Features 26.11.2024
AI Autopsy: UnitedHealth Ransomware: An Entirely Preventable Attack
How well did UnitedHealth handle the breach, and what can others learn from it?
In February 2024, UnitedHealth, a healthcare insurance firm, became the latest organisation to suffer a ransomware attack. The cyber assault targeted UnitedHealth’s subsidiary Change Healthcare, which it had acquired in 2022.
Ransomware operation BlackCat stole six terabytes of sensitive patient data in the attack, including personally identifiable information (PII). The group demanded a ransom of $22 million to avoid leaking the data – which UnitedHealth paid.
In April, UnitedHealth issued a press release announcing support for affected individuals. It claimed it was monitoring online forums where hackers leak or trade data packets. However, for those affected, the damage had already been done.
It took eight months for Change Healthcare to confirm the number affected by the February cyber attack, but it’s now known that at least 100 million people were compromised. That’s almost one-third of the US population and the largest ever known breach of protected health information at a Health Insurance Portability and Accountability Act (HIPAA)-regulated entity.
Experts are surprised at how poor security was at UnitedHealth’s subsidiary, with the firm lacking basic measures such as multi-factor authentication (MFA) and having no decent incident response plan for when things go wrong. “What’s shocking is how preventable this was,” says Stew Parkin, global CTO at Assured Data Protection.
“The attackers exploited a server that didn’t even have MFA, which is cybersecurity 101. This wasn’t high-tech espionage; it was a failure of basic protections. The consequences: A $22 million ransom payment, with overall costs estimated to hit $3.2 billion, plus massive disruptions to healthcare operations such as insurance claims and payment processing.”
Ken Dunham, cyber threat director at Qualys Threat Research Unit, says organisations need to “seriously rethink” how they proactively prepare for disaster recovery and resiliency. “Are you aggressively scanning for vulnerabilities and patching before bugs are exploited? Have you tested your backups to see if they actually work? Are your backups protected from being corrupted or deleted by ransomware or other threats, a common adversarial tactic?”
With ransomware attacks increasingly hitting firms, it’s a good idea to be prepared, agrees Josh Jacobson, director of professional services at HackerOne. If you have a system for backing up and recovering, you can restore your network to its state before it was locked down by ransomware, he says.
“Of course, be sure to resolve the root cause, not just recover the systems,” he adds. “Otherwise, you will be in a continuous loop of impact and recovery.”
Incident response planning and system recovery strategies help to limit the damage from attacks such as UnitedHealth, says Benn Morris, CEO of 3B Data Security. “Organisations should have clear, regularly updated plans outlining roles, responsibilities and steps to contain and respond to attacks, alongside frequent testing to identify and fix gaps.”
Better security doesn’t have to be expensive. While complete protection against breaches is impossible, many preventative measures can be implemented at “little or no cost”, says Matt Ellison, technical director at Corelight. “Companies should utilise all available default security features within their existing solutions, as it’s easy to overlook these amid rapid product updates.”
It is understood that UnitedHealth paid the ransomware attackers to regain access to its data. In this case, its decision to pay backfired, says Morris. “Although they got access to their data, a portion was still leaked – and the attackers went on to extort them a second time. There was also no evidence the stolen data was deleted.”
While paying a ransom might seem like the fastest way to resolve a ransomware attack, it is “far from a reliable solution”, says Morris. “There are no guarantees that cyber criminals will honour their promises and that making the payment fulfils their demands – it also reinforces the effectiveness of ransomware attacks, encouraging future incidents.”
Morris says that whether to pay is among the scenarios that can be considered in advance around a table with cyber and PR experts. This helps firms create incident response playbooks “where all the necessary stakeholders have input for differing situations”, he says. Of course, every situation will be unique, and teams must be prepared to adapt and respond.
UnitedHealth acquired Change Healthcare in 2022. The firm “apparently got an unwanted surprise with that”, says Kennet Harpsoe, lead security researcher at Logpoint.
The breach highlights that if you buy a company, you acquire all their cybersecurity “or lack of”, says Harpsoe. “And that can be very expensive.”
UnitedHealth certainly isn’t the first to be breached through a company it had bought. Harpsoe cites the example of the Marriott hack, which saw the hotel giant breached through Starwood, a company it had acquired.
BlackCat was able to break into a server belonging to Change Healthcare using a stolen password because MFA was not enabled.
Apparently, Change Healthcare was compromised through an internet-facing server, where the attackers could log in without MFA, says Harpsoe. “It is well known that internet-facing servers with log-in interfaces are very weak. It is, and has been, one of the most common initial access vectors and is easily exploitable if not protected by at least MFA.”
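The access vector Harpsoe describes, a successful login on an internet-facing host that never presented a second factor, is something a defender can hunt for in authentication logs. The script below is an added example, not code from the article or from any of the companies named in it: the JSON log format, the host inventory and the sample events are all constructed for illustration and assume a remote-access gateway that records whether a second factor was used on each login.

```python
"""Flag interactive logins on internet-facing hosts that completed without a
second factor. Added example: the log format, host inventory and sample lines
are constructed for illustration, not taken from any real system."""
import json
from collections import defaultdict

# Constructed inventory: hosts that expose a login interface to the internet.
INTERNET_FACING = {"vpn-gw-01", "citrix-01"}

# Constructed sample auth events (JSON lines), loosely modelled on what a
# remote-access gateway might emit. These are not real logs.
SAMPLE_LOG = """\
{"ts":"2024-02-12T03:14:07Z","host":"vpn-gw-01","user":"jdoe","src":"198.51.100.23","result":"success","mfa":false}
{"ts":"2024-02-12T03:15:40Z","host":"vpn-gw-01","user":"asmith","src":"203.0.113.9","result":"success","mfa":true}
{"ts":"2024-02-12T03:16:02Z","host":"citrix-01","user":"svc-backup","src":"198.51.100.23","result":"success","mfa":false}
{"ts":"2024-02-12T03:16:55Z","host":"intranet-app","user":"jdoe","src":"10.20.0.5","result":"success","mfa":false}
{"ts":"2024-02-12T03:17:30Z","host":"vpn-gw-01","user":"jdoe","src":"198.51.100.23","result":"failure","mfa":false}
"""


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole hunt
    return events


def find_unprotected_logins(events, internet_facing=INTERNET_FACING):
    """Return successful logins on internet-facing hosts with no second factor.

    Failed attempts and logins on internal-only hosts are left out: the
    condition of interest is a completed login that MFA would have stopped.
    """
    return [
        e for e in events
        if e.get("result") == "success"
        and not e.get("mfa", False)
        and e.get("host") in internet_facing
    ]


def summarise_by_source(findings):
    """Group findings by source IP: one address reaching several accounts or
    hosts without MFA is worth a closer look than a single stray login."""
    by_src = defaultdict(set)
    for e in findings:
        by_src[e["src"]].add((e["host"], e["user"]))
    return {src: sorted(pairs) for src, pairs in by_src.items()}


if __name__ == "__main__":
    found = find_unprotected_logins(parse_events(SAMPLE_LOG))
    for e in found:
        print(f"{e['ts']} {e['host']} user={e['user']} src={e['src']} mfa=False")
    for src, pairs in summarise_by_source(found).items():
        print(f"{src}: {len(pairs)} host/account pair(s) without MFA")
```

On the constructed sample, the two logins from 198.51.100.23 are flagged, while the internal intranet login and the failed attempt are not. The same filter expressed against a SIEM’s own query language gives a standing detection; the inventory of internet-facing hosts is the part that tends to go stale after an acquisition, which is exactly the gap the article describes.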
Adam DiStefano, director of threat and security posture management at eSentire, says that if legacy technology does not support multi-factor authentication, several compensating controls can be explored. “For starters, be sure to use strong passwords.”
The initial access – achieved through compromised credentials without MFA – was “a preventable failure,” says Morris. “MFA is one of the most effective defences against credential-based attacks and should be mandatory across all critical systems, especially those handling sensitive data.”
The fact that such a large company did not have MFA in 2024 is “quite inexcusable,” says Professor Chirantan Chatterjee at the University of Sussex Business School. “JAMA Forum reports that ransomware attacks on health data are now double what they were in 2016, and yet it seems UnitedHealth was blissfully slow to embrace MFA.”
Cyber attacks are a matter of fact, but learning from what went wrong is essential to prevent being hit again. Any publicised breach should be considered a learning opportunity for other organisations, regardless of size, vertical, or the nature of the attack, says Ellison.
If you are attacked via an employee clicking a phishing link, for example, you can shore up your defences based on that. For phishing, says Ellison, firms can consider better training, an improved mail scanning tool, or even an existing feature in the software stack that hasn’t yet been enabled.
If you are reading this now, take note: Having the insight into how another organisation was breached is “extremely valuable,” says Ellison. “Very few organisations intentionally ignore their cybersecurity protections, but many do not go as far as they could, or should, to ensure they are as protected as they can be.”
The UnitedHealth incident was severe and incredibly costly, but lessons must be learned. Always have basic measures in place to prevent attacks; specifically, MFA is a must. Additionally, invest in an incident response plan so that you know what to do in the event of a cyber attack. This will help limit the damage if you are hit.