NCPA, Providers in 22 States Sue Change Healthcare/Optum/UHG Over Ransomware Attack

The National Community Pharmacists Association (NCPA) and over three dozen healthcare providers from 22 U.S. states have filed a lawsuit against Change Healthcare, Optum, and UnitedHealth Group following a severe ransomware attack in February 2024.  

‍

The attack compromised a significant amount of sensitive patient data, disrupted healthcare services, and exposed vulnerabilities in the digital infrastructure of numerous healthcare providers.  

‍

The breach had widespread effects, particularly on community pharmacists and healthcare providers who depend on Change Healthcare’s services for essential operations like billing and data management.

‍

The lawsuit, filed in federal court, alleges that Change Healthcare, Optum, and UnitedHealth Group failed to implement adequate cybersecurity measures to protect sensitive data, SecureWorld reports.

‍

Key allegations include negligence in securing healthcare data, breach of contractual obligations to provide secure and reliable services, and violations of state and federal data protection laws, including HIPAA.  

‍

The plaintiffs seek compensation for financial losses, reputational damage, and operational disruptions caused by the breach. So far, the attack has cost UHG about $2.6 billion in losses.

‍

Takeaway: The Change Healthcare attack significantly impacted the US healthcare system and directly affected about one-in-three people in the US, yet it’s surprising that we are not collectively more alarmed by the attack.

‍

A survey by the American Hospital Association (AHA) revealed that 74% of providers reported the outage affected patient care, while 94% cited financial repercussions. Similarly, a survey by the American Medical Association (AMA) found that over 80% of providers reported lost revenue, and some were not able to make payroll. Another study found a direct link between ransomware attacks and increased mortality rates.

‍

Yes, ransomware attacks have caused premature deaths. But where is the outrage?

‍

Ten years ago, it seemed everyone’s hair was on fire about APTs, and the angst around nation-state actors was driving a huge increase in security spending, much to the delight of a few big vendors.

‍

Organizations who would likely never come under attack from an APT (because they were not in the Defense Industrial Base or were not developing cutting edge technologies) were all too eager to implement defenses against the most sophisticated of attackers who would probably never attack them.

‍

Today, ransomware operators are brazenly attacking every industry sector, every business large or small, closing schools, jeopardizing patient care, shutting down production, disrupting commerce, causing billions of dollars in losses and most negatively impacting the economy.  

‍

Despite this, there seems to be little if any alarm about the growing number of attacks and the financial burden to both defend against and recover from these operations. Certainly nothing even remotely near the levels of concern we saw about APT operations.

‍

This is very concerning because, as far as the maturity of the ransomware threat is concerned, we are still at the dawn of the cyber extortion era.  

‍

These groups have only recently begun to become more organized and are honing their skills – many now using TTPs that were once only seen in APT operations, like exploit kits and zero-days.  

‍

With ransomware-as-a-service platforms proliferating and initial access brokers doing the heavy lifting of compromising networks, the barrier to entry as a ransomware attacker has never been lower.

‍

Combine that with the fact that attackers from certain areas of the world know they will never be held criminally liable for conducting attacks (especially of the attacks also serve the host nation's geopolitical goals), and we have all the elements required for a crisis of epidemic levels.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.