Change Healthcare Ransomware Incident: Systemic Enough For Ya?
3–4–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 4, 2024, and - while I avoided a deep dive on it last week on purpose - it’s time to talk about Change Healthcare.
Change Healthcare: Systemic Enough For Ya?
Like we mentioned on last week’s call, and anyone in cybersecurity should be well aware of it by now, United Health Group subsidiary Change Healthcare is continuing to experience a cybersecurity incident that has massively disrupted their operations.
Change Healthcare is now acknowledging that this incident is a result ransomware group BlackCat / ALPHV, but has offered little insight otherwise, except for repeating that United Health Group and Optum servers and services are not impacted.
In the week plus that this event has been ongoing, only a few material changes have occurred, including UGH moving to a less frequent update cadence (which is understandable, since their previous tool simply reiterated every few hours that they hadn’t made much headway), and have setup a Temporary Funding Assistance Program - as some news reports indicate that health systems may be experiencing a cashflow shortfall of up to $100 M per day for claims that were processed by Change Healthcare.
In sticking with the theme of being light on details, the Temporary Funding Assistance Program notes that they can’t offer information on who is eligible or how much funding is available unless you enroll in the program. This is also a temporary loan - and money will need to be paid back.
One doctor on LinkedIn noted that this amounts to $4,000 for their practice - whose bi-weekly payroll is $175K - and the American Hospital Association notes that this effort “will not come close” to meeting the needs of their members, and Senate Majority Leader Chuck Schumer is now calling for emergency cash assistance for hospitals, “citing an imminent “financial cliff” for hospitals in New York and nationally.”
As we continue to see - and be frustrated - by UHG being light on details only shares the damage, and leaves everyone else to fend for themselves, rather than recognizing that the damage is already done for Change, but others may be able to learn.
This price, of course, is coming straight out of UHG’s stock price - and I’d note that they’ve managed to lose more than $40B in market cap since the incident was announced. They claimed in a 10-K filing dated three days after the incident was discovered that “As of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.” I would wager that even for United Health, $40B - or nearly 10% - is material.
In a recent twist, reports are out today indicating that United Health did, in fact, pay a $22M ransom for deletion of the data and a decryption key, only to have the ransomware gang go dark, note “GG” - short for Good Game - and disappear.
We will likely never know what happened around this ransomware payment, but as the incident itself drags on, we need to be thinking about two things:
Protecting our own businesses by doing the basics that we talk about on this show day in and day out: deploy robust controls around our identities and endpoints, including multi factor authentication and regular vulnerability scanning, ensure that we have a robust program in place to patch our systems, and keep off-line, immutable backups of critical data that we know is viable and can restore with confidence in a reasonable amount of time - whatever reasonable means for our business; and
Looking at the systemic nature of these events. This is but one piece of a giant machine in the US Healthcare System, but it has ground things to a halt to such a degree that one provider noted this event as being “worse than COVID.”
Will this be a tipping point in our collective fight against these criminal gangs operating with impunity from inside Russia, or will this only be a stop along the way to an ever-escalating game of cat and mouse, where we always end up on the losing end? Only time will tell.
Fundraising
From a fundraising perspective, a massive week of new announcements, led by EQT’s blockbuster 10th flagship fund, closed at its €22 billion hard cap, with a continuing focus on private equity deals in Europe and North America.
Smaller players, too, got their news out there, including Chipotle doubling the size of its corporate VC fund to $100m and our friends at the Financial Times launching a new VC arm to invest in media and tech companies.
Proof that while it may feel this way, not everyone is having the worst week ever.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.unitedhealthgroup.com/changehealthcarecyberresponse
https://www.timesunion.com/state/article/schumer-calls-emergency-cash-major-cyberattack-18698734.php
https://www.linkedin.com/feed/update/urn:li:activity:7169363941247152128/