Saturday, July 6, 2024

Healthcare ransomware breaks record after Change Healthcare pays $22 million

Indeed, ransomware attacks targeting healthcare were on the rise even before the Change Healthcare attack, which paralyzed a UnitedHealthcare subsidiary’s ability to process claims on behalf of the healthcare provider’s customers in February of this year. Recorded Future’s Liska notes that there have been more healthcare ransomware attacks in each month of 2024 than in the same month of any previous year he has tracked. (May of this year saw 32 healthcare attacks, fewer than the 33 in May 2023, but Liska says he expects the recent numbers to grow as other incidents continue to come to light.)

Still, Liska noted that the April spike seen in Recorded Future’s data in particular is likely a secondary effect of Change’s fiasco, not just because of the exorbitant ransom Change paid to AlphV, but also because of the highly visible disruption the attacks caused. “These attacks are so impactful that other ransomware groups see an opportunity,” Liska said. He also noted that healthcare ransomware attacks continue to rise even as ransomware incidents overall remain roughly flat or decline. For example, there were 1,153 incidents in the first four months of this year, compared to 1,179 in the same period in 2023.

When WIRED reached out to United Healthcare for comment, a company spokesperson noted that healthcare ransomware attacks began to increase overall in 2022, suggesting that this overall trend predates the Change incident. The spokesperson also cited testimony that United Healthcare CEO Andrew Witty gave last month at a congressional hearing on the Change Healthcare ransomware attack. “As we’ve dealt with the many challenges in responding to this attack, including responding to the ransom demand, I’ve been guided by my overriding priority of doing all I can to protect people’s personal health information,” Witty said at the hearing. “As CEO, the decision to pay the ransom was my own. It was one of the most difficult decisions I’ve ever made, and I wouldn’t wish this on anyone.”

Change Healthcare’s extremely sticky ransomware situation was further complicated by the fact that AlphV had supposedly accepted Change’s $22 million extortion fee and then betrayed its hacking partners, disappearing without giving any of its associates a cut of the profits. That drew even more attention from the ransomware hacker underworld and led to the highly unusual situation in which the associates provided the data to another group, RansomHub, which then demanded a second ransom from Change and threatened to leak the data on a dark web site.

The second extortion threat has since mysteriously disappeared from the RansomHub site, and UnitedHealthcare did not respond to WIRED’s questions about the second incident, or whether it had paid the second ransom.

Still, many ransomware hackers believe that Change Healthcare actually paid double the ransom, said John DiMaggio, a security researcher at cybersecurity firm Analyst1, who frequently speaks with members of the ransomware group to gather intelligence. “Everybody was talking about a double ransom,” DiMaggio said. “If the people I’m talking to are excited about this, it’s not a leap to think other hackers are excited about it as well.”

DiMaggio says the uproar the situation created, and the scale of disruption to healthcare providers caused by Change Healthcare’s downtime and high ransom payments, provided the perfect vehicle to promote the potential profits to be made from hacking vulnerable, high-risk healthcare victims. “Healthcare always has a lot to lose, and Change just made adversaries realize that,” he says. “They had a lot of leverage.”

As these attacks snowball, and while some healthcare victims may have paid the ransom themselves to limit damage to life-saving systems, the attacks are unlikely to stop. “They’ve always looked like an easy target,” DiMaggio said. “Now they look like an easy target that’s willing to pay the ransom.”

Updated June 12, 2024 at 9:35 a.m. ET: This article has been updated to reflect that the total number of ransomware incidents covers the first four months of the year, not just April.
