How Hacks Happen

Change Healthcare Breach

Many Worlds Productions Season 3 Episode 4

Change Healthcare Breach

If you were one of the millions of unlucky people who received a data breach letter from a company called Change Healthcare recently, you might have wondered, who the heck is Change Healthcare, and why do they even have my data? In this episode we'll talk about Change Healthcare: who they are, how they got breached, and how you may have been affected, and also what you can do to keep yourself safe in the aftermath of the breach. 

This episode is about a breach in 2024 of a healthcare-related system, a breach that affected up to one in three Americans, over 100 million people. A breach that included personal data about your own healthcare, data that you might not even know was being gathered and stored. I'm Michele Bousquet, cybersecurity researcher, author, and teacher. And this is How Hacks Happen.

What is CHC?

Change Healthcare is a company that provides a bunch of services to the healthcare industry. One of the biggest parts of their business is managing healthcare claims, acting as a go-between for providers and payers, the providers being doctors and pharmacies and hospitals, and the payers being insurance companies.

When you go to see your doctor and they put in a claim for your visit, the claim itself probably doesn't go directly to the insurance company. Instead, it very likely goes to a go-between service like Change Healthcare. The system is designed to streamline the process, taking your doctor's claim and standardizing the formatting, for example, before sending it off to the appropriate insurance company. This makes it easier for the insurance company to process the claim, and they can even pay the doctor directly through this go-between service. 

This helps your doctor too. Your doctor's many patients probably have many different insurance providers, and if your doctor's office had to deal with each one directly every time a patient came in, it could make for a lot of administrative work. Instead, the doctor's office uses a service like Change Healthcare to process all their insurance claims and collect their payments, which ideally, saves the doctor's office time and money and hassle.

And on top of that, healthcare is constantly changing. Insurance companies have rules about what information they need to process a claim, and the types of claims they will accept and won't accept, and these rules change all the time. It's a lot to expect a doctor's office to stay on top of all that stuff, for every insurance company. With a service in the middle, between the doctor and the payer, the service can stay on top of these kinds of changes and help make sure that claims are filed properly.

And Change Healthcare has a huge portion of the healthcare claims processing market. I've seen estimates ranging from 15% to 50%, depending on who you ask. That's a lot of people, a lot of patients, and a lot of data.

So, back to the transaction processing. When Change Healthcare processes an insurance claim, they need a bunch of data. They need to know who the provider was, your doctor or hospital or clinic or dentist or whoever. Also information about you, like your name, age, and social security number. And also the name of the insurance company the claim is going to be filed with.

All this data would be kept in databases. There was probably one database of healthcare providers like doctors and hospitals, another of patients, and a third one of insurance companies. And a fourth database with all the transactions in it, storing the doctor, patient, insurance company, date of the visit, what it was for, how much it cost, and so on. And to keep things neat and tidy, this fourth database wouldn’t store all the information about each of the parties involved. There would probably just be an identifier for the doctor, for example, like an ID number that points back to the doctor database. And for the patient, it might be just their social security number that points back to the patient database.

So after you see the doctor, they would send your personal information to their service, for example, Change Healthcare. I'm just going to call Change Healthcare CHC here, just for simplicity. So anyway, the doctor would send your personal information to CHC: your name, address, social security number, what the doctor visit was about, who the insurance company was. CHC would then store all of this in databases so they could process the claim, and they would also keep it in the databases in case they needed to reference it later, like for a history.

This means that CHC had the personal information of many millions of people. Now, how did they get it? Well, you probably signed a consent form at the doctor’s office saying that they could share your personal information when necessary, to keep the wheels of medical care turning. But you probably didn’t consider that it might be stored in some other company’s database. 

Anyway, that’s who CHC is, and why you probably never heard of them until you got that letter. I don’t know about you, but I’ve never asked my doctor which payment service he uses. Because of HIPAA, I assumed it would all be safe. HIPAA stands for the Health Insurance Portability and Accountability Act, and HIPAA has strong rules about keeping patient information safe and confidential. And any consent form I signed about sharing information, I thought was more about giving permission to transfer my medical records to a hospital if I was admitted there for treatment or something. When CHC came up on my radar, the entire industry was kind of news to me.

So that’s all about CHC. Let’s talk about the breach.

The Hack

In February of 2024, Change Healthcare suffered a massive hack. A hacker group that calls itself ALPHV, also known as BlackCat, is the one that took responsibility for it. I’m just going to say BlackCat, because I’m not really sure how to say ALPHV. It kind of sounds like Alfie, which is way too cute a name for these people.

Anyway, BlackCat had somehow gotten onto one of CHC’s servers. They knocked around in there for about a week, and then exported a whole bunch of data, and after that, they froze the database by encrypting the data, making it completely inaccessible to CHC employees, or anybody, for that matter. Then BlackCat demanded $22 million in Bitcoin in exchange for the decryption key, and the hackers also promised that they would delete their own copy of the data if the money was paid. 

This is called a ransomware attack, because the attacker is basically using software to hold data for ransom. You pay the ransom, you get the data back. Simple as that.

CHC immediately shut everything down so the ransomware wouldn’t spread to other systems. CHC is part of UnitedHealth, a big conglomerate that includes a bunch of other healthcare services, and CHC successfully kept the ransomware from spreading. But the shutdown caused chaos in parts of the healthcare system, where hospitals, pharmacies, and doctors couldn’t connect to CHC for days, and in some cases weeks. Pharmacies, for example, couldn’t fill prescriptions that relied on a connection to CHC for billing.

CHC called the FBI, and called in experts from Google, Cisco, Microsoft, Amazon, and also Mandiant, which is a prominent cybersecurity firm. A few weeks after the breach, in March 2024, UnitedHealth, the parent company of CHC, they paid the $22M ransom and they got the decryption key, so CHC could get its data back and resume operations. 

But the hackers didn't hold up the second part of the bargain: they did not delete their own copy of the data. Instead, they passed it on to another hacker group called RansomHub, who then demanded more ransom money to delete the data. But by this time, I guess CHC had wised up and they didn't pay any more ransom money. And subsequently, the data was leaked on the Dark Web, on RansomHub's own leak site.

CHC then had the unsavory task of sending letters to over 100 million people, explaining to them that their personal information had been leaked to hackers. They also advanced loans to health care providers who couldn’t collect from insurance companies during the time CHC was locked down. And they rebuilt their systems from the ground up to have all the security possible. All this cost nearly $3B.

So how did this hack happen? Nobody knows for sure how the hackers got a login and password to get into one of CHC’s servers. It could have been through a phishing email, or it could have been brute force, where the hackers hammered the server with every possible login and password until they found one that worked. 

Then, once the hackers got inside, they found their way to the system that controls permissions on the network, and escalated their own permissions so they could reach the databases. Those permissions were managed in Windows Active Directory, the directory service that most corporate Windows networks use to keep track of user accounts and what each account is allowed to reach. Like, you don't want Marketing people to be able to access Accounting, so different users have different levels of permission. It’s thought that the hackers attacked Active Directory accounts by brute force to get themselves the highest permissions possible. Then they copied the data off to their own server, encrypted the data that was sitting on CHC’s server, and made their ransom demand.

Hey, my Hack Dodgers, can you spot the places where security was lax here? There were a bunch of points where the hack could have been stopped in its tracks, but wasn’t. 

Let’s break it down. Break it down, break it down… a little musical interlude. Let's get to it.

Where Did CHC Go Wrong?

Let's do some Cybersecurity Baseball.

Announcer: "Good evening Ladies and Gentlemen, and welcome to tonight's game!"

Strike 1, was that the server login just required a password. There was no multi-factor authentication on the server. None at all! No having to enter a code or use an authenticator app or security key or any number of other ways to enable multi-factor authentication. I mean, I can’t even log into Google without multi-factor authentication these days.

And there wasn’t anything in place for detecting a repeated pattern of wrong logins and passwords. You might have seen this kind of thing on a sensitive website, like maybe for your bank, where if you enter the wrong password three times, they lock you out and you have to call them up to get access to your account again. Or they make you wait 15 minutes to try again. Something to slow you down. On the CHC server, there wasn’t anything like this.
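To make Strike 1 concrete, here is an added example (written for this page, not code from Change Healthcare or the episode) of what the missing pieces look like in one small login gate: a second factor (RFC 6238 TOTP, the thing your authenticator app computes) on top of the password, and a sliding-window lockout that stops a brute-force run after a handful of failures. The lockout numbers are assumed, the secret is the published RFC test secret, and the whole thing runs offline. Note that the caller is never told which factor was wrong, and that the password is not even evaluated while the account is locked, so the gate can't be used as an oracle.

```python
import base64
import hashlib
import hmac
import os
import struct
from collections import defaultdict, deque

# Lockout policy (assumed values, not CHC's): five bad attempts inside
# fifteen minutes locks the account for fifteen minutes.
MAX_FAILURES = 5
FAILURE_WINDOW = 15 * 60
LOCKOUT_SECONDS = 15 * 60

# RFC 6238's published test secret ("12345678901234567890" in base32),
# used here only so the expected codes are known in advance.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class AuthGate:
    """Password + TOTP login with a sliding-window lockout on repeated failures."""

    def __init__(self):
        self.users = {}                      # username -> (salt, pbkdf2 hash, totp secret)
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures
        self.locked_until = {}               # username -> time the lockout expires

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, totp_secret):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt), totp_secret)

    def _totp_ok(self, secret, code, now):
        # Accept the current step and its neighbours to tolerate clock drift.
        return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))

    def attempt(self, user, password, code, now):
        """Returns 'ok', 'locked' or 'bad_credentials'. Callers never learn which factor failed."""
        if self.locked_until.get(user, 0) > now:
            return "locked"          # do not even evaluate the password while locked

        record = self.users.get(user)
        if record is None:
            # Unknown user: burn the same hashing cost so timing does not reveal valid names.
            self._hash(password, b"\x00" * 16)
            ok = False
        else:
            salt, digest, secret = record
            pw_ok = hmac.compare_digest(self._hash(password, salt), digest)
            otp_ok = self._totp_ok(secret, code, now)   # evaluated regardless of pw_ok
            ok = pw_ok and otp_ok

        if ok:
            self.failures.pop(user, None)
            return "ok"

        recent = self.failures[user]
        recent.append(now)
        while recent and recent[0] <= now - FAILURE_WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
        return "bad_credentials"
```

With this in place, a stolen password alone gets an attacker nothing without the current six-digit code, and hammering the login with guesses trips the lockout after five tries instead of running unopposed.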

Strike 2 was the way the databases were stored. Apparently the databases were all right there, available to grab. CHC hadn’t segmented the databases in a way that would slow hackers down, so that they would have to go to different parts of the system, and log in again with different credentials, to get access to other parts. If this type of mistake rings a bell, it’s because Equifax made the same mistake back in 2017 when they suffered their enormous breach. You can hear all about it in our very first episode, which is about Equifax.
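Here is an added example, built for this page rather than taken from CHC, that ties the database layout described earlier (a transactions table pointing back at a patient table by social security number) to Strike 2. It builds two toy layouts in SQLite with constructed sample records. In the first, one store holds everything and the claims rows are keyed by SSN, so whoever can read the claims table gets identity and diagnosis in a single grab. In the second, the claims store carries only an opaque patient ID, and the names and SSNs live in a separate identity store that needs its own credential. A legitimate lookup still works, but it needs both doors.

```python
import sqlite3

# Constructed sample records (hypothetical people, not CHC data).
PATIENTS = [
    ("Ada Lovelace", "1985-12-10", "123-45-6789"),
    ("Alan Turing", "1979-06-23", "987-65-4321"),
]
# (patient index, provider, payer, service date, diagnosis, amount in cents)
CLAIMS = [
    (0, "Dr. Smith", "BlueCo", "2024-01-15", "rotator cuff tear", 45000),
    (1, "City Hospital", "GreenCo", "2024-01-20", "fractured wrist", 120000),
]
CLAIM_COLS = "provider, payer, service_date, diagnosis, amount_cents"


def build_monolithic():
    """One database where the claims table points at the patient by SSN."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE patients (ssn TEXT PRIMARY KEY, name TEXT, dob TEXT);
        CREATE TABLE claims (claim_id INTEGER PRIMARY KEY,
                             patient_ssn TEXT REFERENCES patients(ssn),
                             {CLAIM_COLS.replace(',', ' TEXT,')} INTEGER);
    """)
    db.executemany("INSERT INTO patients VALUES (?,?,?)", [(s, n, d) for n, d, s in PATIENTS])
    db.executemany(f"INSERT INTO claims (patient_ssn, {CLAIM_COLS}) VALUES (?,?,?,?,?,?)",
                   [(PATIENTS[i][2], *rest) for i, *rest in CLAIMS])
    return db


def build_segmented():
    """Two stores behind separate credentials: claims carry only an opaque patient_id;
    the identity store is the only place that maps that id to a name or SSN."""
    identity = sqlite3.connect(":memory:")
    identity.executescript(
        "CREATE TABLE patients (patient_id INTEGER PRIMARY KEY, name TEXT, dob TEXT, ssn TEXT UNIQUE);")
    identity.executemany("INSERT INTO patients (name, dob, ssn) VALUES (?,?,?)", PATIENTS)

    claims = sqlite3.connect(":memory:")
    claims.executescript(f"""
        CREATE TABLE claims (claim_id INTEGER PRIMARY KEY, patient_id INTEGER,
                             {CLAIM_COLS.replace(',', ' TEXT,')} INTEGER);
    """)
    claims.executemany(f"INSERT INTO claims (patient_id, {CLAIM_COLS}) VALUES (?,?,?,?,?,?)",
                       [(i + 1, *rest) for i, *rest in CLAIMS])   # ids are assigned in insert order
    return identity, claims


def dump_claims(db):
    """What someone holding only the claims credential walks away with."""
    cur = db.execute("SELECT * FROM claims")
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def identifies_patient(rows):
    """True if any dumped column is a direct identifier such as an SSN."""
    return any("ssn" in col for row in rows for col in row)


def full_records_monolithic(db):
    """In the single-store layout one JOIN yields name, SSN and diagnosis together."""
    return db.execute("""SELECT p.name, p.ssn, c.diagnosis
                         FROM claims c JOIN patients p ON p.ssn = c.patient_ssn""").fetchall()


def resolve_claim(identity, claims, claim_id):
    """The legitimate path in the segmented layout: two lookups, two credentials."""
    patient_id, diagnosis = claims.execute(
        "SELECT patient_id, diagnosis FROM claims WHERE claim_id = ?", (claim_id,)).fetchone()
    (name,) = identity.execute(
        "SELECT name FROM patients WHERE patient_id = ?", (patient_id,)).fetchone()
    return name, diagnosis
```

The point is not that SQLite has any access control of its own (it doesn't), but that the schema decides how much a single compromised credential is worth: with the SSN as the foreign key, a dump of the transactions table is already a breach letter waiting to happen.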

Back to CHC. Strike 3 was how easy it was, apparently, for the hackers to export the information. Exporting data on the sly like this is called “exfiltration” in cybersecurity. Firewalls, egress filtering, and network monitoring are supposed to guard against exfiltration, by looking at the traffic leaving the network and flagging anything that doesn't look quite right. Like, entire databases leaving the building, something like that.  

Equifax had this problem, too. In Equifax’s case, it was a misconfigured router that made it possible for hackers to exfiltrate the data of half of the adults in the United States, over a period of several months. The issue of a misconfigured router wasn’t mentioned in any of the news reports or government reports I read about the CHC breach, but the hackers did manage to get six terabytes out in one week. For reference, one terabyte is 1,000 GB, which is enough to store many hundreds of full-length movies at HD quality. This, when the Equifax hackers took several months to exfiltrate a much smaller amount of data, like a few GB. So I’d bet that undetected exfiltration was a weak area for CHC, too.
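Six terabytes in a week is not subtle, and the simplest check that would have lit up is the one in this added example (written for this page; not CHC's monitoring, and the flow records and address ranges are constructed). It sums, per host and per day, the bytes sent to destinations outside the organisation's own address space, learns a baseline from a quiet week, and flags any day where a host's egress exceeds both a fixed floor and ten times its usual median. The internal ranges, the thresholds and the sample hosts are all assumptions.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

GB = 10**9

# The organisation's own address space (assumed). Transfers to these ranges are
# internal replication, not egress, so they are excluded from the totals.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def sample_flows():
    """Constructed daily flow summaries: (day, source host, destination IP, bytes out).
    Hypothetical numbers, not CHC telemetry. db-01 quietly ships ~850 GB a day to one
    outside address during the second week, roughly 6 TB in total."""
    flows = []
    for d in range(1, 15):
        day = f"2024-02-{d:02d}"
        flows.append((day, "db-01", "10.0.0.5", 300 * GB))        # internal replica sync
        flows.append((day, "db-01", "203.0.113.10", 2 * GB))      # routine partner feed
        flows.append((day, "web-01", "198.51.100.7", 40 * GB))    # normal web traffic
        if d >= 8:
            flows.append((day, "db-01", "192.0.2.77", 850 * GB))  # constructed exfiltration
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_egress_per_day(flows):
    """Bytes each host sends to destinations outside INTERNAL_NETS, keyed by (host, day)."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if not is_internal(dst):
            totals[(host, day)] += nbytes
    return totals


def detect_exfiltration(flows, baseline_days, multiplier=10, floor_bytes=50 * GB):
    """Return (host, day, bytes) for each day, outside the baseline period, where a host's
    external egress exceeds max(floor_bytes, multiplier * its median baseline day)."""
    totals = external_egress_per_day(flows)
    baseline = defaultdict(list)
    for (host, day), nbytes in totals.items():
        if day in baseline_days:
            baseline[host].append(nbytes)

    flagged = []
    for (host, day), nbytes in sorted(totals.items()):
        if day in baseline_days:
            continue
        median = statistics.median(baseline[host]) if baseline[host] else 0
        threshold = max(multiplier * median, floor_bytes)
        if nbytes > threshold:
            flagged.append((host, day, nbytes))
    return flagged
```

A real deployment would feed this from NetFlow or firewall logs and alert on the first flagged day rather than after the fact, but the arithmetic is the same: a database server that normally sends a couple of gigabytes a day to the outside world does not suddenly need to send hundreds.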

That’s three strikes. And just like in baseball, three strikes and you’re out!

Let’s take a look at how things played out for CHC, versus how it could have gone for them.

Dealing with Ransomware

Now, CHC had a number of things they could have done after they got the ransomware threat. One of the protections against ransomware is having very good backups. So if someone has encrypted all your data, and says, "I won't give you the decryption key until you pay me," you can just go "Ha ha," and flip them the bird, and restore your backups. That's what Danish shipping company Maersk did when they got hit with the NotPetya attack back in 2017. They skipped the ransom and rebuilt from their backups. It took them about ten days, but they got everything back up and running without paying anything to hackers.

For CHC, paying the ransom kind of worked out. At least they got the decryption key, which was something. The hackers could have just taken the money and run, there would have been no penalty for them. And it does happen with some ransomware attacks. Thank you for the money, you don’t get the key. Ha ha, goodbye. Thank you.

But the CHC hackers didn’t keep up the other end of the bargain, which was to delete their own copy of the data. And you could argue that this was the more important part of the CHC breach, that hackers had the data and could sell it or release it to hackers at large. But personally, I think CHC was lucky to even get the decryption key.

In the cybersecurity industry, paying ransoms is frowned upon, it’s considered generally not a good idea. When a company pays a ransom for their data, it kind of hurts everyone, because it encourages more hackers to do ransomware attacks. Think of it from the flip side, and imagine if no one paid hackers after a ransomware attack. Hackers would stop doing them after a while, because there’d be no money in it.

At the same time, I don’t blame CHC for paying the ransom, because they were also trying to protect their customers and avoid a PR nightmare. But sadly, that didn’t work out.

Hacker Infighting

While there isn’t much that’s funny about this hack, there is one part that is kind of funny: the hackers involved are apparently squabbling amongst themselves over money. BlackCat was working with an affiliate group that carried out the actual attack (we don't know the name of this group), but BlackCat was the one that received the funds and was supposed to share the ransom payout with the affiliate. Instead, BlackCat faked a government takedown on their own website to avoid sharing the money. The affiliate is now pissed off at BlackCat, and apparently gave the data to RansomHub so RansomHub could demand more money and the affiliate could finally get paid. 

Who knows what's going to happen here. I’d like to think that all that squabbling might end up with one of the hackers getting so annoyed that they delete all the data. But that didn’t happen, and now the data is out there. It's out in the wild, and there's no way of clawing it back.

I guess it's kind of like what Shakespeare once said, what was it? It was, “Hell hath no fury like a hacker scorned.” At least, I think he would have said that if he’d been around to see what's going on today in the world of cybersecurity.

How Can You Stay Safe?

Enough with the fun stuff. Let’s talk about how the CHC hack might affect you personally, and what you can do about it.

As I’m fond of saying, your social security number has probably been compromised at this point, whether from Equifax or CHC or some other breach. And the main danger of having your SSN out there, is identity theft, the danger that hackers or criminals will use it to take out loans and credit cards with it, and stick you with the bill. And the best way to guard against that happening, is to freeze your credit with the three big credit reporting agencies: Experian, TransUnion, and Equifax. 

You should also put yourself on high alert with regard to emails, texts, and phone calls that pertain to medical issues. One of the ways that hackers could exploit these medical records is to send out phishing emails that have to do with your personal medical situation. And since that's personal and usually only known to you, and your doctor, the people at his or her office, and maybe a few close friends or family, when you get a medically related email, you wouldn’t be suspicious of it. But now, that’s no longer true. The hackers know all about you now.

As an example, suppose you have something like a torn rotator cuff and you need surgery on your shoulder. A hacker might send you an email about a physical rehab center opening right down the street from you, where you can get convenient and inexpensive post-operative care covered by your insurance. The email even looks legit. It's from something like NewtownRehab.com. Sounds great, right? All you need to do is send them $500 to secure your spot in the patient roster. The trick is, the rehab center is fake, the website was put together three days before, and your $500 is probably gone overseas somewhere and you'll never get it back. In this case, the hacker would be using a very clever phishing tactic called spear phishing, because it's targeted directly at you, based on something specific the hacker knows about you, in this case your medical situation. So be aware that that could happen. 

Another phishing situation might be things like fake invoices for lab tests or lab results, saying you have to pay $50 or $200 or more than that even to get your lab results. Just click here. Just click right there, right there in the email, to pay it. No, don’t. 

But these kinds of emails can be very convincing. The invoice can look realistic, the name of the lab could be very similar to one that's an actual lab.

If you get emails or texts or phone calls that tell you that you have to pay for something medically related right now, click here, pay for it on the phone right now, whatever, don’t click on anything in the email or tap on anything in the text. Or if it’s on the phone, say "Thank you very much," hang up, and don’t pay that person. Instead, contact your medical facility directly. Make the call yourself, from your own phone, to a number you either already had stored or found on the provider's own website, and find out if that payment is for real. They will be happy to tell you, and to take your payment if it actually is needed.

In the aftermath of the breach, CHC is also offering free credit monitoring and identity theft protection to those affected, so you can take advantage of those services, if you like. Personally, I’m not sure I’d trust CHC with this job at this point, but they did say that they spent a lot of time and money upgrading their security so it wouldn't happen again. They're trying to win everyone's trust back, so if you feel comfortable with doing that, just go ahead and go for it.

Being vigilant, staying on top of your credit, really being suspicious of anything medically related that comes in your email and text or on the phone, that’s the world we live in. It's the price of convenience, and also the price of this very superior health care that we have over people 50 or 100 years ago. And once you get rolling with keeping things in mind and what to look out for, it’s really not that hard. You'll start to develop a little Spidey-sense for it, and that can be very satisfying.

I hope this episode helped you get a better grip on the Change Healthcare breach, and hopefully find it less scary and unknown. Just do what you need to do to keep yourself safe from hackers, and everything should be fine. This is Michele Bousquet from How Hacks Happen, wishing you a happy and well rest of your day.