In a recent podcast interview with Cybercrime Magazine's Host, Heather Engel, Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, discusses the cyberattack that recently hit Change Healthcare. The podcast can be listened to in its entirety below.
Heather: Joining us today is Scott Schober, cyber expert, CEO of Berkeley Veratonic systems, and author of the popular books Hacked Again in Senior Cyber. Scott, welcome to the podcast.
Scott: Hey, great to be with you, Heather.
Heather: So today we are talking about the recent breach of Change Healthcare. Change Healthcare, part of Optum, and owned by United Health Group, processes about half of medical claims in the U.S. for about 900,000 doctors, 118,000 dentists, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. That's according to figures from a 2022 Department of Justice lawsuit. In February, Change Healthcare was impacted by the BlackCat ransomware strain. So, Scott, can you give us a brief rundown of what happened?
Scott: This is a story that kind of keeps unfolding heather. Like always, we hear the headlines initially, and it kind of slowly changes as they dig in and do more investigation and forensics. Certainly, what we're learning today is different than a few weeks ago, and it'll probably be different in a few weeks from now, after this airs. But, basically, United Healthcare, they initially disclosed the attack that was really targeting Change Healthcare, which is primarily process prescriptions and stuff.
This was back February 22nd, and it really kind of gave widespread effects that others throughout the healthcare system throughout the U.S. felt in different ways, and it prevented a lot of these pharmacies and hospitals, and healthcare-related facilities from processing claims, from receiving payments. And when you think about that, that's probably the worst case scenario. When the money's not flowing, then people are not being taken care of, they're not getting their medicines, and it kind of spirals down the line. So it becomes something much larger than just reading initially, "Hey, this company or that company was hacked or suffered a breach." Because now you're talking about people's lives.
Heather: Yeah, and what is the situation today for the healthcare providers that were impacted by this?
Scott: Well, it really put everybody very behind from a standpoint of disruption, and certainly it led to eventually, as we learned about that it really was truly a ransom, it was intercepted on the dark web, and there's different reports that Change Healthcare paid some $21-22,000,000, and it was intercepted on the dark web. So, lots of unknowns and lots of things. Who got the money? Did the original hackers get it? Was it another hacker that intercepted it? So it kind of becomes a finger pointing type of scenario and leaves everything up in the air.
Heather: Yeah, you mentioned that we've seen reports indicating that the 21 or 22 million that was paid in ransom was intercepted on the dark web. What does this tell us about ransomware and payments? Because, you know, you never know if you're gonna actually get the decryption key or get your data back. You're kind of relying on the other person or the attackers to do what they say they're going to do. And this is a case where that absolutely didn't happen. What are your thoughts on this? And what does that mean for the future of negotiating ransomware payments?
Scott: Unfortunately, I kind of view it as the Wild West. Everybody is not who they claim to be. They're hiding behind all kinds of layers to keep themselves safe from law enforcement. So some of these hacking groups, and some of them are certainly state-sponsored, like Alfie and BlackCat and others, and they're using, again, cryptocurrencies. So they're doing everything and anything they can from being caught. When those type of things happen and you've got dishonest cyber criminals, they're gonna be dishonest to the good guys, to law enforcement, as well as other cyber criminals, will be dishonest, too, and I think that's part of the challenge. Even dealing in the crypto space, and I've had a little bit of experience there, and we, too, were scammed out of some Bitcoins. It's again, because you're dealing with people you can't trust, and I think that's part of the fundamental problem with this, when you're working in the dark web and you're trying to do things and do things right, as certainly as these healthcare companies are trying to. They're dealing with so many unknowns and so many things are up in the air. And I think that's kind of part of the fundamental problem. It's not like traditional law enforcement dealing with a bad guy in courts. There's a very standard procedure that can be followed. It is truly the Wild West when you're dealing with these type of things because you don't know how it'll unwind and how it will affect in this case. Obviously, the patients number one, but shareholders.
When the government gets involved and they start doing their investigation, and you could tell there's even been some, I guess, some words said between CISA and some other groups that are investigating some of this. There's a lot of concerns about the way United Health Group even handled it. How transparent they were, and now you've got on top of that, you've got different agencies and committees getting involved. Everybody kind of throwing in their own angle on what should have or could have been done. It makes it very difficult.
Heather: I was gonna ask you to expand more on that. So the U.S. Department of Health and Human Services is investigating. CISA has started weighing in. The focus of this investigation appears to be not only the impacts in the healthcare industry, but also this idea that Change Healthcare is a company that handles data on millions of consumers or patients, and most people have never heard of them. Do you have any thoughts on that?
