty faced similar scrutiny from the U.S. Senate's Finance Committee. In testimony, Witty conceded that the lack of multifactor authentication on the compromised remote-access portal had contributed to the success of the attack, publicly apologized to affected providers and patients, and admitted that his company still did not know how much and what kind of data had been compromised. Some senators suggested that UnitedHealth's massive size had contributed to its poor response to the attack and that perhaps it should be forced to divest some of its subsidiaries. UnitedHealth was already under investigation by the U.S. Justice Department over antitrust concerns.

HIPAA regulators

Because the attack compromised PII and PHI, UnitedHealth faces potential penalties under the Health Insurance Portability and Accountability Act (HIPAA); the HHS Office for Civil Rights opened an investigation into the breach in March 2024. HIPAA's Security and Breach Notification Rules require covered entities and their business associates to safeguard PHI and to notify affected individuals when it is compromised, and violations can draw significant fines scaled to the severity and extent of the breach.

FTC

The U.S. Federal Trade Commission (FTC) may take action if it finds that UnitedHealth failed to adequately protect consumer data. The FTC regularly issues fines and demands corrective actions from companies that fail to protect consumer privacy.

State-level regulators

Several U.S. states may also impose their own penalties, notably under the California Consumer Privacy Act (CCPA), which levies hefty fines for privacy violations of California residents’ personal information.

Beyond these actions, UnitedHealth also faces other consequences, including private lawsuits and potential class actions from affected individuals and groups that could result in costly settlements or court-ordered damages. Damage to its reputation could erode customer and partner trust, causing some of its many affiliates to switch to competitors. Regulators are likely to respond with more stringent oversight, imposing costly requirements for mandatory audits, increased reporting and enhanced security measures. The value of the company's publicly traded stock initially fell by 15% following news of the attack but has since rebounded somewhat.

Lessons for other businesses

An old saying goes, "No one is completely useless: they can always serve as a bad example." The UnitedHealth attack provides some useful lessons for other businesses, particularly but not exclusively in the health care industry. Acronis recommends that businesses take the following five steps to improve their cyber resilience and avoid suffering an expensive and humiliating cyberattack like UnitedHealth's:

1. Shore up cybersecurity defensive measures. Potential areas to strengthen include endpoint behavioral anti-malware, EDR, multifactor authentication, strong encryption of data both in transit and at rest, and automated vulnerability scanning and patch management. Enforce MFA on every remote-access path in particular (VPNs, remote desktop and virtual desktop portals, and vendor or contractor accounts): an internet-facing portal that accepts a password alone is exactly the gap that Witty acknowledged in this case. Improving visibility of data flows helps in detecting sophisticated, multistage, stealthy cyberattacks as well as potential insider threats. As email-based phishing remains the most common initial access vector, now is a good time to refresh email security and URL filtering systems.

2. Reinforce backup and recovery capabilities for when attacks do succeed. This includes scrupulously observing the 3-2-1 principle of backup (three copies of your data, on two different media, with one copy off site and ideally immutable or offline, so that an attacker who has taken over your domain cannot encrypt or delete it along with production) and deploying cloud disaster recovery services. Conduct routine restore tests to ensure that backup archives and processes actually work, and scan backups for malware and unpatched vulnerabilities before restoring from them, so that you do not restore the attacker's foothold along with your data.

3. Take advantage of advances in machine learning and artificial intelligence to help improve cyber resilience. These include the use of ML and AI to aid behavioral detection of malware on endpoints, to provide a skills assist in EDR management, to write scripts that automate routine cybersecurity and IT operations processes, and to provide analytical support in digesting huge volumes of threat alerts and intelligence.

4. Invest in cyber resilience people skills. Malicious use of AI has made social engineering attacks like phishing and deepfake impersonation of executives far more convincing, so every employee, from board members on down, needs regular refreshers in cybersecurity awareness. Include education on newer techniques such as MFA fatigue (push-bombing) attacks and phishing via text messages and social media.

5. Revisit cyber resilience processes. Every business should develop and regularly refresh an incident response plan, particularly in the wake of a breach or other cyberattack. Use forensics after an attack to identify how the intruder got in and to remediate those weaknesses. Look to cybersecurity frameworks such as NIST CSF 2.0, ISO/IEC 27001 and the CIS Controls to help identify areas for improvement and to implement best practices honed by your peers in the industry.

Ready to learn more? Consider downloading the following complimentary resources:

White paper: Is your business ready for NIS 2 compliance?

White paper: Acronis Cyberthreats Report H2 2023

White paper: Business continuity: Shifting from passive planning to active risk mitigation and ensuring resilience

Infographic: Top 5 reasons your business needs to be protected with EDR right now

White paper: Overcoming the 7 critical challenges facing health care IT today

James Slaby is Director of Cyber Protection, Acronis

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.