On February 11, 2024, a highly advanced and notorious affiliate group of the BlackCat/ALPHV ransomware gang, known for its history of targeting major organizations and critical infrastructure, infiltrated Change Healthcare’s network. The attackers spent nine days inside, quietly moving through the system, stealing sensitive data, and ultimately encrypting files, demanding a ransom of $22 million. Although the company paid the ransom to prevent releasing this sensitive data, the criminals executed an exit scam, and the payment did nothing to secure the stolen information.
The stolen data, affecting an estimated 100 million people, included personal details such as contact information, social security numbers, driver’s license numbers, health records, insurance details, and billing information. Of this, approximately 575,000 records belonged to residents of Nebraska.
About Change Healthcare
Change Healthcare Inc., previously known as Emdeon until 2015, is a company specializing in revenue and payment cycle management, facilitating connections between payers, providers, and patients within the U.S. healthcare system. It operates the nation’s largest financial and administrative information exchange. The breach disrupted daily operations, impacting medical authorizations, prescriptions, and the delivery of care across the state.
How did they get in?
Nebraska Attorney General Mike Hilgers revealed that the BlackCat/ALPHV ransomware group gained access to Change Healthcare’s network by exploiting the username and password of a low-level customer support employee. These credentials had been posted in a Telegram group known for trafficking stolen login information. The attackers used this information to access the network through a Citrix remote service, which unfortunately didn’t have multifactor authentication enabled. Once inside, the hackers set up privileged administrative accounts, stole large amounts of sensitive data, and installed ransomware without being detected. The breach was only discovered when the company realized its files were encrypted and could no longer be accessed.
Impact of the Breach
In a lawsuit AG Mike Hilgers filed against Change Healthcare and its partners, he expressed frustration over the significant financial burden placed on healthcare providers, particularly critical access hospitals in rural areas, due to the cyberattack on Change Healthcare.
“Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable [1],” said Mike Hilgers.
He also criticized Change Healthcare for failing to notify Nebraskans about the breach, depriving them of the opportunity to take precautions against potential scams and fraud. “This lawsuit is about holding Change Healthcare accountable for their actions,” he added.
The lawsuit, filed on December 16, 2024, in Lancaster County District Court, named Change Healthcare Inc., Optum Inc., and their parent company UnitedHealth Group Incorporated (UHG) as defendants. It claims that these companies failed to implement basic cybersecurity measures, which allowed the cyberattack to cause substantial harm to residents of Nebraska. The lawsuit argues that Change Healthcare’s security practices, or lack thereof, directly contributed to the breach.[4]
Key allegations in the lawsuit highlighted by AG Hilgers include the following:[1]
- Outdated IT infrastructure and poorly segmented networks: the company’s environment failed to meet even basic security standards, leaving its systems wide open to attack.
- Unauthorized access went undetected for more than a week: this allowed the hackers to move freely within Change Healthcare’s systems and steal sensitive personal data and health information without anyone noticing.
- Affected Nebraskans weren’t notified until nearly five months later: a delay that deprived people of the chance to protect themselves from potential fraud and identity theft.
- Delays in authorizations for medical care and prescriptions: the attack caused widespread disruption, halting essential medical operations, which meant that many patients were left without vital treatments and medications.
- Financial and operational challenges: healthcare providers, including hospitals, pharmacies, and doctors’ offices in Nebraska, also bore the brunt of the attack, facing significant financial and operational challenges as a result of the breach.
- Potential misuse of their personal health information: as a result of the breach, Nebraskans suffered major consequences, with the breach exposing them to identity theft, financial fraud, and misuse of their information, putting their security and privacy at serious risk.[1]
“A trustworthy healthcare system needs to have secure and reliable infrastructure in place, especially when it comes to protecting sensitive health data and ensuring prompt communication with individuals who are affected by a breach,” Hilgers stated. “This lawsuit is aimed at restoring confidence in our healthcare system and compensating Nebraskans for the harm they’ve suffered.”
Legal and Financial Consequences
As a result of the breach, Nebraska’s Attorney General filed a lawsuit accusing Change Healthcare of violating consumer protection laws and data security regulations. The company is facing financial penalties, along with potential long-term reputational damage in an already vulnerable industry.
While Nebraska is the first state to file such a lawsuit, it is unlikely to be the last. Other state Attorneys General across the U.S. are expected to follow suit, holding Change Healthcare and UnitedHealth Group Inc. accountable. Meanwhile, the U.S. Department of Health and Human Services’ Office for Civil Rights is investigating whether the breach violated HIPAA regulations, and multiple class action lawsuits have already been filed in connection with the data breach.
Also, according to a blog by HIPAA Journal, UnitedHealth Group (UHG) recently updated its cost estimate for addressing the February 2024 ransomware attack on Change Healthcare. The company now expects the total expenses for the year to range between $2.3 billion and $2.45 billion, over $1 billion more than initially reported. So far, UHG has spent nearly $2 billion managing the aftermath of the attack, which caused significant disruptions for healthcare providers nationwide due to extended system outages [4].
How can this be avoided in the future?
- Stronger Access Controls and Authentication
  - Use Multi-Factor Authentication (MFA): A major vulnerability was the lack of MFA, especially for remote access systems like Citrix. MFA adds an extra layer of security by requiring a second form of verification, such as a code or a biometric scan. This makes it significantly harder for hackers to misuse stolen credentials.
  - Limit User Privileges: Employees should only have access to the systems and data necessary for their roles. The attackers exploited excessive privileges, gaining admin-level access, which allowed them to take full control of the network.
- Keep Systems Updated and Patched
  - Address Vulnerabilities: The breach revealed outdated systems and weak network segmentation. Regularly updating and patching all systems can close security gaps before attackers exploit them.
  - Test for Weaknesses: Conduct routine security assessments, such as penetration testing and vulnerability scans, to identify and fix potential issues proactively.
- Improve Incident Detection and Response
  - Detect Threats Early: The breach went unnoticed for nine days, which a working incident detection and response capability should have prevented. Implement real-time monitoring tools like intrusion detection systems (IDS) and endpoint detection and response (EDR) to catch suspicious activity early.
  - Plan for Incidents: A well-tested incident response plan is critical for handling and recovering from breaches effectively. This includes isolating affected systems, containing damage, and keeping stakeholders informed.
- Secure Backup Systems
  - Isolate Backups: Ransomware often targets backups, so they should be stored separately, either offline or in secure cloud environments. Techniques like air-gapping and a 3-2-1 backup strategy can further protect backups from attacks.
- Communicate Quickly and Transparently
  - Notify Victims Promptly: The delay in notifying affected individuals was a major criticism. Quick notifications allow people to take steps like changing passwords or monitoring credit for fraud.
  - Be Transparent: Regular updates during and after a breach build trust and help stakeholders stay informed.
- Train Employees on Cybersecurity
  - Prevent Social Engineering: The attack began with stolen credentials. Regular training can teach employees to recognize phishing attempts, use strong passwords, and avoid suspicious links.
  - Improve Password Practices: Encourage employees to use complex, unique passwords and to change them regularly.
- Strengthen Vendor and Third-Party Security
  - Assess Vendor Risks: Ensure that third-party vendors meet strict security standards, especially if they have access to critical systems or data.
- Protect Healthcare Data and Ensure Compliance
  - Follow HIPAA Standards: Compliance with data protection laws like HIPAA is essential for safeguarding sensitive health information. This includes encryption, access controls, and logging.
  - Encrypt Everything: Encrypt data both in storage and during transmission to prevent unauthorized access.
- Engage Cybersecurity Experts
  - Leverage Expertise: Work with cybersecurity professionals who can help implement the latest protections and provide guidance during incidents.
- Prepare for the Unexpected
  - Invest in Cyber Insurance: Cyber insurance can cover costs like data recovery and legal fees, but it should supplement, not replace, strong security measures.
  - Have a Recovery Plan: A solid disaster recovery plan ensures healthcare services continue, even during an attack.
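The "Use MFA", "Limit User Privileges" and "Detect Threats Early" points above describe exactly the sequence that went unnoticed here: a remote-access login that was never challenged for a second factor, followed by the creation of privileged accounts, followed days later by encryption. The script below is an added example, not code from the original post or from any vendor's product, showing the kind of correlation an IDS/EDR or SIEM rule would perform over access logs to surface that sequence and to measure dwell time. The `key=value` log format, the event names, the usernames and the privileged group names are all assumptions, and the sample log is constructed.

```python
"""Replay of the intrusion pattern described above over constructed logs.

Added example (not the post's or any vendor's code): correlates a remote
login made without MFA with a later privilege grant by the same actor, and
measures dwell time from that login to the first encryption event.
Log format, event names, usernames and group names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (synthetic; not real telemetry from any organization).
SAMPLE_LOG = """\
ts=2024-02-11T03:12:04Z event=remote_login user=support01 src=203.0.113.7 mfa=false result=success
ts=2024-02-11T03:40:19Z event=account_create actor=support01 target=svc_backup privileged=true
ts=2024-02-11T04:02:55Z event=group_add actor=support01 target=svc_backup group=DomainAdmins
ts=2024-02-11T09:15:00Z event=remote_login user=nurse42 src=198.51.100.9 mfa=true result=success
ts=2024-02-11T09:20:00Z event=group_add actor=nurse42 target=nurse42 group=Clinical
ts=2024-02-20T04:00:00Z event=file_encrypt actor=svc_backup count=184000
"""

# Groups whose membership confers administrative control (assumed names).
PRIVILEGED_GROUPS = {"DomainAdmins", "Administrators"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass
class Finding:
    rule: str
    ts: str
    detail: str


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty 'k=v k=v ...' line into a dict of string fields."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


def _ts(event: Dict[str, str]) -> datetime:
    return datetime.strptime(event["ts"], TS_FORMAT)


def _is_privilege_grant(event: Dict[str, str]) -> bool:
    """True for a privileged account creation or an add to an admin group."""
    if event.get("event") == "account_create":
        return event.get("privileged") == "true"
    if event.get("event") == "group_add":
        return event.get("group") in PRIVILEGED_GROUPS
    return False


def detect(events: List[Dict[str, str]],
           window: timedelta = timedelta(hours=24)) -> List[Finding]:
    """Flag successful remote logins without MFA, and privilege grants made
    within `window` after such a login by the same actor. Sessions that
    passed MFA are never flagged by these two rules."""
    findings: List[Finding] = []
    weak_logins: Dict[str, List[datetime]] = {}  # user -> non-MFA login times

    for e in events:
        if (e.get("event") == "remote_login" and e.get("result") == "success"
                and e.get("mfa") == "false"):
            weak_logins.setdefault(e["user"], []).append(_ts(e))
            findings.append(Finding("remote_login_without_mfa", e["ts"],
                                    f"user={e['user']} src={e.get('src', '?')}"))

    for e in events:
        if not _is_privilege_grant(e):
            continue
        actor = e.get("actor", "")
        t = _ts(e)
        # Correlate: did this actor log in without MFA shortly before the grant?
        if any(timedelta(0) <= t - lt <= window for lt in weak_logins.get(actor, [])):
            findings.append(Finding("privilege_grant_after_weak_login", e["ts"],
                                    f"actor={actor} target={e.get('target', '?')}"))
    return findings


def dwell_time(events: List[Dict[str, str]]) -> Optional[timedelta]:
    """Time from the first non-MFA remote login to the first encryption event:
    the window in which earlier detection could still have limited impact."""
    starts = [_ts(e) for e in events
              if e.get("event") == "remote_login" and e.get("mfa") == "false"]
    encrypts = [_ts(e) for e in events if e.get("event") == "file_encrypt"]
    if not starts or not encrypts:
        return None
    return min(encrypts) - min(starts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect(evs):
        print(f"[{f.rule}] {f.ts} {f.detail}")
    print("dwell time:", dwell_time(evs))
```

On the constructed log this raises one finding for the non-MFA login and two for the privilege grants that follow it, while the clinician's MFA-backed session and routine group change are left alone; the dwell-time figure makes the cost of the missed alert concrete. In practice the same two rules would be fed from the remote-access gateway's authentication log and the directory's account-management events, and the 24-hour correlation window is a tunable assumption.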
Organizations like Change Healthcare need a robust and reliable network; practices like the above are a must-have for any organization in the healthcare ecosystem because of the amount of sensitive information they hold.
Conclusion
The Change Healthcare breach highlights just how crucial strong cybersecurity is in the healthcare sector. As more personal and medical information is stored and shared online, healthcare organizations must implement stronger security protocols and frameworks to safeguard their patients from the increasing risks of cyberattacks. Now, more than ever, prioritizing cybersecurity should be a top concern for every healthcare provider.
This is a fantastic and thorough analysis of the Change Healthcare breach, Mohammed!
I completely agree with your emphasis on stronger access controls and multi-factor authentication to prevent unauthorized access. One thing I’m curious about: In addition to promptly notifying affected individuals, should organizations also provide resources or support, such as fraud prevention tips, to help them protect themselves? What is your thought on this?
Yes, I believe that would be so helpful. I also think that in the long run, I hope first-world countries set up cybersecurity law enforcement agencies to police these multi-million dollar corporations to ensure they follow best cybersecurity practices. This team should be permitted to run random pen tests on organizations like Change Healthcare and have them brought to book for weak or bad cybersecurity practices. I believe this would help to save money and the trauma victims of cyberattacks go through.
I understand that updating systems and maintaining the highest compliance standards can be extremely challenging, and realistically, no organization is entirely immune to breaches. However, it is completely unacceptable for an organization to wait nearly five months to inform affected users about a breach. This delay reflects a concerning level of negligence on the part of the organization’s leadership and underscores a failure to prioritize user security and transparency.
I completely agree with you on that, Smruti, but we can also agree that a lot comes into play when discussing being resilient to cyberattacks. The most important part of it all is your ability to quickly bounce back from these attacks with minimal downtime and financial loss, which I believe most organizations fail at. The ultimate goal isn’t having a bullet-proof system; being able to bounce back quickly is what matters most.
Informative post, Mohammed! The attackers’ spending nine days navigating the network, getting access, and maintaining complete encryption demonstrates their growing patience and technical expertise. Change Healthcare, a major participant in the healthcare sector, was especially targeted, most likely because of the value and sensitivity of the data they handle, as well as the criticality of their infrastructure. The exit scam is arguably the most distressing component of this case. I completely agree with your mitigation strategy and conclusion. It emphasizes the importance of organizations having comprehensive cybersecurity practices in place, such as solid data backups, threat detection, incident response, and employee training, to reduce the danger of such attacks. It also advocates for greater coordinated efforts from government agencies, cybersecurity businesses, and international partners to track down and dismantle these criminal groups before they inflict further harm.
Informative post, Mohammed! It remains concerning how the attackers spent nine days inside the Change Healthcare systems unnoticed or undetected. This process of stealing sensitive data, and ultimately encrypting files, resulted in a high cost, with a ransom demand of $22 million. Like you mention, despite the company paying the ransom to prevent the release of this sensitive data, the criminals executed an exit scam, which ultimately did nothing to secure the stolen information. This highlights the inherent risks of paying a ransom, as it often does not guarantee the return and destruction of the original stolen data from the attackers’ systems. Instead, paying a ransom might inadvertently fund further criminal activity, leaving organizations at greater risk. How do you propose such issues with ransoms could be addressed to ensure the stolen data is destroyed and returned?
I believe these organizations often weigh the repercussions of paying this ransom against not paying it. Most times, I believe they only pay for the politics of it; don’t get me wrong, I’m sure they know that paying the ransom doesn’t completely guarantee the data won’t be leaked or sold anyway. In my thoughts, they did it most likely to save face publicly and also to avoid making it look like they did not make enough effort to prevent further escalation of the issue. Other than that, I believe organizations should make it a must to never pay for ransomware; this will help discourage ransomware attacks. Instead, a fraction of the money they pay or lose to these attacks from time to time can be invested into best cybersecurity practices.
Great post, Mohammed. Something that really caught my attention is the idea of an exit scam. It seems to me that Change Healthcare did what they thought was the correct thing to protect their users’ data. They agreed to pay the ransom in order to protect their users from all sorts of scams that may result from the data being leaked, but the hacker group released the information anyway. I am wondering, with this in mind, whether it is ever worth it to pay these ransoms. It feels like Change Healthcare cannot really win: they pay the ransom in hopes of the data being safe, but if it leaks their users may be at risk and they will get sued, like what happened in this case. Besides better security to avoid the breach in the first place, I am not sure there is much they can do once the hackers have the information. At least if they don’t pay the ransom and get sued, the hope would be that the money from that goes to the users affected.
Exactly, Abdul! “There’s no honour among thieves,” they say. Regardless of whatever, I strongly believe organizations must stop paying for ransomware. It’s one of the few ways to discourage them. Another thing they could have done, if they had a good incident response team, was to look at previous attacks connected to this group of attackers; they’re quite notable for pulling exit scams on their victims. This information would have helped the team in taking the right measures and precautions in their decision making, which they didn’t do. I believe they paid just to save their public face.