Key Takeaways

1. The Change Healthcare breach occurred due to a lack of Multi-Factor Authentication (MFA) on remote access servers, a HIPAA requirement.

2. The attack disrupted hospitals, medical offices, and pharmacies, affecting patient care, social security numbers, patient health information, insurance claims, and payments.

3. Modifications to existing legislation on personal data protection are likely to prioritize patient privacy.

4. Prevent healthcare data breaches by using end-to-end encryption, strict access controls like role-based access control (RBAC) and multi-factor authentication (MFA), and security measures such as firewalls and anti-malware in line with HIPAA and HITRUST guidelines.

5. HIPAA and HITRUST compliance enforce strict security measures to protect sensitive health data and reduce the risk of breaches.

6. Protect your healthcare organization with I.S. Partners’ expert HITRUST and HIPAA compliance services.

Overview of Change Healthcare Data Breach 2024 

On February 21, 2024, Change Healthcare, one of America’s largest healthcare payment processing companies, was compromised and attacked by ransomware. 

The attackers from the notorious ransomware gang BlackCat, also known as ALPHV, claimed responsibility for this attack. The group managed to perform the following activities:

  • gained access to Change’s data systems through stolen credentials, 
  • exfiltrated up to 6TB of sensitive patient data, and 
  • deployed ransomware that disrupted healthcare billing and payment operations and other processes across its infrastructure. 

This attack is one of the most consequential cyber attacks in the history of the U.S. healthcare system. It was described as having affected a substantial proportion of people in America.

The payment system management company connects more than 1.6 million health professionals, 70,000 pharmacies, and 8,000 healthcare facilities in the US healthcare system. 

As a subsidiary of the global health company UnitedHealth Group, Change serves as a clearinghouse for 15 billion medical claims annually and handles nearly 40% of all health claims.

It’s been months since the attack, and Change Healthcare is still restoring the impacted systems and processes. How could this have happened to a company as large as Change Healthcare?

Vulnerabilities Exploited During the Data Breach 

The Change Healthcare incident occurred simply because the Change remote access servers did not have Multi-Factor Authentication (MFA), an industry standard mandated by the Health Insurance Portability and Accountability Act (HIPAA) for data system security. 

During one of his hearings, the CEO of UnitedHealth, Andrew Witty, revealed, “Change Healthcare was a relatively older company with older technologies, which we had been working to upgrade since the acquisition. For some reason, which we continue to investigate, this particular server did not have MFA on it.”

Change Healthcare was still using 40-year-old legacy software for payment processing, and the absence of MFA on the remote servers allowed the attackers to access the network easily. MFA is a critical security measure that adds an extra layer of protection against identity theft by requiring multiple forms of verification before granting access.

Timeline of Change Healthcare attack

The Office for Civil Rights described the attack as “unprecedented” and prompted a wide investigation.

Reports emerged that a new ransomware group, RansomHub, had demanded payment to prevent the release of stolen data obtained from a former ALPHV affiliate. Leaked screenshots appear to show Change Healthcare data, including patient information, test results, and other sensitive data.

Inside the ALPHV/BlackCat Attack on Change Healthcare

Like many modern ransomware families, ALPHV/BlackCat employed double extortion tactics. While encrypting Change Healthcare data, it also exfiltrated sensitive information and threatened to release it publicly if the ransom was not paid.

ALPHV is a sophisticated ransomware strain that operates under a ransomware-as-a-service (RaaS) model. Under this model, developers create and maintain the ransomware, then lease it out to affiliates who carry out attacks. The profits from these attacks are shared between developers and affiliates.

After infiltrating Change’s remote servers with stolen credentials, the attackers moved laterally through the network, searching for Change Healthcare’s key data and assets. They exfiltrated millions of patients’ Personal Health Information before deploying the ransomware on February 21, which blocked and disrupted access to Change’s services for up to two weeks.

They demanded a ransom for Change’s services to be restored. Change Healthcare allegedly paid the ransom of 350 bitcoins, equivalent to $22 million, on March 3. 

CEO Witty of UnitedHealth stated that the hackers potentially stole about a third of Americans’ protected health information and personally identifiable information, including Social Security numbers, medical records, test results, contact information, and information on active military personnel. The financial impact of the attack has been reported to be up to $872 million.  


Preventing Data Breaches in Healthcare

The 2024 Change Healthcare data breach serves as a stark reminder for all healthcare providers and contractors to intensify their efforts to ensure the safety of their information systems and maintain high vigilance in their daily operations. 

Here are four key takeaways all healthcare organizations must learn from this incident:

Ensure All Compliance Requirements Are Met

Hospitals and healthcare providers must comply with industry regulatory requirements to prevent cybersecurity incidents. Many of the data breaches that happen in healthcare could be prevented if health providers simply adhered to regulatory standards and configured their systems correctly.

The Federal HIPAA Security Rule mandates that health service providers protect electronic health records (EHRs) using appropriate physical and electronic safeguards to ensure the safety of health information. In addition, the HITECH Act strengthens these protections by supporting cloud security in healthcare, enhancing HIPAA enforcement, and requiring stricter data breach notifications.

Together, these regulations help ensure that healthcare providers adopt secure IT systems to safeguard sensitive patient data.

Health Information Trust Alliance Common Security Framework (HITRUST CSF) is a certifiable security and privacy framework that helps healthcare organizations prevent data breaches. It offers a comprehensive set of controls that ensure compliance with HIPAA, reducing the risk of security incidents.

The framework serves as a guide for organizations in the healthcare sector to implement appropriate security policies and procedures. It also helps simplify HIPAA regulations and makes compliance easy. 

Compliance with HIPAA and HITECH regulations through the HITRUST CSF ensures strong authentication, data encryption (both in transit and at rest), access controls, and regular risk assessments. These frameworks, along with regulations like GDPR, are crucial for securing patient data and preventing healthcare data breaches. 


Prioritize Patient Data Protection

Healthcare organizations must make the protection of patient data a top priority. This involves implementing robust security measures such as multi-factor authentication, encryption, and access controls to safeguard sensitive information. SOC 2 controls for privacy and confidentiality are designed to cover all these measures. 

Compliance with the SOC 2 Privacy Rule ensures stringent privacy practices are in place to protect patient data and secure information systems.

Healthcare providers should also consider adopting a “zero trust” security model. Adopting a zero trust model in healthcare extends to mobile device security, ensuring that every device accessing sensitive patient data is treated as a potential threat until verified.

This approach protects against unauthorized access, safeguarding sensitive information like Social Security Numbers (SSNs) and Personally Identifiable Information (PII) even when accessed via mobile devices. Strong safeguards around SSN and PII not only protect patients but also shield healthcare organizations from legal and financial repercussions associated with data breaches.

Perform Third-party Vendor Risk Management

The Change Healthcare data breach highlights the significant risks posed by third-party vendors in the healthcare industry. As healthcare providers increasingly rely on external partners for services, any vulnerabilities in these vendors’ systems can directly impact the security of sensitive patient data.

In this case, the breach highlighted how even trusted vendors can be a weak link in the cybersecurity chain. To mitigate such risks, healthcare organizations must thoroughly vet and continuously monitor third-party vendors, ensuring they comply with strict security protocols and regulations like HIPAA.

Vendor risk assessments and clear contractual obligations for data protection are essential in minimizing vulnerabilities introduced by external partners.

Set up Incident Response and Recovery Plans

Despite preventive measures, data breaches can still occur. Healthcare organizations must always have effective incident response and recovery plans to minimize a breach’s impact through immediate actions. 

These plans should include procedures for quickly identifying, containing, and mitigating the breach and protocols for notifying affected individuals, regulatory authorities, and the public. 

The HIPAA Breach Notification Rule mandates that healthcare clearinghouses, health plans, and any covered entity report data breaches involving protected health information (PHI) to affected individuals within 60 days of discovering the breach.

Organizations must also have a disaster recovery plan to restore lost data and ensure the continuation of operations in the event of a breach. Updating your backup systems to use modern technologies is also very important. 

Working with the right technical audit team is key to HITRUST certification and HIPAA compliance. 

I.S. Partners’ healthcare compliance auditors specialize in helping organizations prepare effectively for various compliance assessments. Our auditors collaborate closely with your team to conduct audits tailored to your specific needs, ensuring that the entire certification process is smooth and stress-free.


Security Strategies For Healthcare Organizations

The Change Healthcare cyberattack, like other incidents in the healthcare sector, serves as a reminder of the vulnerabilities and potential consequences of cyber threats. Nowadays, a comprehensive security system is imperative, and this system must be assessed consistently.

To prevent future cyber incidents, health organizations must perform the following:

Implement RBAC and MFA Strategies

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of authentication, such as a password combined with a one-time code or biometric verification, making it significantly harder for attackers to gain access even if they obtain login credentials.

Role-Based Access Control (RBAC) further enhances security by limiting access to sensitive data based on a user’s specific role within the organization, ensuring that individuals can only access the information necessary for their job functions. Together, these strategies significantly reduce the chances of unauthorized access, helping to prevent data breaches and safeguard sensitive healthcare information.
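The two controls described above can be made concrete in code. The following Go program is an added illustration, not code from the article or from I.S. Partners or Change Healthcare: it enforces MFA for every remote session before consulting a role-based permission matrix, and it audits a constructed server inventory for exactly the gap the article describes, a remote-access server without MFA. The roles, resource names, hostnames and inventory are all invented for the example.

```go
package main

import "fmt"

// Added illustration, not Change Healthcare's or I.S. Partners' code: a small
// policy layer that enforces MFA for remote sessions and RBAC for PHI access.
// Roles, resource names and the inventory below are constructed for the example.

type Role string
type Resource string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleHelpdesk  Role = "helpdesk"

	ResMedicalRecord Resource = "medical_record"
	ResClaim         Resource = "insurance_claim"
	ResAuditLog      Resource = "audit_log"
)

// rolePermissions is the RBAC matrix: each role may read only the
// resource classes its job function needs.
var rolePermissions = map[Role]map[Resource]bool{
	RoleClinician: {ResMedicalRecord: true},
	RoleBilling:   {ResClaim: true},
	RoleHelpdesk:  {ResAuditLog: true},
}

// Session is what the access layer knows about an authenticated session.
type Session struct {
	User    string
	Role    Role
	Remote  bool // came in through a remote-access gateway (VPN, RDP, Citrix-style)
	MFADone bool // a second factor was verified for this session
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize checks MFA before RBAC: a remote session that never completed a
// second factor is refused outright, so a stolen password alone never
// reaches the role check.
func Authorize(s Session, r Resource) Decision {
	if s.Remote && !s.MFADone {
		return Decision{false, "remote session without MFA"}
	}
	perms, ok := rolePermissions[s.Role]
	if !ok {
		return Decision{false, "unknown role " + string(s.Role)}
	}
	if !perms[r] {
		return Decision{false, fmt.Sprintf("role %s may not read %s", s.Role, r)}
	}
	return Decision{true, "ok"}
}

// Server is one entry in a constructed inventory of servers.
type Server struct {
	Name         string
	RemoteAccess bool // exposes an interactive remote-access service
	MFAEnforced  bool // that service requires a second factor
}

// SampleInventory is constructed data for the example; hostnames are fictional.
func SampleInventory() []Server {
	return []Server{
		{"vpn-gw-01", true, true},
		{"legacy-citrix-01", true, false}, // the kind of gap the article describes
		{"claims-db-01", false, false},   // not reachable remotely, so no finding
	}
}

// MFAGaps returns servers that expose remote access without enforcing MFA,
// the audit finding that should be empty before any compliance sign-off.
func MFAGaps(inv []Server) []string {
	var gaps []string
	for _, s := range inv {
		if s.RemoteAccess && !s.MFAEnforced {
			gaps = append(gaps, s.Name)
		}
	}
	return gaps
}

func main() {
	fmt.Println(Authorize(Session{"alice", RoleClinician, true, false}, ResMedicalRecord))
	fmt.Println(Authorize(Session{"alice", RoleClinician, true, true}, ResMedicalRecord))
	fmt.Println(Authorize(Session{"bob", RoleBilling, false, true}, ResMedicalRecord))
	fmt.Println("MFA gaps:", MFAGaps(SampleInventory()))
}
```

The ordering inside Authorize is the design point: the MFA check runs first and does not depend on the role, so an attacker holding a valid password for any account, privileged or not, is stopped at the same place. Many organizations go further and require MFA for on-site sessions too; the example only requires it for remote ones to mirror the control the article names.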

Chris Wliszczak, Information Security Consultant at I.S. Partners, shares an invaluable strategy for protecting sensitive information:

“Double extortion (where threat actors both deploy ransomware and steal the data from their target for sale elsewhere) is the most common modus operandi for threat actors now.

The best way to fight against the sale of sensitive data is to implement effective data at rest and data in motion measures so the data is useless if extracted without the proper keys.”
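What “useless if extracted without the proper keys” looks like in practice is shown by the following Go program, added here as an illustration and not taken from the article or from I.S. Partners. It seals a constructed PHI record with AES-256-GCM from Go's standard library, binding the record identifier as associated data, and then demonstrates that the stored bytes do not contain the clear text, that a different key cannot open them, and that any tampering or re-filing under another record ID is rejected. The record contents and IDs are invented; in a real deployment the key would come from a key management service rather than being generated next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added illustration, not I.S. Partners' or Change Healthcare's code.
// Record contents and IDs below are constructed for the example.

// NewKey returns a fresh 256-bit AES key. In production this comes from a
// key management service, never from the same store as the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one PHI record with AES-256-GCM. The random nonce is
// prefixed to the output, and recordID is bound as associated data so a
// ciphertext cannot be quietly re-filed under another patient.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the ciphertext, the
// key or the record ID makes GCM's authentication tag fail, so tampered or
// mis-filed data is rejected instead of being decrypted to garbage.
func DecryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// LeaksPlaintext reports whether the stored bytes still contain the clear
// text, i.e. whether someone who copies the file learns the record.
func LeaksPlaintext(sealed, plaintext []byte) bool {
	return bytes.Contains(sealed, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte(`{"patient":"EXAMPLE-0001","result":"example"}`) // constructed sample
	sealed, err := EncryptRecord(key, "rec-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored bytes contain plaintext:", LeaksPlaintext(sealed, record))
	plain, err := DecryptRecord(key, "rec-0001", sealed)
	fmt.Println("decrypt with the right key:", string(plain), err)
	other, _ := NewKey()
	_, err = DecryptRecord(other, "rec-0001", sealed)
	fmt.Println("decrypt with another key:", err)
}
```

The same primitive covers data in motion when it is applied per message rather than per record, which is what TLS does for you; the point of the example is that an exfiltrated copy of the data store carries no value to the thief unless the key was taken with it, so key storage and access to it deserve the same rigor as the data.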

Regularly Update and Patch Systems

Outdated software and unpatched vulnerabilities are common entry points for attackers. Healthcare organizations must establish a robust patch management process to ensure that all systems are up-to-date and protected against known security flaws.

Strengthen Employee Training and Awareness

Human error and lack of awareness are often the weakest links in cybersecurity. Although the risk of human error cannot be entirely eliminated in cybersecurity, regular training and awareness programs can help employees recognize and respond to phishing attempts, social engineering, and other common attack vectors.

Healthcare services providers should invest in comprehensive and ongoing cybersecurity training for all employees, highlighting the importance of data protection, identifying potential threats, and following best practices for handling sensitive information.

Implement Real-time Monitoring and Threat Detection

Healthcare organizations need to stay one step ahead of cyber threats, and real-time monitoring and threat detection are critical components of this proactive defense. Continuous monitoring allows for the immediate identification of suspicious activity, enabling swift action to mitigate potential attacks before they can cause harm.

By leveraging advanced tools, healthcare providers can track unauthorized access attempts, detect abnormal behaviors, and respond to incidents in real time. This reduces the window of opportunity for cybercriminals and enhances the overall security posture of the organization.
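The kinds of signals such monitoring looks for can be shown with a small detection routine. The Go program below is an added example, not code from the article or from I.S. Partners: it parses constructed key=value log lines from remote-access gateways and a claims database and applies three rules, a successful login with no second factor, a burst of failed logins followed by a success for the same account, and an export far above normal volume. The log format, hostnames, account names, timestamps and thresholds are all invented for the example; a real pipeline would tune the thresholds to the organization's baseline.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Added illustration, not I.S. Partners' or Change Healthcare's code. The log
// format, hosts, users, timestamps and thresholds are constructed for the example.

const (
	failureWindow    = 10 * time.Minute // how far back failed logins count
	failureThreshold = 5                // failures before a success that trigger an alert
	exportThreshold  = 10000            // records per export considered bulk
)

// SampleLog is constructed input: logins at remote-access gateways and
// exports from a claims database, as key=value lines.
var SampleLog = []string{
	"ts=2024-02-17T03:00:01Z event=login host=vpn-gw-01 user=dr.lee src=198.51.100.4 result=success mfa=totp",
	"ts=2024-02-17T03:10:02Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=failure mfa=none",
	"ts=2024-02-17T03:10:05Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=failure mfa=none",
	"ts=2024-02-17T03:10:09Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=failure mfa=none",
	"ts=2024-02-17T03:10:12Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=failure mfa=none",
	"ts=2024-02-17T03:10:15Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=failure mfa=none",
	"ts=2024-02-17T03:10:20Z event=login host=rdp-gw-02 user=svc_backup src=203.0.113.7 result=success mfa=none",
	"ts=2024-02-17T03:41:00Z event=export host=claims-db-01 user=svc_backup records=120000",
	"ts=2024-02-17T08:05:00Z event=export host=claims-db-01 user=billing.ops records=250",
}

type Event map[string]string

type Alert struct {
	Rule, User, Detail string
}

// Parse splits a space-separated key=value line into a map; tokens without
// '=' are ignored so a malformed line cannot crash the detector.
func Parse(line string) Event {
	ev := Event{}
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			ev[k] = v
		}
	}
	return ev
}

// Detect runs the three rules over the lines in order and returns the alerts.
func Detect(lines []string) []Alert {
	var alerts []Alert
	failures := map[string][]time.Time{} // recent failed logins per account
	for _, line := range lines {
		ev := Parse(line)
		ts, err := time.Parse(time.RFC3339, ev["ts"])
		if err != nil {
			continue // unparseable timestamp; a real pipeline would count these
		}
		user := ev["user"]
		switch ev["event"] {
		case "login":
			if ev["result"] == "failure" {
				failures[user] = append(failures[user], ts)
				continue
			}
			if ev["result"] != "success" {
				continue
			}
			// Rule 1: a session that never presented a second factor.
			if ev["mfa"] == "none" {
				alerts = append(alerts, Alert{"login-without-mfa", user, "host=" + ev["host"]})
			}
			// Rule 2: password guessing or credential stuffing that finally worked.
			recent := 0
			for _, t := range failures[user] {
				if ts.Sub(t) <= failureWindow {
					recent++
				}
			}
			if recent >= failureThreshold {
				alerts = append(alerts, Alert{"failed-burst-then-success", user, strconv.Itoa(recent) + " failures before success"})
			}
			delete(failures, user)
		case "export":
			// Rule 3: a pull of records far above the normal working volume.
			n, _ := strconv.Atoi(ev["records"])
			if n > exportThreshold {
				alerts = append(alerts, Alert{"bulk-export", user, ev["records"] + " records from " + ev["host"]})
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Detect(SampleLog) {
		fmt.Printf("%-26s user=%-12s %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Run on the sample, the routine raises three alerts on the same service account: the MFA-less login, the five failures that preceded it, and the large export half an hour later. Seen together they describe the sequence the article attributes to the breach, which is why correlating alerts by account rather than reviewing them one at a time is what turns monitoring into detection.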


Anticipate Critical Regulatory Shifts After the Attack

The nationwide impact of the Change Healthcare data breach has drawn significant attention from federal regulatory agencies, as well as the United States Congress.

Rep. Richard Neal (D-MA), the top Democrat on the House Ways and Means Committee, told the Washington Post that the “recent cyberattack on Change Healthcare and the resulting fallout demonstrates the potential consequences we face if we do not take appropriate measures to protect and secure our data.”

Going forward, we can expect to see new modifications and legislation regarding health data protection to ensure organizations prioritize the security of patients’ data.

“Some cyber requirements are in the works for providers that accept Medicare and Medicaid,” Anne Neuberger, U.S. Deputy National Security Advisor for Cyber and Emerging Tech, told the Washington Post. Currently, no baseline standards for cybersecurity exist for healthcare organizations.

Sen. Ron Wyden (D-OR), the Senate Finance Committee chair, also plans to introduce legislation to establish minimum cybersecurity standards. In a press release, he noted that the legislation would include “fines and accountability for negligent CEOs” to protect patients and national security. 

Wyden stated, “I’m also investigating whether additional legislation is needed to bolster security in the healthcare sector, including increasing financial penalties and holding company executives liable for failing cybersecurity 101.”

The Impact of Cyberattacks on Healthcare

The healthcare industry experiences more data breaches than any other sector and is a major target for cyber-attacks and ransomware. According to Becker’s Hospital Review, one out of every three large data breaches involves a hospital or health system. The recent Change Healthcare cyberattack in February is part of a troubling trend.

A report from Wired showed that since that incident, over 44 more cases of data breaches and ransomware attacks have been reported across the healthcare industry in the U.S. These records and patterns clearly show an upward trend in healthcare security breaches. 

Protected Health Information (PHI) is highly valuable on the black market. According to the InfoSec Institute, while credit card information and Personally Identifiable Information (PII) sell for $1-$2, PHI can sell for as much as $363. This high value makes healthcare data a prime target for cybercriminals.

Healthcare security breaches threaten patients’ personal privacy and can result in major compliance fines and long-lasting damage to reputation and trust.

These trends and statistics are a wake-up call for everyone in the health industry to get serious about securing their data systems and complying with industry standards for data protection to ensure the safety of patient data. 

Protect Your Data with Proven Compliance Solutions

The 2024 breach at Change Healthcare stands as a stark reminder that no healthcare organization is too large or too established to fall victim to cyberattacks. With millions of patients’ sensitive information exposed and essential services disrupted, this incident highlights the urgent need for stronger security measures in healthcare.

What Should You Do Next?

Healthcare providers must take decisive action to prevent similar breaches and protect patient data. I.S. Partners offers three essential services to help:

  1. HITRUST CSF Certification. Achieving HITRUST CSF certification ensures your organization meets the highest standards for data protection and compliance with HIPAA regulations. Our team guides you through the certification process, implementing robust security frameworks that safeguard patient information.

  2. HIPAA Compliance Consulting. Staying HIPAA-compliant is critical to avoiding breaches and fines. Our consultants work closely with your team to implement proper safeguards and protocols, ensuring full compliance with all HIPAA requirements.

  3. SOC 2 Audits. SOC 2 audits assess the security, confidentiality, and privacy controls within your organization, providing assurance that your systems are protected against potential cyber threats. We help you identify gaps and strengthen your defenses.

The Change Healthcare breach underscores the importance of proactive cybersecurity and compliance efforts. Don’t wait until it’s too late—contact I.S. Partners today to protect your organization and your patients.
