Executive Summary
In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, suffered a ransomware attack by the ALPHV/BlackCat group. The attackers used compromised credentials for an account that lacked multi-factor authentication to access the company's systems, exfiltrated sensitive data, and deployed ransomware that severely disrupted operations. The breach halted electronic payments and medical claims processing, forcing patients to pay out of pocket for medications and healthcare services, and caused unprecedented, widespread disruption to healthcare delivery across the U.S. The financial fallout was equally staggering: UnitedHealth Group incurred approximately $2.87 billion in response costs during 2024, paid $22 million in ransom to the attackers, and provided over $6 billion in assistance to affected healthcare providers. The incident drew global attention to the vulnerabilities in healthcare cybersecurity and to the critical need for robust defenses in a sector where the consequences of cyberattacks extend beyond financial losses to directly affect patient care and safety, underscoring the growing danger of ransomware attacks targeting healthcare data.
Why This Matters Now
The Change Healthcare attack highlights the critical need for robust cybersecurity measures in the healthcare sector, as such breaches can have severe implications for patient care and safety.
Attack Path Analysis
In February 2024, the BlackCat ransomware group exploited stolen credentials to access Change Healthcare's Citrix remote access portal lacking multi-factor authentication, leading to a significant data breach and operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers used stolen credentials to access Change Healthcare's Citrix remote access portal, which lacked multi-factor authentication.
MITRE ATT&CK® Techniques
- Valid Accounts
- External Remote Services
- Data Encrypted for Impact
- Data from Cloud Storage
- Inhibit System Recovery
- Application Layer Protocol
- Disable or Modify Tools
- Internal Defacement
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Multi-Factor Authentication for All Access (Control ID: 6.4.3)
- NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information (Control ID: 500.15)
- DORA – ICT Risk Management Framework (Control ID: Article 10)
- CISA ZTMM 2.0 – Identity and Access Management (Control ID: Identity Pillar)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
- HIPAA – Access Control - Unique User Identification (Control ID: 164.312(a)(2)(i))
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
High-value targets for RaaS operations requiring HIPAA compliance; Change Healthcare breach demonstrates devastating impact from lateral movement and data exfiltration vulnerabilities.
Financial Services
Critical infrastructure vulnerable to double extortion attacks; requires enhanced east-west traffic security and zero trust segmentation to prevent privilege escalation scenarios.
Information Technology/IT
Supply chain compromise risks affecting downstream clients; MSP vulnerabilities enable widespread ransomware distribution through trusted network connections and privileged access pathways.
Government Administration
Strategic targets for nation-state and cybercrime groups; requires comprehensive threat detection capabilities and encrypted traffic monitoring to counter sophisticated RaaS operations.
Sources
- What the ransom note won't say, WeLiveSecurity: https://www.welivesecurity.com/en/ransomware/what-ransom-note-doesnt-say/
- BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare, KrebsOnSecurity: https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/
- Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak, Wired: https://www.wired.com/story/change-healthcare-admits-it-paid-ransomware-hackers/
- Ransomware attack wreaks havoc on prescription payments, Axios: https://www.axios.com/2024/03/01/prescription-outage-ransomware-unitedhealth
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware routing, thereby reducing the blast radius of the breach.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not have prevented the initial unauthorized access, it could have limited the attacker's ability to exploit the compromised credentials beyond the initial entry point.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could have constrained the attacker's ability to escalate privileges by limiting access to sensitive resources based on strict identity and context-aware policies.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could have restricted the attacker's lateral movement by enforcing strict segmentation and monitoring of internal traffic, thereby limiting access to critical systems.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could have detected and constrained unauthorized command and control communications by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could have limited data exfiltration by enforcing strict policies on outbound traffic, potentially preventing unauthorized data transfers.
While Aviatrix Zero Trust CNSF may not have prevented the deployment of ransomware, it could have limited the spread and impact by enforcing strict segmentation and access controls, thereby reducing the overall blast radius.
Impact at a Glance
Affected Business Functions
- Insurance Claims Processing
- Prescription Payment Systems
- Patient Data Management
Estimated downtime: 10 days
Estimated loss: $22,000,000
Potential exposure of patient health information (PHI) and personally identifiable information (PII), including medical records, health insurance details, Social Security numbers, and billing data.
Recommended Actions
Key Takeaways & Next Steps
- Implement multi-factor authentication (MFA) across all remote access portals to prevent unauthorized access.
- Deploy Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal traffic flows.
- Establish comprehensive Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
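The first takeaway is only as good as the audit that confirms every remote-access portal actually enforces MFA. As an added example (not Aviatrix code and not from the incident itself), the Python script below walks constructed remote-access logon records in an assumed JSON-lines format and flags successful logons that completed with a password alone, the exact condition that stolen credentials exploit (Valid Accounts via External Remote Services); it also checks those logons against an assumed per-user baseline of familiar source addresses.

```python
"""Audit remote-access portal logons for MFA gaps.

Added example; field names, log format and the baseline are assumptions,
and every record below is constructed for illustration."""
import json
from collections import defaultdict

# Constructed sample logon events (assumed JSON-lines schema).
SAMPLE_LOG = """
{"ts":"2024-02-12T03:14:07Z","user":"jdoe","portal":"citrix-gw","result":"success","mfa":"none","src":"198.51.100.23"}
{"ts":"2024-02-12T03:15:41Z","user":"jdoe","portal":"citrix-gw","result":"success","mfa":"none","src":"198.51.100.23"}
{"ts":"2024-02-12T08:02:10Z","user":"asmith","portal":"citrix-gw","result":"success","mfa":"push","src":"203.0.113.8"}
{"ts":"2024-02-12T08:05:55Z","user":"bjones","portal":"vpn-01","result":"failure","mfa":"none","src":"203.0.113.77"}
{"ts":"2024-02-12T09:30:00Z","user":"svc-backup","portal":"vpn-01","result":"success","mfa":"none","src":"192.0.2.45"}
"""

# Constructed baseline: source addresses each account normally logs in from.
KNOWN_SOURCES = {"jdoe": {"203.0.113.10"}, "asmith": {"203.0.113.8"},
                 "svc-backup": {"192.0.2.45"}}


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def mfa_gaps(events):
    """Successful logons that the portal accepted without a second factor."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def portals_without_mfa(events):
    """Map each portal to the sorted accounts that got in there without MFA."""
    by_portal = defaultdict(set)
    for e in mfa_gaps(events):
        by_portal[e["portal"]].add(e["user"])
    return {p: sorted(users) for p, users in by_portal.items()}


def unfamiliar_sources(events, baseline=KNOWN_SOURCES):
    """MFA-gap logons from an address not in the account's baseline."""
    return [e for e in mfa_gaps(events) if e["src"] not in baseline.get(e["user"], set())]


def summarize(text):
    """Produce a small findings report for the given log text."""
    events = parse_events(text)
    return {"total": len(events),
            "mfa_gap_logons": len(mfa_gaps(events)),
            "portals": portals_without_mfa(events),
            "unfamiliar_source_logons": len(unfamiliar_sources(events))}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Every portal that appears in the report is one where a password alone is still sufficient; service accounts such as the constructed `svc-backup` tend to be the ones exempted from MFA and therefore deserve the closest review.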