UnitedHealth Group Still Recovering From February 'BlackCat' Hack, "Getting Everything Back To Normal Can Be A Multi-Month Process"

Largest Health Insurer In The United States Suffers A Massive Breach

In one of the most disruptive hacks against American healthcare infrastructure, security experts say it will take at least several months for UnitedHealth Group to make a full recovery from the cyberattack.

Hacking group ALPHV, also known as "BlackCat," infiltrated the largest US health insurer's computer systems on Feb. 21. Since the breach of security, United Health reports it continues to work on restoring the impacted channels and that some of its systems are returning to normal.

"The amount of disruption suggests they don't have alternate systems at the ready," said Chester Wisniewski, a director at the cybersecurity firm Sophos. "It's been 13, 14 days, and that is already longer than I'd expect for backup systems to be spun up."

Reuters reports change processes about 50% of medical claims in the US for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories. About 1 in 3 US patient records are touched by its health technology offerings, creating an ideal target for hackers in search of easy access to a large swathe of healthcare data.

Patients directly impacted may see a quicker turnabout, "but the back end, it takes a couple of months, or upwards of a year," said Wisniewski, who has tracked such breaches for over 20 years.

A spokesman from UnitedHealth indicated the company is focusing on the investigation behind the hack and restoring operations at Change Healthcare as quickly as possible.

To contain the situation, US officials have stepped in to help control the chaos. The breach also affected smaller medical care providers who were hit particularly hard, with many struggling to process payments.

The giant healthcare company has not revealed whether ALPHV demanded a ransom, but an online post to a cybercrime forum claims the company paid $22 million to the hackers to regain access to its locked systems and around eight terabytes, or eight million megabytes, of data that was stolen.

Such decryption can take "unreasonable amounts of time, depending on the file sizes and systems in question," said Kurtis Minder, co-founder of cyber intelligence firm GroupSense.

According to Minder, recovery timelines range from a few weeks to "long and longer."

Ahead of its most damaging hack, ALPHV was hitting hospitals and small healthcare providers.

Minder has helped several companies negotiate ransoms, including an eye care clinic that was an ALPHV target last year.

"To Truly Disrupt These Folks, You'd Have To Arrest Them"

"Of the groups that we've dealt with in ransomware, ALPHV has been some of the more antagonistic or difficult to deal with," Minder said, adding that the gang was particularly persistent against its targets and stubborn at negotiating ransoms.

ALPHV is a Russian-speaking cybercrime gang and since 2021 has provided its own malicious software and infrastructure to other hacking units. In December, the FBI obstructed its operations, which were considered the world's second most prolific 'ransomware-as-a-service' entity.

At the time, the FBI claimed it had seized several ALPHV websites and received insight into its computer network. However, the Change hack has raised concern over how instrumental the agency's actions really were.

Signs are pointing to an unusual silence from ALPHV. Following the Change Healthcare hack, the cybergang appears to have disappeared.

But it is common for such groups to rebrand and resurrect themselves, analysts say." To truly disrupt these folks, you'd have to arrest them," said Minder.

Such arrests are difficult, he said, given that these gangs are often based in countries the US does not have extradition treaties with.

Tags
United States, Russia, FBI, Hospitals
Real Time Analytics