Ransomware in Healthcare Explained Through the Change Healthcare Attack

16 January 2025

The healthcare sector has become the #1 target of ransomware in the US [1], with devastating consequences for patient safety, operations, and data privacy. In 2023 alone, over 133 million healthcare records were exposed, stolen, or compromised [2]. This alarming trend escalated in 2024 with a wave of cyberattacks on hospitals and critical health infrastructure. The breach at Change Healthcare in February 2024 marked the largest ransomware attack on protected health information in US history. Over 100 million personal, financial, and healthcare records were compromised, systems were forced offline for months, and billing processes for healthcare providers nationwide were disrupted, leading to severe cashflow problems [3].

The financial toll of ransomware is staggering. By mid-2024, the median ransom payment had skyrocketed to $1.5 million, up from $200,000 in early 2023 [4]. But the costs don’t end there—recovery expenses in healthcare averaged $2.57 million in 2024 [5]. Downtime alone costs healthcare organizations an average of $1.9 million per day [6].

These figures highlight the immense economic pressure ransomware attacks place on the healthcare sector. This unprecedented scale underscores the urgent need for stronger defenses across the healthcare industry.

This blog post explains what ransomware is, why healthcare is uniquely vulnerable, and how solutions such as Privileged Access Management (PAM), Identity Governance and Administration (IGA), and Access Management can provide critical protection—illustrated with the Change Healthcare attack as a real-life example.

What is Ransomware?

Ransomware is malicious software that encrypts an organization’s data, rendering it inaccessible. Attackers then demand a ransom—often paid in cryptocurrency—for the decryption key. Modern ransomware goes beyond encryption, exfiltrating sensitive data to leverage double extortion: payment for decryption and to prevent public exposure of stolen information.

Ransomware attacks typically follow this pattern:

  1. Access: Attackers infiltrate networks through phishing, unpatched software, or compromised credentials. In the Change Healthcare attack, hackers exploited a single set of credentials from a low-level support employee. This account lacked multi-factor authentication (MFA), enabling the attackers to gain entry.
  2. Initiation: Once inside, attackers establish control and deploy ransomware to encrypt systems, locking data and crippling operations. At Change Healthcare, hackers spent nine days moving laterally, stealing six terabytes of sensitive data, and preparing the ransomware deployment that ultimately forced critical systems offline for months.
  3. Ransom: Attackers demand payment for decryption keys or to prevent data leaks, often using cryptocurrency to maintain anonymity. Change Healthcare paid $22 million in ransom, but the payment failed to secure the stolen data, highlighting the risks of negotiating with ransomware gangs [3].

Types of Ransomware in Action

Ransomware has evolved into several forms, each with unique methods of disruption and extortion. Understanding these types is crucial for recognizing threats and tailoring defenses.

Crypto Ransomware/Encryptors

This is the most damaging type, encrypting files and rendering them inaccessible without a decryption key. The Change Healthcare attack prominently showcased this type of ransomware: critical systems were encrypted, forcing them offline for months and causing immense damage.

Doxware/Leakware

Doxware threatens to publish sensitive data unless a ransom is paid, leveraging reputational harm and data misuse as pressure. In the Change Healthcare breach, attackers exfiltrated six terabytes of sensitive information and used it in a double extortion scheme, demanding payment while threatening to expose the data. Although $22 million in ransom was paid to the ALPHV ransomware group, the attackers retained the stolen data and vanished, leaving Change Healthcare exposed despite the payment.

Ransomware-as-a-Service (RaaS)

RaaS has commoditized ransomware, enabling attackers to lease malware tools and execute attacks with ease. The Change Healthcare attack was orchestrated by ALPHV affiliates using pre-built malware developed by the group, which takes a share of ransom profits. This highlights how RaaS lowers barriers to executing high-impact campaigns.

Other forms of ransomware, such as Lockers, which completely lock users out of their systems, and Scareware, which falsely claims to detect issues and demands payment, were not observed in this case. However, understanding their existence is key to preparing for varied threats.

Why Healthcare is a Prime Target for Ransomware

The healthcare sector is a prime target for ransomware attackers due to unique vulnerabilities and the critical nature of its operations.

High-Value Data

Healthcare organizations store vast amounts of highly sensitive information, including personal details, financial records, and medical histories. This data is invaluable to cybercriminals for selling on the black market, identity theft, or extortion schemes. The lucrative nature of this information makes healthcare a top priority for cybercriminals. Change Healthcare exemplifies this risk as one of the largest processors of U.S. medical data. Despite paying a $22 million ransom to prevent the publication of the stolen, highly sensitive patient data, the company failed to secure the information, which remained in the hands of the attackers.

Breaches like this can expose organizations to significant legal and financial risks under the Health Insurance Portability and Accountability Act (HIPAA) [7]. While a cyberattack involving access to Protected Health Information (PHI) is not automatically a HIPAA violation, the act mandates strict safeguards for PHI and requires organizations to mitigate risks and vulnerabilities to a reasonable and appropriate level. Compliance with HIPAA’s rules, such as the Privacy, Security, and Breach Notification Rules, is essential to avoid penalties.

Failure to meet these standards can result in penalties ranging from $141 to over $2 million per violation, with deliberate violations potentially leading to criminal charges [8]. Change Healthcare is currently under investigation to determine if violations occurred.

For more details on HIPAA’s Penalty Structure and guidelines, visit the HIPAA Journal site. A HIPAA compliance checklist is also available to help organizations align with these requirements.

Operational Urgency

Downtime in healthcare can be life-threatening and very costly, with each day costing healthcare organizations an average of $1.9 million [6]. Hospitals and providers rely on uninterrupted access to electronic health records, medical devices, and communication systems to deliver patient care. Beyond delaying or denying care, outages can disrupt critical functions like monitoring patient vitals during procedures. Incident response protocols—intended to guide healthcare organizations during downtimes—are not always fully followed. The immense operational pressure often forces organizations to pay ransoms to restore operations quickly, further incentivizing attackers.

However, the overall costs of an attack can far surpass the ransom. In the Change Healthcare case, the cost of the ransomware attack rose to $2.87 billion in 2024 [3]. This includes recovery efforts, lost revenue, operational disruptions, and loans paid to providers affected by the outage.

Expanded Attack Surfaces

The shift to telehealth services, the proliferation of IoT medical devices, and the increase in remote work environments have broadened the attack surface for healthcare organizations. Each new digital endpoint becomes a potential vulnerability for attackers to exploit.

Adding to this risk, many large healthcare organizations rely on network equipment from vendors such as Aruba and Meraki, which can pose risks if not properly secured, potentially exposing internal network traffic to attackers and increasing breach opportunities.

Legacy Systems

Many healthcare providers rely on outdated IT systems lacking modern security protocols. These legacy systems often have unpatched vulnerabilities, providing easy entry points for attackers. Updating or replacing these systems can be costly and time-consuming, leaving organizations exposed. For Change Healthcare, outdated and poorly segmented IT systems facilitated attackers in exploiting vulnerabilities, enabling them to carry out this large-scale breach.

The Consequences of Ransomware in Healthcare

The impact of ransomware on healthcare goes far beyond financial losses, threatening patient safety, operational continuity, and institutional survival. In the case of Change Healthcare, ransomware exposed sensitive records of over 100 million individuals and forced the organization to shut down its network to isolate intruders and contain the breach. This action, while necessary, disrupted billing processes nationwide, leaving healthcare providers unable to receive payments and exacerbating financial strain.

In other cases, ransomware has postponed medical procedures and delayed emergency care, putting patient lives at risk. Smaller healthcare facilities may suffer such severe financial and reputational damage that they are forced to close permanently. These incidents underscore the devastating toll ransomware takes on healthcare organizations, highlighting the urgent need for robust cybersecurity measures to protect both operations and patients.

How PAM, IGA, and AM Could Have Changed the Game for Change Healthcare

The Change Healthcare attack highlights how gaps in access control can amplify the impact of ransomware. One of the biggest data breaches in U.S. history was entirely preventable. Proactive measures through Access Management (AM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA) could have drastically reduced vulnerabilities and mitigated the attack’s consequences.

Access Management and Zero Trust

Multi-Factor Authentication (MFA) was a critical missing element in the Change Healthcare attack. The breach occurred because attackers exploited the credentials of a low-level customer support employee, which were posted in a Telegram group selling stolen data. These credentials allowed access via a Citrix remote access service that lacked MFA—a basic security feature that could have thwarted the attack by requiring additional verification.

Had MFA been in place, the attackers would have been unable to gain entry using just a stolen password. Beyond MFA, other measures could have further contained the attack:

  • Continuous Verification would have ensured that even if initial access was gained, ongoing identity checks would flag suspicious activity and prevent further exploitation.
  • Micro-Segmentation could have limited lateral movement within the network, isolating systems and preventing attackers from deploying ransomware or exfiltrating data across servers.

→ Explore how Access Management and Zero Trust enhance healthcare security here.

Privileged Access Management (PAM)

Privileged Access Management (PAM) is specifically designed to secure the privileged accounts that attackers frequently target. In the Change Healthcare breach, the absence of robust PAM measures enabled attackers to infiltrate systems, escalate privileges, and deploy ransomware. Here’s how PAM could have changed the outcome:

  • Enforcing Least Privilege: PAM could have restricted the compromised support employee account to minimal access, ensuring it lacked permissions to critical systems. Instead, the attackers used the stolen credentials to create privileged administrative accounts, exfiltrate vast amounts of sensitive data, and install ransomware undetected.
  • Real-Time Monitoring: PAM’s continuous monitoring could have flagged unusual behavior, such as the creation of privileged accounts or attempts to exfiltrate large volumes of data. The intrusion at Change Healthcare went undetected for nine days, allowing attackers to prepare and execute their ransomware campaign. Real-time monitoring would have enabled a swift response, potentially stopping the attack before encryption occurred.
  • Securing Remote Access: PAM could have enforced stricter access protocols for remote connections, particularly given the extensive third-party ecosystem Change Healthcare supports. This would have prevented attackers from exploiting weak access controls and infiltrating the network.

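The two monitoring signals named above, the creation of privileged accounts and the movement of unusually large volumes of data, can be expressed as simple rules over an audit trail. The following is an added example, not code from the original post or from any PAM product, that runs two such rules over constructed audit events. The event fields, the account-to-role directory, the privileged group names and the 50 GiB daily egress budget are all assumptions made for illustration.

```python
"""Added example: two PAM-style monitoring rules over constructed audit events.
Event format, account roles, group names and thresholds are assumptions."""
from collections import defaultdict

# Groups whose membership changes should always be reviewed (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Assumed identity directory: the role each account is supposed to hold.
ACCOUNT_ROLE = {
    "support.user": "support",
    "it.admin": "administrator",
    "billing.clerk": "billing",
}

# Constructed per-account daily egress budget; a real deployment would
# learn a baseline per role rather than use one fixed number.
EGRESS_LIMIT_BYTES = 50 * 1024**3  # 50 GiB

# Constructed sample events; timestamps, names and sizes are invented.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01T01:02:00", "actor": "support.user", "action": "login",
     "target": "remote-gateway", "bytes_out": 0},
    {"ts": "2025-01-01T01:10:00", "actor": "support.user", "action": "group_add",
     "target": "Domain Admins", "bytes_out": 0},
    {"ts": "2025-01-01T02:00:00", "actor": "support.user", "action": "file_read",
     "target": "fileshare-01", "bytes_out": 40 * 1024**3},
    {"ts": "2025-01-01T03:30:00", "actor": "support.user", "action": "file_read",
     "target": "fileshare-02", "bytes_out": 35 * 1024**3},
    {"ts": "2025-01-01T09:00:00", "actor": "it.admin", "action": "group_add",
     "target": "Backup Operators", "bytes_out": 0},
    {"ts": "2025-01-01T10:00:00", "actor": "billing.clerk", "action": "file_read",
     "target": "claims-db", "bytes_out": 2 * 1024**3},
]


def privileged_group_alerts(events, account_role=ACCOUNT_ROLE):
    """Rule 1: a non-administrator account adds a member to a privileged group."""
    alerts = []
    for e in events:
        if e["action"] != "group_add" or e["target"] not in PRIVILEGED_GROUPS:
            continue
        if account_role.get(e["actor"]) != "administrator":
            alerts.append({"rule": "privileged_group_change", "actor": e["actor"],
                           "group": e["target"], "ts": e["ts"]})
    return alerts


def egress_alerts(events, limit=EGRESS_LIMIT_BYTES):
    """Rule 2: cumulative bytes sent by one account on one day exceed the budget."""
    totals = defaultdict(int)
    for e in events:
        day = e["ts"][:10]  # ISO timestamp prefix "YYYY-MM-DD"
        totals[(e["actor"], day)] += e["bytes_out"]
    return [{"rule": "egress_volume", "actor": actor, "day": day, "bytes": total}
            for (actor, day), total in sorted(totals.items()) if total > limit]


def run_rules(events):
    """Run every rule and return the combined list of alerts."""
    return privileged_group_alerts(events) + egress_alerts(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the support account trips both rules (it joins a privileged group and moves 75 GiB in one day), while the administrator's legitimate group change and the billing clerk's small read produce nothing. The value of pairing the rules is that either signal alone is noisy; an account that matches both within hours is what real-time monitoring should escalate first.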
→ Learn more about how PAM protects healthcare organizations from ransomware here.

Identity Governance and Administration (IGA)

IGA addresses vulnerabilities by managing access rights and ensuring they align with organizational policies. Robust IGA practices could have significantly mitigated the impact of the breach:

  • Role-Based Access Controls (RBAC) would have limited lateral movement by the attackers, restricting their ability to traverse the network and escalate access to critical systems. Change Healthcare’s poorly segmented IT systems allowed hackers to disable both primary and backup systems, forcing a total shutdown. Proper segmentation combined with RBAC could have confined the breach to a single segment, reducing its scope.
  • Continuous Auditing: Anomalies in user behavior, such as the compromised account accessing systems outside its typical scope, could have been flagged through regular audits. Early detection of these red flags might have triggered intervention before the attackers could exfiltrate data or deploy ransomware.
  • Identity Lifecycle Management could have ensured that access permissions for all accounts were continuously updated, with unused or unnecessary accounts promptly deactivated.

→ Dive deeper into IGA’s role in ransomware prevention here.

Proactive Steps for Healthcare Organizations

Effectively defending against ransomware requires a proactive approach that combines strategic planning, advanced tools, and consistent vigilance. The following steps offer a starting point for healthcare organizations to strengthen their defenses:

  1. Perform a Risk Assessment: Identify and address vulnerabilities in your IT infrastructure, prioritizing critical risks such as outdated systems or insufficient access controls.
  2. Develop an Incident Response Plan: Prepare your team to act swiftly during an attack, with clear protocols for isolating systems, recovering data, and communicating with stakeholders.
  3. Train Your Staff: Equip employees to recognize phishing attempts and other ransomware tactics, reducing the risk of human error.
  4. Deploy Advanced Tools: Implement solutions like PAM, IGA, and Zero Trust to secure access, monitor activity, and contain threats before they escalate.

Implementing these steps can be complex and resource-intensive. That’s where iC Consult can help. As experts in identity-driven cybersecurity, we deliver tailored PAM, IGA, and Access Management solutions to protect your systems, data, and patients.

Contact us today to strengthen your defenses against ransomware and other cyber threats.

References

[1] FBI, Internet Crime Report 2023. https://www.ic3.gov/AnnualReport/Reports/2023_ic3report.pdf

[2] HIPAA Journal, Healthcare Data Breach Statistics, 2024. https://www.hipaajournal.com/healthcare-data-breach-statistics/

[3] HIPAA Journal, Nebraska Sues Change Healthcare Over February Ransomware Attack, 2024. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/

[4] Chainalysis, 2024 Crypto Crime Mid-year Update Part 1: Cybercrime Climbs as Exchange Thieves and Ransomware Attackers Grow Bolder, 2024. https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/

[5] Sophos, The State of Ransomware 2024, February 2024. https://www.sophos.com/en-us/content/state-of-ransomware

[6] Comparitech, 2024. https://www.comparitech.com/news/ransomware-attacks-hospitals-data/

[7] U.S. Department of Health and Human Services, HIPAA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html

[8] HIPAA Journal, What are the Penalties for HIPAA Violations?, 2024. https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/