
Why ransomware hackers attacked UnitedHealth and Change Healthcare


The ransomware attack on UnitedHealth’s Change Healthcare subsidiary last month demonstrated not only how appealing the data-rich US healthcare industry is to hackers and the devastating consequences for patients and doctors, but also how sophisticated cyber criminals are becoming when targeting vulnerable sectors.

The breach occurred more than three weeks ago, prompting the United States Department of Health and Human Services to open an investigation into UnitedHealth this week. The HHS Office for Civil Rights stated that it is investigating the incident owing to its “unprecedented magnitude.”

Change Healthcare is the largest clearinghouse for insurance billing and payment in the United States.

Since the February 21 attack, thousands of doctors, hospitals, and other health providers relying on Change Healthcare for billing reimbursements have not been paid while the firm tries to restore its systems.

UnitedHealth told CNBC that it will comply with the OCR’s probe. “Our immediate focus is to restore our systems, protect data, and support those whose data may have been impacted,” the company said in a statement. “We are working with law enforcement to investigate the extent of the impacted data.”

The breach is undoubtedly a nightmare for health professionals who claim they are running out of funds to run their clinics while waiting for Change Healthcare reimbursements, as well as for patients who are experiencing delays in getting prescriptions filled or treatments authorized.

However, it also highlights a far larger issue: the vulnerability of the whole U.S. healthcare system.

Going after companies that will pay

Sumedh Thakar, CEO of cybersecurity firm Qualys, stated that while the digitalization of the United States’ health-care system has advanced patient care, it has also increased the need for improved awareness and defense against each new cyber threat.

“Why do hackers target healthcare? Because they are targeting firms that are most likely to be afraid and willing to pay,” he explained.

This is because the data has a high value. According to cybersecurity expert Jeremiah Fowler, medical information sells on the dark web for $60, while a Social Security number costs $15 and a credit card costs $3. Compounding this, there is a persistent staffing shortage and, as the Change Healthcare outcry shows, considerable pressure to restore access as soon as possible.

“Healthcare data being exposed is a lot worse than most other data, and the bad guys know this,” Thakar told CNN.

Complicating the scenario is the reality that many cyber thieves, like Blackcat, the gang claiming responsibility for the Change Healthcare breach, are now working in similar ways to the firms they target. Unlike rag-tag gangs in basements, these “ransomware-as-a-service” organizations “operate on an affiliate model where the operational work is done by an extended network of threat actors,” stated Nicole Eagan, chief strategy and AI officer at cybersecurity firm Darktrace.

Typically, she explained, a core group of developers sell or rent their “RaaS” tools to affiliate operators, who then use them to attack organizations. Affiliates often earn a share of the victim’s ransom payment.


According to Eagan, the rise in popularity of the ‘as-a-service’ model in recent years has made it easier for malicious individuals to target vulnerable sectors like health care. This model eliminates the need for them to develop their own ransomware, making it more accessible for them to carry out their attacks.

This marketplace expansion also allows malicious individuals to diversify their sources of income beyond relying solely on ransomware payments. They are utilizing subscription models to generate revenue for their ransomware development and deployment, according to Eagan.

This development may lead to the emergence of more intricate and sophisticated extortion methods. As an expert in analyzing systems, Eagan predicts that hackers will adopt more sophisticated tactics in the future. Instead of just encrypting a company’s data for ransom, they may resort to double or even triple-extortion strategies. This involves not only encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are fulfilled.

According to Thakar, the cybersecurity landscape remains a constant battle between companies and malicious actors. As businesses develop stronger defense mechanisms, cybercriminals constantly find new ways to target them.

Ultimately, security leaders need to determine if their investment in cybersecurity tools and solutions effectively reduces their risk levels. “That’s what security leaders should communicate to the board and their CFO, regardless of the industry they are in,” he stated.

For health-care executives dealing with a constantly evolving threat landscape, Fowler emphasized the importance of a mindset shift. As a health-care leader, it is crucial to recognize the immense value of your data alongside the exceptional care and service you provide to patients and customers. “Invest in ensuring its protection to the best of your ability.”
