A ransomware attack on Change Healthcare, a company that processes 15 billion health care transactions annually and deals with 1 in 3 patient records in the United States, is continuing to cause massive disruptions nearly three weeks later.
The hack shut down the systems for processing claims, billing and verifying patients’ eligibility for care. Prescriptions were delayed, and discharging patients from hospitals and issuing paychecks to medical workers were also disrupted.
The incident, which started on February 21, has been called the “most significant cyberattack on the U.S. health care system” by the American Hospital Association.
It is just the latest example of an increasing trend.
“We’ve worked on cases for really small hospital systems with a couple dozen beds where a payment may need to be made in order to not have to divert critical services like ambulances to a rural district that’s 100 miles away,” Meredith Griffanti, FTI Consulting’s Global Head of Cybersecurity and Data Privacy Communications, told VOA.
In ransomware attacks, criminal hackers encrypt victims’ computer systems and demand large sums of money to unlock the data, or to keep it from being made public or sold on the dark web — the part of the internet inaccessible through common web browsers.
In a report in January, Emsisoft, a cybersecurity company, said 46 hospital systems with a total of 141 hospitals in the United States were affected by ransomware in 2023. In at least 32 of the 46 systems, protected health information was stolen.
In November 2023, a ransomware attack on Ardent Health Services, which operates 30 hospitals, caused the cancellation of patients’ procedures, while ER patients had to be rerouted to other hospitals in three U.S. states.
Other consequences include locked health records, which make it impossible for doctors to see patients’ allergies and the medicines they take, as well as delayed testing and scanning services.
University of Minnesota School of Public Health experts estimate that ransomware attacks killed 42 to 67 Medicare patients between 2016 and 2021.
Compromised information
“2023 was the year in which the behavior of the threat actors and the aggression, the aggressive extortion tactics, really started to knock your socks off,” said Griffanti of FTI Consulting.
“We saw everything, from death threats, bouquets of flowers sent to CEOs’ houses. … We saw released pictures of executives’ family members and executives themselves on dark websites,” she said.
The actual number of attacks each year is much higher, as there are thousands of incidents in the private sector, and many organizations are indirectly affected through the computer systems of their service providers.
“Unfortunately, the only change we’re really seeing is that these ransomware actors are getting bolder. They’re going after softer targets, like health care and public health sector organizations … the things that are most critical to our everyday lives,” said Gabriel Davis, chief of the Risk Intelligence and Operations Section at the Cybersecurity and Infrastructure Security Agency, or CISA.
Schools are vulnerable to ransomware because they often do not have enough resources for adequate protection, while they are attractive to criminals because they possess a large amount of sensitive information. At least 1,899 K-12 schools were attacked in the U.S. in 2023, per Emsisoft.
In an attack on Minneapolis Public Schools, not only was learning disrupted, but about 200,000 documents were stolen and posted online, including details on reports of sexual abuse of students, accusations of bad behavior by teachers, students’ psychological reports and Social Security numbers.
More money, more problems
Reuters reported that UnitedHealth Group, owner of Change Healthcare, paid $22 million to hackers in a bid to recover access to encrypted data and systems, which both sides declined to comment on.
Payments to ransomware gangs rose significantly in the last five years.
According to Emsisoft, the average ransom payment in 2023 was about $1.5 million, compared with about $5,000 in 2018. The only solution, the company argued, is a complete ban on payments.
There is no consensus among experts and governments on a ban.
Brett Callow, Emsisoft’s threat analyst, told VOA a complete ban is doable: “It’s commonly said that a ban would push ransomware underground. The reality is that it’s already far underground, with only about 20% of organizations reporting incidents. Yes, a ban may cause problems for victims in the short term, but isn’t that preferable to ransomware causing problems for everyone in the long term?”
Cybersecurity expert Ivan Markovic told VOA that the recommendation is not to pay a ransom, “because once someone has been in your system, you must consider that everything has been compromised.”
“A total ban, the introduction of some laws, would be good on one hand, but there are some extreme cases that must enter public debates and have experts discuss them,” said Markovic, citing situations in which it is necessary to act quickly because people’s lives are at risk.
CISA is focused on preventing attacks and helping organizations recover from incidents.
“We’re not going to be able to prevent everything, unfortunately. However, when things do happen, we do want to minimize and consolidate the damage and the impact. And if we can do that and continue doing that year over year, but also reducing the exposure of these organizations and the vulnerable devices, we’re going to start to see very significant reduction in these attacks,” Davis told VOA.