In fact, ransomware attacks against healthcare targets were on the rise even before the Change Healthcare attack, which crippled the United Healthcare subsidiary’s ability to process insurance payments on behalf of its healthcare provider clients starting in February. of this year. Recorded Future’s Liska notes that each month of 2024 has seen more healthcare ransomware attacks than the same month in any previous year he has tracked. (While this May’s 32 healthcare attacks are fewer than the 33 in May 2023, Liska says he expects the latest number to rise as other incidents continue to come to light.)
However, Liska still points to the April spike visible in the Recorded Future data in particular as a likely after-effect of the Change debacle: not only the huge ransom Change paid to AlphV, but also the highly visible disruption caused by the stroke. “Because these attacks are so impactful, other ransomware groups see an opportunity,” says Liska. It also notes that healthcare ransomware attacks have continued to grow even compared to overall ransomware incidents, which remained relatively stable or declined overall: In April, for example, there were 1,153 incidents compared to 1,179 in the same month of 2023.
When WIRED approached United Healthcare for comment, a company spokesperson noted the overall increase in ransomware attacks on healthcare starting in 2022, suggesting the overall trend predates the Change incident. The spokesperson also cited testimony that United Healthcare CEO Andrew Witty gave at a Congressional hearing about the Change Healthcare ransomware attack last month. “As we address the numerous challenges in responding to this attack, including the ransom demand, I have been guided by the overriding priority of doing everything possible to protect people’s personal health information,” Witty said at the hearing. “As CEO, the decision to pay a ransom was mine. This was one of the hardest decisions I have ever had to make. And I wouldn’t wish that on anyone.”
The deeply complicated Change Healthcare ransomware situation was further complicated (and made even more conspicuous to the ransomware hacker underworld) by the fact that AlphV appears to have taken Change’s $22 million extortion fee and abandoned to their hacker partners, disappearing without giving those affiliates their share. of the profits. This led to a very unusual situation where affiliates offered the data to a different group, RansomHub, which demanded a second ransom from Change and threatened to leak the data on its dark website.
That second extortion threat inexplicably disappeared from the RansomHub site. United Healthcare declined to answer WIRED’s questions about that second incident or whether it paid a second ransom.
However, it is widely believed by many ransomware hackers that Change Healthcare actually paid two ransoms, says Jon DiMaggio, a security researcher at cybersecurity firm Analyst1, who frequently speaks with members of ransomware gangs to gather information. “Everyone was talking about the double bailout,” DiMaggio says. “If the people I talk to are excited about this, it’s not hard to think that other hackers are too.”
The noise that situation created, as well as the scale of disruption to healthcare providers due to Change Healthcare’s downtime and its large ransom, served as the perfect advertisement for the lucrative potential of hacking fragile and high-risk victims. health care, DiMaggio says. “Healthcare has always had a lot to lose, it’s something the adversary has now realized through change,” he says. “They had a lot of influence.”
As those attacks multiply (and some healthcare victims have likely shelled out their own ransoms to control the damage to their life-saving systems), the attacks are unlikely to stop. “He always seemed like an easy target,” DiMaggio notes. “Now he seems like an easy target who is willing to pay.”