Scott: That is a good thought, and that's kind of typical what we find out with a lot of these large breaches. How many different agencies and groups actually hold our personal information? And not to beat up on the Youth Healthcare System, but it's easy to do, but it is, in a sense, kind of dysfunctional, and there's even a lot of reports, and I was kind of laughing reading some of the stats that we spend twice as much per capita as almost any other country, and somewhere in the neighborhood of 13,000 per year. And there's 85 million Americans who remain uninsured or under insured. The statistics, the more you read, you realise how broken our system is, and I think that's part of the reason. When you've got the Department of Health and Human Services. They're analysing it. You've got CISA. They're all getting very frustrated. And behind the scenes they're saying, "Hey, United Health!" And I think even the President of United Health, the CEO kind of stepped out and was trying to hold his ground and explain that they're trying to be transparent, and they were briefing the House Committee on oversight. And who's accountable for this and that. So it's a lot of finger pointing, unfortunately. And I think CISA kind of indicated one of the reports I read that they felt that they were kind of handcuffed because there was not enough transparency. United Health did not come forward and explain things in a way that allowed them to assist and help. So there's finger pointing all over, and the story is going to continue to grow, and we'll probably learn lots of more information in the coming weeks.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real time, while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak. That's C-I-M-C-O-R.COM/C-I-M-T-R-A-K.
And now back to the podcast.
Heather: So, Scott, this is the Data Security Podcast, for those connected to Change Healthcare, those doctors, hospitals, pharmacies, even the Federal Government through their Tri-care program. What is the impact to those systems? Is there a risk that the malware may have spread to other systems?
Scott: Yeah, absolutely, because everything is interconnected, unfortunately. And there's a highly likelihood that it does spread. And at the same time, as maybe some of our concerned listeners are thinking, "Jeez, was, I impacted?" Probably good chance you were. And it's so important that you do have some basic things done. And I recently went through a mess just having my identity compromised. And fortunately I had my credit frozen, and I ask people all the time, is your credit frozen? And they're like. "What's that? What do you mean?" So doing basic things like freezing our credit if our personal information gets compromise, maybe our identity is compromised, someone tries to take credit out in our name, borrow money, this or that. Doing basic things like freezing your credit can really help, because some of this personal information is exactly what people need to do if they're gonna try to take out credit or try to steal our identity or some other scam. So sometimes backing up, if we're listeners, think about what have we done proactively thinking that we may have been a victim of this healthcare debacle, not to mention all the other breaches and things that are going on out there. So I think it's a good time to just kind of take stock and think about your own personal information. What safeguards do you have in place? Very important.
Heather: Yeah. I mean, Change Healthcare handled records on it's estimated one out of every three patients, and it was reported that the attackers had exfiltrated patient data. So you know, based on what you said, it feels to me like, maybe it's a good time to just take stock of your overall risk and improve your personal security across the board rather than reacting and being responsive to this breach over here, and then this breach over here, let's maybe just tighten everything down.
Scott: Yeah, absolutely. And not being too quick to give our information when it's asked. I recently had a fall. I was ice skating, and I twisted my ankle really bad, and had to go to a Meta Merge and get X-rays, and so on, and so forth. And the first thing they wanted is, they said, we need a copy of your license front and back. And I said, "What for?" I said, "You've never done that before. I was here before." and they're like, "Oh, the new policies! We refuse to see any patients unless we have the front and back of the license. I said, "Oh, that's scary. What do you do with it?"
"Well, we scan it in, and we store it here. We do this, and we do that. Make a copy here". And I said, "Well, how do I know it's gonna be safe?" They're like, "Oh, you have to trust us." So I kinda laughed and said, "Oh, boy!" So those type of things are very common in the medical world. And again, not that they have any mal intent to sell my license or expose it, or even think they're doing their job. So I appreciate that. But my frustration is when they collect oodles of information, and they're part of the bigger healthcare picture. Where does that all end up? Is it end up as part of a breach? In this case? Likely it has, or it will. And that's the part that's kind of difficult. Who has the time and energy to really dig in and do the research to find out what information was and wasn't compromised? Yeah, we'll probably find out with breach notifications in the months to come. If we were or weren't affected, or maybe we won't. We don't know.
Heather: Well, Scott, this has been really interesting. Unpacking this with you. Is there anything else you'd like to add?
Scott: I do think about just ransomware in general, and I think it's important just for everyone, whether you're working in the healthcare field, or maybe you're a business owner or a small business owner even working out of your home office, that we really have to be careful because oftentimes a lot of these ransomware strains and attacks are facilitated, it goes back to the basics. People clicking on phishing emails, just not being educated enough. So we can all do our part by just questioning things. Slow down, not be too quick to click, because we don't want to be some part of a gruesome statistic such as this, or be the one that let it into our organization, and then see all of this unfold right before our eyes. So just use caution and really stay safe out there.
Heather: And be a little bit more prudent in who and what information you hand out.
Scott: Yeah, don't trust anyone, but take your time and really verify it. Do the due diligence there before you take it to the next step.
Heather: Scott, thanks so much for being on the podcast.
Scott: Great to be on with you. Thanks, so much Heather.
