Change Healthcare Breach: Data in the Hands of a New Ransomware Group

Introduction

The healthcare industry has once again been targeted by cybercriminals, with Change Healthcare falling victim to a second ransomware attack. This time, a new group called RansomHub has claimed responsibility for the breach, demanding a ransom payment in exchange for not selling the stolen data. The breach has put Change Healthcare, a subsidiary of UnitedHealth Group, in a difficult position as it tries to recover from the previous attack by ALPHV/BlackCat. This article provides an overview of the breach, its impact on the organization, and potential steps for remediation.

Overview of the Breach

RansomHub, the new ransomware group, has allegedly stolen approximately 4TB of sensitive data from Change Healthcare, as claimed earlier this week. The stolen information includes the personal and medical records of US military personnel, patients, financial information, and more. RansomHub has threatened to sell the data to the highest bidder if a ransom payment is not made within 12 days. The group claims that the data has not been leaked or shared anywhere, but this assertion cannot be independently verified.

There is speculation about whether RansomHub and ALPHV/BlackCat are part of the same ransomware group or if there is any connection between them. However, there is no confirmation at this time, and it is too early to tell. RansomHub claims to have gained access to the Change Healthcare data that ALPHV/BlackCat stole, but the exact relationship between the two groups is still unclear.

Impact on Change Healthcare

The breach has put Change Healthcare in a precarious position, as it has only recently recovered from the previous attack by ALPHV/BlackCat. The company is now faced with the difficult decision of whether to pay the ransom or not. The stolen data contains highly sensitive information, and the potential exposure of this data could have severe consequences for both the affected individuals and the reputation of Change Healthcare. Additionally, the breach has disrupted the organization's operations, causing financial losses and impacting its ability to provide healthcare support services.

Based on the provided context, here are some key points that other organizations should know in terms of protecting themselves against a similar breach:

1. Assume Intrusion: Organizations should recognize and understand that attackers are likely to make their way into their environment. Adopting an "assume breach" mentality can help organizations focus on containing the impact of an intrusion and proactively prepare for attacks.

2. Incident Response Plan: Developing an incident response plan is crucial. This plan should outline the steps to be taken in the event of a data breach, including notifying the necessary parties and mitigating the damage caused.

3. Record Audit Trails: Keeping records of internal and external audits can help organizations identify areas that need improvement and track the effectiveness of their compliance processes.

4. Dedicated Staff and Resources: Having dedicated and knowledgeable staff, as well as sufficient resources, is essential for a successful compliance program. Compliance responsibilities should not be added to an employee's existing workload.

5. Address Human Vulnerabilities: Human error continues to be a significant vulnerability in cybersecurity efforts. Organizations should prioritize training and awareness programs to educate employees about potential risks and best practices for maintaining security.

6. Multi-Factor Authentication: Implementing multi-factor authentication can help prevent account takeover attacks by requiring users to verify themselves through multiple factors, such as passwords, security tokens, or biometrics.

7. Network Detection and Response: Having complete visibility across the entire enterprise is crucial for identifying and preventing breaches. Network detection and response tools can help detect and respond to threats that may be hiding within the network.

8. Software Bill of Materials (SBOM): Organizations should consider requesting a software bill of materials from third-party vendors to assess and manage vulnerabilities. Early detection of vulnerable components can help mitigate or prevent incidents.

9. Transparency and Timely Disclosure: Organizations should prioritize transparency and timely disclosure in the event of a breach. Delayed disclosure can erode trust and negatively impact the relationship between the organization and its users.

It's important to note that these points are general recommendations based on the provided context. Each organization should assess its specific needs and consult with cybersecurity professionals to develop a comprehensive security strategy.

Conclusion

The second ransomware attack on Change Healthcare by RansomHub has once again highlighted the vulnerabilities within the healthcare industry. The breach has exposed sensitive data, putting both patients and the organization at risk. Change Healthcare must take immediate steps to remediate the breach, enhance its cybersecurity measures, and restore its systems to ensure the protection of sensitive information. By ensuring the right methods and protocols are in place as outlined above, organizations can take steps to protect themselves from a similar attack.

References

• “Change Healthcare faces second ransomware dilemma weeks after ALPHV attack“ from cybernews_theregister, published on April 8th, 2024 by Connor Jones

• “A Second Gang Shakes Down UnitedHealth Group for Ransom“ from cybernews_bankinfosecurity, published on April 8th, 2024 by Marianne Kolbasuk McGee

• “Round 2: Change Healthcare Targeted in Second Ransomware Attack“ from cybernews_darkreading, published on April 8th, 2024 by DarkReading

• alphv - Taken from Cybersixgill’s proprietary threat entity data

• “Change Healthcare faces second ransomware dilemma weeks after ALPHV attack“ from cybernews_theregister, published on April 8th, 2024 by Connor Jones

• blackcat - Taken from Cybersixgill’s proprietary threat entity data

• “Round 2: Change Healthcare Targeted in Second Ransomware Attack“ from cybernews_darkreading, published on April 8th, 2024 by DarkReading

• “A Second Gang Shakes Down UnitedHealth Group for Ransom“ from cybernews_bankinfosecurity, published on April 8th, 2024 by Marianne Kolbasuk McGee

• “HIPAA Compliance: Why It Matters and How to Obtain It“ from cybernews_securityboulevard, published on March 26th, 2024 by Hyperproof Team

• “Confidence in the Cloud Starts With Visibility and Zero-Trust“ from cybernews_securityboulevard, published on April 1st, 2024 by Raghu Nandakumara

• “Cyber-Risk Is Getting Personal“ from cybernews_darkreading, published on February 19th, 2024 by DarkReading