Following Change Healthcare's admission that it paid off hackers after its ransomware attack, there has been a spike in healthcare-related cyber incidents, Wired reported June 12.
In April, cybersecurity firm Recorded Future identified 44 instances of cybercriminal groups targeting healthcare organizations with ransomware attacks. These attacks involved stealing data, encrypting systems and demanding ransom payments while holding networks hostage. This marks the highest number of healthcare ransomware victims recorded in a single month during Recorded Future's four years of data collection, Allan Liska, a threat intelligence analyst at the company told Wired.
Mr. Liska said that while the exact cause of the increase is uncertain, it is unlikely to be a coincidence that it followed UnitedHealth, the parent company of Change Healthcare, paying a ransom to the hacker group AlphV, also known as BlackCat, which orchestrated the attack on Change.
"These kind of large payments are absolutely going to incentivize ransomware actors to go after healthcare providers because they think there’s more money to made be there," Mr. Liska said.
According to Wired, over the past two months, several healthcare organizations have experienced severe disruptions due to ransomware attacks. Among the organizations are St. Louis-based Ascension, Hospital Simone Veil in France, and pathology firm Synnovis.
But ransomware attacks targeting healthcare organizations were already increasing before the February Change Healthcare incident. Mr. Liska noted that each month in 2024 has experienced more healthcare ransomware attacks compared to the same month in any previous year he has monitored. Although there were 32 healthcare attacks in May, slightly fewer than the 33 in May 2023, Mr. Liska told Wired he anticipates that figure to grow as more incidents are reported.
However, Mr. Liska highlights the April surge captured in Recorded Future's data as a likely consequence of Change's crisis — not just due to the substantial ransom paid to AlphV, but also because of the prominent disruption caused by the attack.
"Because these attacks are so impactful, other ransomware groups see an opportunity," he said.
Mr. Liska said that ransomware incidents in healthcare have continued to rise, contrasting with overall ransomware trends which have remained stable or decreased. For example, from January to April 2024, there were 1,153 incidents, compared to 1,179 during the same period in 2023.
In response to Wired's request for comment, a United Healthcare spokesperson highlighted the increasing trend of healthcare ransomware attacks since 2022, indicating that this pattern began before the incident involving Change Healthcare. The spokesperson also referenced United Healthcare CEO Andrew Witty's testimony during a congressional hearing on the Change Healthcare ransomware attack.
"In addressing the numerous challenges posed by this attack, including navigating ransom demands, my foremost priority has been safeguarding individuals' personal health information," Mr. Witty said during the hearing. "As CEO, the decision to authorize a ransom payment was mine alone. It was undoubtedly one of the most difficult decisions I've ever faced, and one I wouldn't wish upon anyone."