Change Healthcare Ransomware Attack Highlights Threat to Critical Infrastructure


March 26, 2024


One of the biggest nursing home operators in the U.S., Petersen Health Care, has filed for bankruptcy as the healthcare sector reels from an attack on Change Healthcare.

And UnitedHealth, parent company of Change Healthcare, one of the largest payment services providers in the nation, announced it is pouring $2 billion into recovery efforts.

Every day, more healthcare providers are in serious financial crisis following the attack, highlighting the ripple effect that attacks on critical infrastructure can have across industries and the economy.

“An American Hospital Association survey reported on March 15 that almost 60% of respondents say the revenue impact is $1 million per day or higher, and 44% said the adverse effects on revenue will continue for two to four more months,” SC Media reports.

The SC Media article calls out several other examples of how the attack has had widespread impact on both healthcare providers and their patients:

“This was not an attack on some back-office administrative function. This was a coordinated attack on our infrastructure. If this were an attack on a pipeline, the electronic grid, or our aviation towers, the public — and our elected officials — would have understood the situation better,” Mary Mayhew, president and CEO of the Florida Hospital Association, told SC Media.

Takeaway: Ransomware attacks against critical infrastructure providers – which include healthcare providers – have no doubt crossed the line from mere criminal activity to a threat to the lives of patients as well as our national security.

A recent report by Ponemon found a direct link between ransomware attacks and negative patient outcomes, increased mortality rates, and an increase in complications during medical procedures. Other research found a 33% increase in death rates per month for hospitalized Medicare patients.

There is a good deal of evidence that many of the attackers and much of the tooling employed by ransomware gangs can be tied directly to Russia, so the potential dual nature of a subset of ransomware attacks should be considered.

A recent report by Chainalysis assessed that 74% of all the illicit revenue generated by ransomware attacks in 2021 went to Russia-linked attackers. If the Putin regime is influencing targeting in some ransomware operations, then there is a case to be made to redesignate some attacks, like those against healthcare providers, as acts of terrorism.

Executive Order 13224 seems to be clearly applicable to some ransomware attacks, especially those against healthcare and other critical infrastructure providers:

“For the purpose of the Order, “terrorism” is defined to be an activity that (1) involves a violent act or an act dangerous to human life, property, or infrastructure; and (2) appears to be intended to intimidate or coerce a civilian population; to influence the policy of a government by intimidation or coercion; or to affect the conduct of a government by mass destruction, assassination, kidnapping, or hostage-taking.”

The fact that ransomware attacks appear on the surface to merely be cybercriminal activity provides a convenient level of plausible deniability when those attacks also serve the larger geopolitical goals of adversarial governments like Russia.

If we call these attacks what they are – terrorist attacks meant to instill fear and further geopolitical goals – then we unlock a whole range of new options for both offensive cyber and traditional military responses.

The impact of the attack on Change Healthcare emphasizes that we can no longer address these issues as simple criminal matters by offering organizations more alerts, guidelines and frameworks.

It’s time to call attacks on healthcare organizations and other critical infrastructure providers what they really are: a serious threat to national security.

Halcyon is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.