How the ransomware attack at Change Healthcare went down: A timeline

UnitedHealthcare (UHC) health insurance company signage is displayed on an office building in Phoenix, Arizona in 2023

Image Credits: Patrick T. Fallon / AFP / Getty Images

A ransomware attack earlier this year on UnitedHealth-owned health tech company Change Healthcare likely stands as one of the largest data breaches of U.S. health and medical data in history.

Months after the February data breach, a “substantial proportion of people living in America” are receiving notice by mail that their personal and health information was stolen by cybercriminals during the cyberattack on Change Healthcare.

Change Healthcare processes billing and insurance for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, it collects and stores vast amounts of highly sensitive medical data on patients in the United States. Through a series of mergers and acquisitions, Change became one of the largest processors of U.S. health data, handling between one-third and one-half of all U.S. health transactions.

Here’s what has happened since the ransomware attack began.

February 21, 2024

First report of outages as security incident emerges

It seemed like an ordinary Wednesday afternoon, until it wasn’t. The outage was sudden. On February 21, billing systems at doctors offices and healthcare practices stopped working, and insurance claims stopped processing. The status page on Change Healthcare’s website was flooded with outage notifications affecting every part of its business, and later that day the company confirmed it was “experiencing a network interruption related to a cyber security issue.” Clearly something had gone very wrong.

It turns out that Change Healthcare invoked its security protocols and shut down its entire network to isolate intruders it found in its systems. That meant sudden and widespread outages across the healthcare sector that relies on a handful of companies — like Change Healthcare — to handle healthcare insurance and billing claims for vast swathes of the United States. It was later determined that the hackers initially broke into the company’s systems over a week earlier, on or around February 12.

February 29, 2024

UnitedHealth confirms it was hit by ransomware gang

After initially (and incorrectly) attributing the intrusion to hackers working for a government or nation-state, UnitedHealth later said on February 29 that the cyberattack was in fact the work of a ransomware gang. UnitedHealth said the gang “represented itself to us as ALPHV/BlackCat,” a company spokesperson told TechCrunch at the time. A dark web leak site associated with the ALPHV/BlackCat gang also took credit for the attack, claiming to have stolen millions of Americans’ sensitive health and patient information, giving the first indication of how many individuals this incident had affected.

ALPHV (aka BlackCat) is a known Russian-speaking ransomware-as-a-service gang. Its affiliates, contractors who work for the gang, break into victim networks and deploy malware developed by ALPHV/BlackCat’s leaders, who take a cut of the ransoms that victims pay to get their files back.

Knowing that the breach was caused by a ransomware gang changed the equation of the attack from the kind of hacking that governments do — sometimes to send a message to another government instead of publishing millions of people’s private information — to a breach caused by financially motivated cybercriminals, who are likely to employ an entirely different playbook to get their payday. 

March 3-5, 2024

UnitedHealth pays a ransom of $22 million to hackers, who then disappear

In early March, the ALPHV ransomware gang vanished. The gang’s leak site on the dark web, which weeks earlier took credit for the cyberattack, was replaced with a seizure notice claiming that U.K. and U.S. law enforcement took down the gang’s site. But both the FBI and U.K. authorities denied taking down the ransomware gang as they had attempted months earlier. All signs pointed to ALPHV running off with the ransom and pulling an “exit scam.”

In a posting, the ALPHV affiliate who carried out the hack on Change Healthcare claimed that the ALPHV leadership stole $22 million paid as a ransom and included a link to a single bitcoin transaction on March 3 as proof of their claim. But despite losing their share of the ransom payment, the affiliate said the stolen data is “still with us.” UnitedHealth had paid a ransom to hackers who left the data behind and disappeared.

A fake law enforcement seizure notice posted on BlackCat’s dark web leak site soon after receiving a ransom payment of $22 million.
Image Credits: TechCrunch (screenshot)

March 13, 2024

Widespread disruption across U.S. healthcare amid fears of data breach

Meanwhile, weeks into the cyberattack, outages were still ongoing, with many patients unable to get their prescriptions filled or having to pay cash out of pocket. Military health insurance provider TRICARE said “all military pharmacies worldwide” were affected as well.

The American Medical Association was saying there was little information from UnitedHealth and Change Healthcare about the ongoing outages, causing massive disruption that continued to ripple across the healthcare sector. 

By March 13, Change Healthcare had received a “safe” copy of the stolen data that it had just days earlier paid $22 million for. This allowed Change to begin the process of poring through the dataset to determine whose information was stolen in the cyberattack, with the aim of notifying as many affected individuals as possible.  

March 28, 2024

U.S. government ups its bounty to $10 million for information leading to ALPHV capture

By late March, the U.S. government said it was upping its bounty for information on key leadership of ALPHV/BlackCat and its affiliates. 

By offering $10 million to anyone who can identify or locate the individuals behind the gang, the U.S. government seemed to hope that one of the gang’s insiders would turn on their former leaders. It also could be seen as the U.S. realizing the threat of having a significant number of Americans’ health information potentially published online. 

April 15, 2024

Contractor forms new ransom gang and publishes some stolen health data

And then there were two — ransoms, that is. By mid-April, the aggrieved affiliate set up a new extortion racket called RansomHub, and since it still had the data that it stole from Change Healthcare, it demanded a second ransom from UnitedHealth. In doing so, RansomHub published a portion of the stolen files containing what appeared to be private and sensitive patient records as proof of their threat. 

Ransomware gangs don’t just encrypt files; they also steal as much data as possible and threaten to publish the files if a ransom isn’t paid. This is known as “double extortion.” In some cases when the victim pays, the ransomware gang can extort the victim again — or, in others, extort the victim’s customers, known as “triple extortion.”

Now that UnitedHealth had shown it was willing to pay one ransom, there was a risk that the healthcare giant would be extorted again. It’s why law enforcement has long advised against paying ransoms, which let criminals profit from cyberattacks.

April 22, 2024

UnitedHealth says ransomware hackers stole health data on a “substantial proportion of people in America”

For the first time, UnitedHealth confirmed on April 22 — more than two months after the ransomware attack began — that there was a data breach and that it likely affects a “substantial proportion of people in America,” without saying how many millions of people that entails. UnitedHealth also confirmed it paid a ransom for the data but would not say how many ransoms it ultimately paid.

The company said that the stolen data includes highly sensitive information, including medical records and health information, diagnoses, medications, test results, imaging and care and treatment plans, and other personal information.

Given that Change Healthcare handles data on about one-third of everyone living in the United States, the data breach is likely to affect more than 100 million people at least. When reached by TechCrunch, a UnitedHealth spokesperson did not dispute the likely affected number but said that the company’s data review was ongoing. 

May 1, 2024

UnitedHealth Group chief executive testifies that Change wasn’t using basic cybersecurity

Perhaps unsurprisingly when your company has had one of the biggest data breaches in recent history, its chief executive is bound to get called to testify before lawmakers. 

That’s what happened with UnitedHealth Group (UHG) chief executive Andrew Witty, who on Capitol Hill admitted that the hackers broke into Change Healthcare’s systems using a single set of stolen credentials for a user account that was not protected with multi-factor authentication, a basic security control that blunts stolen-password and password-reuse attacks by requiring a second factor, such as a one-time code on the account holder’s phone, in addition to the password.

One of the biggest data breaches in U.S. history was entirely preventable, was the key message. Witty said that the data breach was likely to affect about one-third of people living in America, in line with the company’s previous estimates that the breach affects roughly as many people as Change Healthcare processes healthcare claims for.

UnitedHealth CEO Andrew Witty testifies before the Senate Finance committee on Capitol Hill on May 1, 2024, in Washington, D.C.
Image Credits: Kent Nishimura / Getty Images

June 20, 2024

UHG starts notifying affected hospitals and medical providers what data was stolen

It took Change Healthcare until June 20 to publish a formal notice of the breach and begin the notification process required under the health privacy law commonly known as HIPAA, a delay likely due in part to the sheer size of the stolen dataset.

The company published a notice disclosing the data breach and said that it would begin notifying individuals it had identified in the “safe” copy of the stolen data. But Change said it “cannot confirm exactly” what data was stolen about each individual and that the information may vary from person to person. Change says it was posting the notice on its website, as it “may not have sufficient addresses for all affected individuals.”

The incident was so big and complex that the U.S. Department of Health and Human Services stepped in and said that affected healthcare providers, whose patients are ultimately affected by the breach, can ask UnitedHealth to notify affected patients on their behalf, an effort aimed at lessening the burden on smaller providers whose finances were hit amid the ongoing outage.

July 29, 2024

Change Healthcare begins notifying known affected individuals by letter

The health tech giant confirmed in late June that it would begin notifying those whose healthcare data was stolen in its ransomware attack on a rolling basis. That process began in late July. 

The letters going out to affected individuals will most likely come from Change Healthcare, if not from the specific healthcare provider affected by the hack at Change. The letter confirms what kinds of data were stolen, including medical data and health insurance information, and claims and payment information, which Change said includes financial and banking information.

As Iran-backed groups attack Red Sea ships, investors are backing startups assisting global cargo

Aerial front view Container cargo ship full carrier container with terminal commercial port background for business logistics, import export, shipping or freight transportation.

Image Credits: Suriyapong Thongsawang / Getty Images

Multiple shocks to global supply chains brought about first by the pandemic and more recently by Iran-backed Houthis targeting cargo ships in the Red Sea have shown there’s a need for greater resilience in global shipping. At the same time, the pressure to reduce both costs and carbon footprints continues apace. Quietly, investors are eyeing up tech platforms for ports and cargo ships, which could prove to be a very savvy investment.

There are already several signs this is happening.

Most recently, Portchain, a Danish startup that describes itself as a “neutral exchange” for cargo ships and ports, has raised a $5 million “Seed+” funding round from Angular Ventures. Other investors include MK Ventures and several former shipping executives.

Portchain works by facilitating constant communication between a cargo ship and a port, acting something like air traffic control to make sure that a ship arrives just at the right time to be docked, rather than waiting outside the port, burning fuel, polluting the atmosphere and racking up costs.

CEO Niels Kristiansen explained the problem to me thus: “The top 10 carriers represent 85% of global volume. But carriers and terminals operate in a very different way. Carriers know how carriers operate and they don’t know enough about how terminals operate, and vice versa. So what happens is that the carrier will arrive at a terminal and will say ‘I have this data system’. And then the terminal says, ‘You’re a carrier so you don’t know how I operate’. In the end, both end up sharing and planning through email, phone calls, and WhatsApp. It’s a mess.”

Instead, long before they’ve reached their destination, Portchain allows ship captains to adjust their speed in order to dock just at the right time, just like a plane landing at an airport. In the meantime, this removes the need to update spreadsheets, emails and PDF documents (which is how many systems are run today).

Portchain claims that as a result, CO2 emissions of up to 14% can be saved, with no modification to the vessels — significant since it is estimated that shipping burns over 117,800,000 tonnes of fuel annually.

And neutrality in these systems is important. Although shipping giant Maersk launched the TradeLens project in 2018, it hit problems when it needed rival firms to share data. The venture subsequently shut down last year.

Portchain now claims to have signed up 90 container terminals globally (20% of the world’s terminal capacity) and has signed a five-year agreement with Hapag-Lloyd, the fifth largest shipping line.

However, Portchain isn’t the only player in this field, which is clearly heating up.

PortXChange, which is based in Rotterdam, spun out as a separate project from the Port of Rotterdam and became an independent company in 2019. Its strategic partners include Shell and Maersk.

Heyport in Hamburg was funded and incubated by the local German port operator HHLA.

Then there is Awake.ai, headquartered in Finland.

Awake has so far raised a total of around $12 million according to CEO Karno Tenovuo. He and his team were formerly part of a Rolls Royce unit which looked at “smart shipping.”

Funded so far by the Finnish government, angel investors and the EU (but no VC money to date), Tenovuo said: “Last year we launched what we call the ‘Amazon for ports.’ This is marketplace functionality. Carriers and ports are using emails and phone calls. So we got funding from the EU to develop this product, which automates the buying and selling of port services and reporting and invoicing.”

“We match the buyers and sellers automatically. We predict where those products or services are needed then we can recommend all the optimal arrival and departure times and tell the shipping companies what’s their impact in fuel costs emissions,” he added.

However, he said there is “not a lot of overlap” between Awake and Portchain.

Meanwhile, the International Maritime Organisation has mandated a “national single window” through which ships report when they enter waters controlled by a nation. That means more and more technology will have to be employed to assist both carriers and ports.

As Tenovuo says, this “single window” will mean there will be a huge need to “link all the services.”

So, for now, it’s likely that these kinds of services will continue to launch, and continue to keep investors interested.

Palo Alto Networks' firewall bug under attack brings fresh havoc to thousands of companies

an illustration of a red light cast down on a bunch of computers

Image Credits: Bryce Durbin / TechCrunch

Palo Alto Networks urged companies this week to patch against a newly discovered zero-day vulnerability in one of its widely used security products after malicious hackers began exploiting the bug to break into corporate networks.

The vulnerability is officially known as CVE-2024-3400 and was found in the GlobalProtect feature of newer versions of PAN-OS, the software that runs on Palo Alto’s firewalls. Because the vulnerability allows hackers to gain complete control of an affected firewall over the internet without authentication, Palo Alto gave the bug a maximum severity rating. The ease with which hackers can remotely exploit the bug puts thousands of companies that rely on the firewalls at risk from intrusions.

Palo Alto said customers should update their affected systems, warning that the company is “aware of an increasing number of attacks” that exploit this zero-day, so called because the company had no time to fix the bug before it was maliciously exploited. Adding another complication, Palo Alto initially suggested disabling device telemetry as a mitigation, but said this week that disabling telemetry does not prevent exploitation, so patching is the only real fix.
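Two checks a defender would run after reading the above, written here as an added example rather than code from the article or from Palo Alto Networks: a fleet inventory check that decides which firewalls are exposed (GlobalProtect enabled and running a build below the first fixed one), and a log scan for the publicly reported exploitation indicator. The affected trains (PAN-OS 10.2, 11.0, 11.1), the first fixed builds (10.2.9-h1, 11.0.4-h1, 11.1.2-h3), and the indicator string "failed to unmarshal session" in gpsvc.log are taken from the vendor’s and Volexity’s public reporting, not from this page, and are assumptions the reader should verify against the current advisory; later hotfixes for other maintenance releases exist and must be added to the table, so the version check is deliberately conservative. The sample log lines are constructed for the example. Following the article’s caveat, the telemetry setting is accepted but ignored when deciding exposure.

```python
"""Exposure and indicator checks for the PAN-OS GlobalProtect bug (CVE-2024-3400).

Added example, not code from the article or from Palo Alto Networks.
Assumptions (verify against the vendor advisory before relying on them):
  * Affected trains are PAN-OS 10.2, 11.0 and 11.1; 10.1 and earlier are not.
  * First fixed builds: 10.2.9-h1, 11.0.4-h1, 11.1.2-h3. Later hotfixes for
    other maintenance releases exist; until added to FIXED, this check is
    conservative and may flag such builds as vulnerable.
  * "failed to unmarshal session(<payload>)" in gpsvc.log is the publicly
    reported sign of attempted exploitation; exact log format is assumed.
  * Disabling telemetry is NOT a mitigation, so that setting is ignored.
"""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int, int]  # major, minor, maintenance, hotfix

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Affected train -> first fixed build (assumed; see module docstring).
FIXED = {
    (10, 2): (10, 2, 9, 1),
    (11, 0): (11, 0, 4, 1),
    (11, 1): (11, 1, 2, 3),
}


def parse_panos_version(text: str) -> Version:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple (no hotfix -> 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_exposed(version: str, globalprotect_enabled: bool,
               telemetry_enabled: bool = True) -> bool:
    """True if the firewall should be treated as vulnerable to CVE-2024-3400.

    Only devices with a GlobalProtect gateway or portal are reachable by the
    bug. telemetry_enabled is accepted on purpose but never consulted: the
    vendor withdrew "disable telemetry" as a mitigation.
    """
    if not globalprotect_enabled:
        return False
    v = parse_panos_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False  # train not affected (or not yet in the table)
    return v < fixed


_IOC_RE = re.compile(r"failed to unmarshal session\(([^)]*)\)")


def scan_gpsvc_log(lines: Iterable[str]) -> List[Tuple[str, bool]]:
    """Return (payload, has_traversal) for every line carrying the indicator.

    A legitimate session identifier is a plain token; a '../' sequence in the
    payload means a caller tried to escape the session directory and is the
    high-confidence case.
    """
    hits: List[Tuple[str, bool]] = []
    for line in lines:
        m = _IOC_RE.search(line)
        if m:
            payload = m.group(1)
            hits.append((payload, "../" in payload))
    return hits


# Constructed sample log lines for the example; not a real capture.
SAMPLE_GPSVC_LOG = [
    '{"level":"info","message":"session created for user alice"}',
    '{"level":"error","message":"failed to unmarshal session('
    '../../../../opt/panlogs/tmp/device_telemetry/minute/abc123)"}',
    '{"level":"info","message":"client logged out"}',
]

# Constructed inventory: (hostname, PAN-OS version, GlobalProtect enabled).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "11.1.2", True),
    ("fw-edge-2", "11.1.2-h3", True),
    ("fw-lab", "10.1.9", True),
    ("fw-internal", "10.2.8", False),
]


def exposed_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Names of inventory entries that still need the fix."""
    return [host for host, ver, gp in inventory if is_exposed(ver, gp)]


if __name__ == "__main__":
    print("exposed:", exposed_hosts())
    print("indicators:", scan_gpsvc_log(SAMPLE_GPSVC_LOG))
```

The version parser treats a missing hotfix as 0 so that 11.1.2 sorts below 11.1.2-h3, which is what makes the tuple comparison correct; any build on a train absent from FIXED is reported as not exposed, so extend the table rather than trust silence for trains you are unsure about.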

The company also said there is public proof-of-concept code that allows anyone to launch attacks exploiting the zero-day.

The Shadowserver Foundation, a nonprofit organization that collects and analyzes data on malicious internet activity, said its data shows there are more than 156,000 potentially affected Palo Alto firewall devices connected to the internet, representing thousands of organizations.

Security firm Volexity, which first discovered and reported the vulnerability to Palo Alto, said it found evidence of malicious exploitation going back to March 26, some two weeks before Palo Alto released fixes. Volexity said a government-backed threat actor that it calls UTA0218 exploited the vulnerability to plant a back door and further access its victims’ networks. The government or nation-state that UTA0218 works for is not yet known.

Palo Alto’s zero-day is the latest in a raft of vulnerabilities discovered in recent months in corporate security devices such as firewalls, remote access tools and VPN products. These devices sit at the edge of a corporate network and function as digital gatekeepers, yet they have a track record of severe vulnerabilities that render their own defenses moot and hand attackers a foothold inside the perimeter.

Earlier this year, security vendor Ivanti fixed several critical zero-day vulnerabilities in its VPN product, Connect Secure, which gives employees remote access to a company’s systems over the internet. At the time, Volexity linked the intrusions to a China-backed hacking group, and mass exploitation of the flaws quickly followed. Given the widespread use of Ivanti’s products, the U.S. government warned federal agencies to patch their systems, and the U.S. National Security Agency said it was tracking potential exploitation across the U.S. defense industrial base.

And the technology company ConnectWise, which makes the popular screen-sharing tool ScreenConnect used by IT admins for providing remote technical support, fixed vulnerabilities that researchers deemed “embarrassingly easy to exploit” and also led to the mass exploitation of corporate networks.


Slack under attack over sneaky AI training policy

slack glitch

Image Credits: TechCrunch

On the heels of ongoing issues around how big tech is appropriating data from individuals and businesses in the training of AI services, a storm is brewing among Slack users upset over how the Salesforce-owned chat platform is charging ahead with its AI vision.

The company, like many others, is tapping its own user data to train some of its new AI services. But, it turns out that if you don’t want Slack to use your data, you have to email the company to opt out.

And the terms of that engagement are tucked away in what appears to be an out-of-date, confusing privacy policy that no one was paying attention to, until a miffed person posted about them on a community site hugely popular with developers, and the post went viral.

It all kicked off last night, when a note on Hacker News raised the issue of how Slack trains its AI services, by way of a straight link to its privacy principles — no additional comment was needed. That post kicked off a longer conversation — and what seemed like news to current Slack users — that Slack opts users in by default to its AI training, and that you need to email a specific address to opt out.

That Hacker News thread then spurred multiple conversations and questions on other platforms: There is a newish, generically named product called “Slack AI” that lets users search for answers and summarize conversation threads, among other things, but why is that not once mentioned by name on that privacy principles page in any way, even to make clear if the privacy policy applies to it? And why does Slack reference both “global models” and “AI models?”

Between people being confused about where Slack is applying its AI privacy principles, and people being surprised and annoyed at the idea of having to email to opt out, at a company that makes a big deal of touting that “You control your data,” Slack does not come off well.

The shock might be new, but the terms are not. According to pages on the Internet Archive, the terms have been applicable since at least September 2023. (We have asked the company to confirm.)

Per the privacy policy, Slack is using customer data specifically to train “global models,” which Slack uses to power channel and emoji recommendations and search results. Slack tells us that its usage of the data has specific limits.

“Slack has platform-level machine learning models for things like channel and emoji recommendations and search results. We do not build or train these models in such a way that they could learn, memorize or be able to reproduce some part of customer data,” a company spokesperson told TechCrunch. However, the policy does not appear to address the overall scope and the company’s wider plans for training AI models.

In its terms, Slack says that if customers opt out of data training, they would still benefit from the company’s “globally trained AI/ML models.” But again, in that case, it’s not clear then why the company is using customer data in the first place to power features like emoji recommendations.

The company also said it doesn’t use customer data to train Slack AI.

“Slack AI is a separately purchased add-on that uses large language models (LLMs) but does not train those LLMs on customer data. Slack AI uses LLMs hosted directly within Slack’s AWS infrastructure, so that customer data remains in-house and is not shared with any LLM provider. This ensures that customer data stays in that organization’s control and exclusively for that organization’s use,” a spokesperson said.

Some of the confusion is likely to be addressed sooner rather than later. In a reply to one critical take on Threads from engineer and writer Gergely Orosz, Slack engineer Aaron Maurer conceded that the company needs to update the page to reflect “how these privacy principles play with Slack AI.”

Maurer added that these terms were written at the time when the company didn’t have Slack AI, and these rules reflect the company’s work around search and recommendations. It will be worth examining the terms for future updates, given the confusion around what Slack is currently doing with its AI.

The issues at Slack are a stark reminder that, in the fast-moving world of AI development, user privacy should not be an afterthought and a company’s terms of service should clearly spell out how and when data is used or if it is not.
