Categories
Software development

Another day, another healthcare related hacking


Or rather ransomware as a service (RaaS); please refer to this Pensacola News Journal article and search for “Black Basta” for the details. I felt this article was well written. Unfortunately, this one is the place I used to work, Ascension Health (company official note on this cyber security event). I also talked about Ascension from time to time after I left the company in June 2021. Here are some tweets.

Impacts

My first worry is its impact on patients, such as this patient in Wisconsin (I tweeted about it below too). The impact on patients is real and in a way similar to the recent Change Healthcare hack (WSJ; I have a blog post on it too).

It impacts the caregivers too – Ascension cyberattack: Patients, nurses frustrated as problems persist. And all over Ascension’s service area, such as this one in Middle Tennessee, ‘Chaos’: Nurses, visitors describe conditions inside Ascension hospitals after cyberattack. This is very unfortunate for the patients, caregivers and impacted families. I just don’t have words for them – I hope they all can pull through. I will touch upon the evil of the bad actors below.

All this also shows the computerization of medicine (or healthcare), which has its advantages: an electronic medical record in theory at least gives the provider a holistic view of a patient’s health issues. At the same time it shows its fragility (easy to break). A paper-based process is always needed, because no computer system is 100% reliable. This is somewhat like the Disaster Recovery (business continuity) process many decent-sized organizations run, or try to run, in case something horrendous happens (natural disaster, fire and so on). But in real life, how many hospitals or providers have the paper process nailed down and have regularly run DR exercises? For me personally, I only saw a DR exercise in action at Mastercard (I participated in it once as a lead, and it was quite interesting). In fact, to me “production” is also interesting 🙂

Last but not least, if there is no lawsuit, then it’s not America. Central Texas woman sues Ascension following cyberattack: the interesting part of this article is that it talks about RaaS and “Black Basta” in more detail.

Health Insurance

We know the US health care system is very complicated (I wrote a series on this; the 3rd post is here).

Also note Ascension’s insurance (Blue Cross Blue Shield of Michigan) is not that great to begin with, as I learned first hand from my COBRA usage, or rather my attempt to use my COBRA coverage after I left. My new employer’s benefits didn’t kick in immediately and there was a two-month gap.

Why I left Ascension

Below is one reason; the event preceded my leaving. But it was not the only reason. I guess we may say that was the last straw.

Incidentally, I worked at another major Catholic hospital chain in the St. Louis area, and while my experience was not as bad, nonetheless I was not happy on one project: at one time we were briefly asked by management to come in on Saturdays to complete the project “on time”. I knew it was mostly for “a show”, not for actual completion of the project. And we had quite a few people quit (jump ship) during that time.

At both places, I have seen or worked on ambitious projects that started because one executive had the budget, and later had to be abandoned for various reasons. I understand software development projects are notorious for cancellation and budget overrun because of their complexity, the difficulty of estimating them, and changing (or sometimes random) requirements. But I have worked in other industries too, and they usually “fail early, fail faster” (the agile way).

Recent cyber security events that I wrote

Panera Bread System Down

UnitedHealth Group Change Health Hack

Odds and Ends

Before I joined the company (Ascension.org), I encountered some issues (login or single sign-on, SSO, related) at myAscension.org. I still encountered similar issues (I would say about a 33% failure rate) when I was working there. Looking back, this is a red flag for an organization’s IT capability.

If you happen to work in the IT/software development field, think “security, security and security” all the time. It won’t prevent all the hacks, but it’s a good starting point. Btw, once when I was working for Mastercard, I had the fun task of investigating how the bad guys logged into a bank’s rewards redemption website and redeemed air tickets and hotels. One thing I still remember is the “client attorney privilege…” in the email thread; another thing that emotionally drained me was seeing how some people can be that malicious (stealing is bad, and stealing on the internet is just as bad as physically stealing). I also recall that when I was in college, I was robbed twice: once on a bus, someone picked my wallet (when I realized, it was a bit late); another time, someone broke the lock on my drawer and took the money that my dad had recently sent me. Always have “security in mind” in daily life and in IT. Learn as much as you can, such as from this Security in Mind channel on YT.

Last but not least, I understand we are moving towards an “electronic medical record” world, but we probably still need to keep some papers around: prescriptions, vaccination records, testing results etc. Better yet, back them up in iCloud or somewhere you believe is safe, just in case MyChart etc. goes down.

More Coverage in the news

Retired FBI agent weighs in on Ascension cyberattack

Fallout from Ascension cyberattack continues: Michigan pharmacies can’t fill prescriptions

Healthcare leaders praise Ascension cyberattack response

Ascension nurse: Ransomware attack makes caring for hospital patients ‘so, so dangerous’

Delays in cancer treatment. Canceled appointments. Long wait times. Ascension patients still grapple with fallout from cyberattack

How the Ascension cyberattack is disrupting care at hospitals

Ascension Saint Thomas Health patient files class action lawsuit over data breach

Ascension patients still grappling with fallout from cyberattack

Nurses fed up with Ascension Healthcare security breach issues

‘They need to step up’: Retired FBI Special Agent speaks on current Ascension cybersecurity attack

(June 13, 2024 at 7:21 AM) Ascension cyber attack caused by worker who accidentally downloaded malware – Officials: Attackers accessed 7 of 25,000 servers

(06-19-2024) Patients at Ascension hospital network given dangerous doses of narcotics after disastrous cyberattack: “In another case, a female patient suffered a cardiac arrest and died after data mishaps delayed test results that would determine her life-saving treatment.”

