Change Healthcare Ransomware Attack: A chronological timeline
Date: 6 May 2024
We've tried to make sense of everything that has happened & is still happening in this complicated ransomware attack. Through our educational Change Healthcare Ransomware Attack Timeline, our aim is certainly not to spotlight the victim organisation. It is merely to collate the vast reams of information into an easily-consumable format for better understanding.
Get your copy of the Change Healthcare Cyber Attack Timeline documents.
Let's face it: very few organisations are prepared for an attack of this scale, one that has taken a new and unexpected turn every few days. The only way to understand the real repercussions of a ransomware attack involving multiple criminal groups is to study attacks such as this one closely. You can then use this material to reflect on why Change Healthcare and the UnitedHealth Group are being criticised the way they are.
What did the organisation fail to secure that led to such serious ramifications? Why is their Cyber Incident Planning & Response receiving a bad rap? What can you do differently and how do you prepare for it? These are just some of the questions that this Cyber Attack Timeline will help you understand.
Topics covered in this article:
1. About the Change Healthcare Ransomware Attack
2. Lessons Learned from the Change Healthcare Ransomware Attack
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
About the Change Healthcare Ransomware Attack
The U.S. healthcare system faced significant disruption following the ransomware attack on Change Healthcare on February 21, 2024. The organisation is a critical intermediary for electronic transactions between health insurers and healthcare providers such as hospitals, pharmacies and doctors, including claims, eligibility checks and payments.
As a result of the attack, patients encountered difficulties in filling their prescriptions. Healthcare providers continue to experience a financial strain due to delays in receiving payments for their services.
The situation has only grown more complicated as it has unfolded. Multiple ransomware groups have claimed responsibility for the breach, complicating the response and investigation. Initially, the ransomware group ALPHV, also known as BlackCat, took credit for the attack, claiming to have stolen 6 TB of sensitive patient data. Change Healthcare reportedly paid an initial ransom of $22 million to secure the stolen data; a second group, RansomHub, then emerged, claiming to hold the same data and demanding a further ransom.
This sequence of events highlighted the challenges and pitfalls of dealing with ransomware attacks, particularly the risk of multiple extortion attempts even after a ransom is paid.
Lessons Learned from the Change Healthcare Ransomware Attack
As the developments in the Change Healthcare ransomware saga unfold, it becomes clearer that this incident holds many lessons for every business leader and information security professional.
On May 1, UnitedHealth Group CEO Andrew Witty testified before the Senate Finance Committee and a subcommittee of the House Energy and Commerce Committee that the decision to pay the ransom was his. It is worth noting that paying did not end the extortion: as described above, a second group went on to demand payment for the same data. The biggest lesson here is the one we repeat in all our ransomware education efforts: Never Pay the Ransom! When it comes to cyber crime, there is NO such thing as honour amongst thieves.
In a written statement, Witty also confirmed that the attackers were inside the Change network for about nine days before systems were shut down. They gained entry through a Citrix remote access portal, using compromised credentials for an account that did not have multi-factor authentication (MFA) enabled.
The lesson here? DO NOT be complacent about cybersecurity hygiene, no matter how big or small you may be. Enforce MFA on every remote access path, not just on some accounts. Invest in cybersecurity awareness training. Focus on getting cybersecurity controls in order, and then test and validate that they are actually enforced.
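One concrete way to "test and validate" an MFA control is to audit the gateway's own authentication logs for successful logins where no second factor was presented, and to see how long such an account was in use. The script below is an added example written for this article; it is not code from Change Healthcare, UnitedHealth Group or Citrix. The log format (space-separated key=value fields) and the sample lines are constructed for illustration; a real gateway or identity provider will use its own format, so the regular expression would need adapting.

```python
"""Audit remote-access logins for missing MFA and estimate how long a
single-factor account was in use.

Added example for this article. The log format and sample lines below are
constructed and simplified; they are not from any real gateway.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
# Fields: timestamp, user, source IP, auth result, MFA method ("none" = password only).
SAMPLE_LOGS = """\
2024-02-12T03:14:07Z user=svc_remote01 src=203.0.113.45 result=success mfa=none
2024-02-12T03:14:09Z user=jdoe src=198.51.100.23 result=success mfa=push
2024-02-12T03:20:41Z user=svc_remote01 src=203.0.113.45 result=success mfa=none
2024-02-13T11:02:55Z user=asmith src=192.0.2.77 result=failure mfa=none
2024-02-15T22:47:12Z user=svc_remote01 src=203.0.113.46 result=success mfa=none
2024-02-20T08:30:00Z user=jdoe src=198.51.100.23 result=success mfa=totp
""".splitlines()

# Assumed line layout; adjust for the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"result=(?P<result>\S+)\s+mfa=(?P<mfa>\S+)$"
)

# Values that mean "no second factor was used".
NO_MFA_VALUES = {"none", "", "-"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_single_factor_logins(lines):
    """Return every successful login where no MFA method was recorded.

    Failed attempts are ignored: the control gap is a *successful* login
    that relied on a password alone.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["result"] == "success" and rec["mfa"] in NO_MFA_VALUES:
            hits.append(rec)
    return hits


def summarise_by_account(hits):
    """Group single-factor logins per account.

    Reports how many times the account logged in without MFA, from which
    sources, and the span between first and last use (dwell time).
    """
    by_user = defaultdict(list)
    for h in hits:
        by_user[h["user"]].append(h)

    summary = {}
    for user, recs in by_user.items():
        first = min(r["ts"] for r in recs)
        last = max(r["ts"] for r in recs)
        summary[user] = {
            "logins": len(recs),
            "sources": sorted({r["src"] for r in recs}),
            "first_seen": first,
            "last_seen": last,
            "span_days": (last - first).days,
        }
    return summary


if __name__ == "__main__":
    report = summarise_by_account(find_single_factor_logins(SAMPLE_LOGS))
    for user, info in report.items():
        print(
            f"{user}: {info['logins']} single-factor logins from {info['sources']} "
            f"between {info['first_seen']:%Y-%m-%d} and {info['last_seen']:%Y-%m-%d} "
            f"({info['span_days']} days)"
        )
```

Run against the constructed sample, the report flags only the service account: three password-only logins from two source addresses over a span of several days, while the two user accounts that presented a push or TOTP factor are not reported. In practice the same check should be cross-referenced with the identity provider's MFA enrolment list, because an account that never appears in the gateway logs can still be unenrolled and exploitable.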
Cyber Incident Planning & Response is another critical area that has received renewed focus in the aftermath of this massive ransomware attack. The organisation has been criticised repeatedly for its handling of the attack and for its impact on medical clinics, billing companies and pharmacies.
It is time to prioritise Cybersecurity Incident Response. Have an Incident Response Plan that takes into account the size of your organisation and the stakeholders that will be affected in case you are hacked.
Have a swift and meticulous response action plan in place. Rehearse this plan over and over again through regular Cyber Attack Tabletop Exercises so that your key team members have practice in responding to crisis situations. Communications become a core component of crisis management when a ransomware attack of this proportion strikes. Ensure that your Incident Response Playbook makes provisions for effective, accurate communications and defines the channels through which each stakeholder will be informed of the developments during a crisis situation.
Remember that attacks like the one on Change Healthcare can never be completely prevented. But you can reduce the likelihood significantly by not being lax about basic cybersecurity hygiene, and you can limit the damage considerably by being fully prepared to recover from a crime of this proportion.
Download our FREE Change Healthcare Document & Summary image and empower yourself with all the knowledge, context and perspective you need to build stronger cyber defences today!