(09-19-2024) Ascension posts $1.1B net loss for 2024 after May cyberattack

(12-20-2024) Ransomware attack on health giant Ascension hits 5.6 million patients

(Update 04-29-2025) Ascension data breach impacts patients in 5 states, including Michigan


UnitedHealth Group Change Health hack


(03-02-2025) Wikipedia – Change Healthcare 2024 Cyberattack.

(hyperproof) Understanding the Change Healthcare Breach and Its Impact on Security Compliance

(12-19-2024) How the ransomware attack at Change Healthcare went down: A timeline. (03-02-2025) It seems this article is no longer available.

(04-09-2024) Change Healthcare faces second ransomware dilemma weeks after ALPHV attack || So in summary, a ransomware attack poses two threats: 1) loss of data, if the bad guys encrypt the data; 2) leak of data: in the case where a company or an organization (the victim) restores the data from backup (without paying the attacker), the attacker can threaten to leak the data online (or sell the data to other bad guys on a black market etc.). Basically this is what happened here.

(Update 03-24-2024) It seems Panera Bread, which probably has 2,000 stores in the US, had just experienced a similar issue.

Panera Bread app and kiosk down since 03-23-2024 afternoon
I am speculating the root cause is ransomware attack

I recall a few years ago Panera did have an incident – Panerabread.com Leaks Millions of Customer Records

(03-09-2024) I first heard about this a few weeks ago, something like below:

Largest US health insurance network hit by cyberattack, possibly from foreign hackers; over ten thousand pharmacies disrupted

Note it was not in the mainstream news initially, or at least not covered heavily on network TV and so on, until its impact was felt by both providers and patients. Below is some more recent coverage.

Cyberattack Paralyzes the Largest US Health Care Payment System – The New York Times || https://twitter.com/ryanstellar/status/1763666449988751373 || https://twitter.com/zackkanter/status/1765170835919143293 || https://twitter.com/Lis86274333/status/1763351768002355431

EXPLAINER: What to Know About the Change Healthcare Cyberattack | Health News 

Change Healthcare has acknowledged the hack, which reportedly affected billing and care authorization portals. It’s led to prescription backlogs and missed revenue for providers, posing potential threats to worker paychecks and even patient care.

“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants such as Mandiant and Palo Alto Networks on this attack against Change Healthcare’s systems,” Change Healthcare said. “We are actively working to understand the impact to members, patients and customers.”

(My take, lesson learned: follow cyber security best practice; collect only the data that’s necessary)

“The Russian-speaking cybercriminal gang known as AlphV and Blackcat claimed responsibility and said on its darkweb site that it exfiltrated 6 TB of data in the attack against Change Healthcare.”

NPR: Health industry struggles to recover from cyberattack on a unit of UnitedHealth  

PBS has a few reports on that as well: such as this one – How a cyberattack crippled the U.S. health care system

For IT and security professionals

YT Video: 🔒 Ransomware Chaos -Part 2: UnitedHealth Drained…Dishonor among thieves🦹🏻 – The Briefing (thanks to Ryan⭐ Stellar and Mike Martinelli for the YT video; same below)

YT Video: 🔒 Ransomware Chaos: UnitedHealthcare Under Attack by BlackCat Hackers!…youtube.com (this is part 1)

BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare – Krebs on Security On March 3, a BlackCat affiliate posted a complaint to the exclusive Russian-language ransomware forum Ramp saying that Change Healthcare had paid a $22 million ransom for a decryption key, and to prevent four terabytes of stolen data from being published online.

https://twitter.com/zackkanter/status/1765170835919143293 (technical explanation of EDI and Change Healthcare)

Related Incidents

This Change Healthcare incident somehow reminds me of the SolarWinds hack a few years ago. It seems Microsoft has some more work to do, as they are still a popular target for hackers.

SolarWinds hack explained: Everything you need to know || 2020 United States federal government data breach – Wikipedia || Microsoft exploits || SolarWinds exploit

A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.

SWI stock has not done much in the last 5 years, mostly due to this attack.

Also the Kronos attack, which received less media attention (somewhat similar to the UnitedHealth hack). I recall this incident because around that time I was working on a Kronos-based project (an app; the official name of the app is Ascension Nurse Center of Excellence). It didn’t work out for various reasons, after the company sank millions of dollars into the project.

(The Garmin breach/incident happened in the year 2020, Velo) How did the Garmin cyber attack happen, and what does it mean for users? || 6 Things to Learn from the Garmin Security Breach (Terranova Security)

Some other questions:

Legality aside, does paying the ransom encourage the hackers? See also Incident Of The Week: Garmin Pays $10 Million To Ransomware Hackers Who Rendered Systems Useless. But from a business’s perspective, they are usually between a rock and a hard place: if they don’t pay, they usually don’t know how long it will take them to recover the data, if at all; and if they pay up, they are essentially working with the bad guy (or encouraging the bad guy).

Can we ever negotiate with or trust the hackers (the bad guys)? || This somehow reminded me of my personal experience when I was working for one of the major credit card companies (their loyalty and rewards platform), and at one time I was assigned to investigate the root cause of an incident in which the bad guys (or girls) logged into some cardholders’ loyalty redemption website quickly after the website launched, and redeemed their points for air tickets or hotel bookings. At the time, amid the tedious work, I asked myself: how come in this world there are evil people like that?

Another question I had for the UnitedHealth Group (Change Healthcare) hacking: if this is the notorious Russian hacking group BlackCat, can the US government do something about it (hint: retaliation)?