HEALTH Yay work made the news: Tens of thousands of pharmacies across America unable to get prescriptions to patients after major cyberattack

Tex88

Veteran Member

Tens of thousands of pharmacies across America unable to get prescriptions to patients after major...

Emily Joshu, Reuters

A cyberattack on America's biggest health insurer has left pharmacies unable to fill prescriptions across the country.
UnitedHealth said tens of thousands of pharmacies were impacted by the hack it suspects was a state-sponsored attack.
The hack began on Wednesday, preventing several pharmacies from processing prescriptions to insurance companies.
It is unclear how many patients are affected but UnitedHealth serves about 7.7 million customers nationwide.

CVS Health said that the hack meant that, 'in certain cases,' it was unable to process insurance claims. Pharmacies like Walgreens and Publix
There is no evidence that the two events are related, but the FBI and Homeland Security are investigating the latter.

UnitedHealth said Thursday that its Change Healthcare unit, which processes prescriptions to pharmacies across the country, was compromised by a 'suspected nation-state associated cyber security threat actor.'

Several prescription providers announced that they were impacted by the hack.

CVS Health, which has more than 9,000 pharmacies, said that the hack meant that, 'in certain cases' it was unable to process insurance claims.

'We're committed to ensuring access to care as we navigate through this interruption,' the company's statement said. A spokesman for the chain did not immediately provide further details.

Walgreens, which serves nine million customers, said a 'small percentage' of its prescriptions 'may be affected,' but that the company had safeguards in place to process and fill them 'with minimal delay or interruption.'

The company said it had no additional information to share about the incident.

Publix Super Markets didn't immediately respond to a request for comment, but on social media some users complained of issues when trying to fill their prescriptions.

'This is a nationwide disruption,' Publix said in a response to one user on X, formerly known as Twitter.

Other companies including GoodRX and BlueCross BlueShield of Montana also flagged potential disruptions on social media.

'We apologize for any outages you have been experiencing while at the pharmacy,' GoodRx wrote on X.

'Unfortunately, the issue is an external one impacting both GoodRx and a multitude of providers.'

'Our team is aware of the issue and working to ensure it is resolved. We appreciate your patience!'

Naval Hospital Camp Pendleton, a military health system in California, wrote on X: 'Due to an ongoing enterprise-wide issue, all Camp Pendleton and associated pharmacies are unable to process any prescription claims.'

'We are only able to assist patients with emergency and urgent prescriptions from hospital providers at this time.'

The hospital's website states that 'Naval Hospital Camp Pendleton and associated pharmacies will provide outpatient prescriptions through a manual procedure until this issue is resolved.'

'Priority will be given to urgent prescriptions followed by routine prescriptions as manning and resources allow.'

Independent pharmacies also reported issues.

-----------

Now... two things: I removed some barely relevant fluff. And on the other hand: NOPE! It was not just "pharmacies unable to fill prescriptions".
The relevant part of the article is this:

UnitedHealth said Thursday that its Change Healthcare unit, which processes prescriptions to pharmacies across the country, was compromised by a 'suspected nation-state associated cyber security threat actor.'

This is effin MAJOR and affected "my work" a lot this week. Not going into too many details that are irrelevant, like where I am in this (I'm in there), but this is a MAJOR back end hack of patient data, hospital and provider systems and we had to go so far as to cut Change Healthcare out of our systems yesterday.
 
Last edited:

Tex88

Veteran Member
Ooooh now the thot plickens!


A week after a cyberattack disrupted insurance processing at pharmacies across the US, health care professionals from Maryland to New York tell CNN that the hack continues to upend their businesses, potentially cutting into revenue.


Raeya Disney, a psychotherapist who treats trauma victims in Maryland, said she worries she is “at risk of having to give up my office space” if the billing outage continues much longer.


“I’ve begun manually billing and I’m praying that I will be paid,” Disney told CNN.


Purvi Parikh, an allergist with a private practice in New York, said the hacking incident “just puts a lot more burden on physician practices, hospitals, pharmacies that now are scrambling to figure out the alternatives of how to get claims submitted or fill prescriptions.”


Parikh hasn’t been able to submit claims to insurance carriers for a week, she said.


It’s all part of the fallout from a cyberattack that a week ago hit Change Healthcare, a unit of health IT giant UnitedHealth that processes prescriptions to insurance for tens of thousands of pharmacies nationwide.


Carter Groome, chief executive of First Health Advisory, a cybersecurity firm whose clients include big health care organizations, estimated that some health care providers are losing more than $100 million per day because of the outage.


“That’s just not sustainable in an industry with not a lot of cash on hand,” Groome told CNN.


“This is our Colonial Pipeline,” he said, referring to a 2021 ransomware attack on one of America’s biggest pipelines that disrupted fuel shipments for days and cemented ransomware as a national security concern in the minds of senior US officials.


In the wake of the hack, Elevance Health, which owns Anthem Blue Cross and Blue Shield and insures millions of Americans, has severed network connections to Change Healthcare “out of an abundance of caution,” Elevance spokesperson Leslie Porras told CNN in an email.


“The ability for our members to access medical care, services or fill their prescriptions remains unaffected,” Porras said.


As of Wednesday morning, Change Healthcare said the company’s affected network was still offline. Tyler Mason, a company spokesperson, said that insurance claims submissions have returned to “pre-disruption levels” because health care providers are using “alternative clearing houses” to submit claims.


Mason said that doctors and patients can use these workarounds to address the problems described by Parikh and Disney.


“Since identifying the cyber incident, we have worked closely with customers and clients to ensure people have access to the medications and the care they need,” Mason said in an email. “As we remediate, the most impacted partners are those who have disconnected from our systems and/or have not chosen to execute workarounds.”


But confusion among some health care professionals about how to adapt to the situation remains.


Amy Cizik, a health care researcher in Utah, has been trying to get her pharmacy in Salt Lake City to process her insurance for days. Her 16-year-old daughter has a rare genetic syndrome and takes multiple medications to manage the conditions that come with the syndrome, Cizik told CNN.


“She needs the drug to function at school, to function well in our household,” Cizik said.


With medication running out, Cizik said she spent an hour on the phone Tuesday trying to resolve the situation. The pharmacy transferred her to the insurance provider, which transferred her to another firm that handles prescription drug benefits on behalf of insurers.


No one could resolve the issue, she said.


“As somebody who has a child with chronic illness with multiple prescriptions who works a fulltime job, me caring for her is a whole other job that I do,” she said. “And this is just adding to that.”


Cizik said the pharmacy was finally able to process her insurance on Wednesday morning, narrowly avoiding having to pay $1,000 over the counter for the medication.


Senior US cyber officials have been concerned about the cyberattack from the moment that news of the hack broke. Officials from the FBI and departments of Health and Human Service (HHS) and Homeland Security have held regular calls for days to try to get a handle on the problem, CNN previously reported.


Andrea Palm, the deputy HHS secretary, told CNN on Tuesday that the department continues to be in close touch with Change Healthcare as the company tries to restore its network.


Forensic evidence recovered in the investigation indicates that a prolific ransomware gang was responsible for the hack, according to private briefings Change Healthcare executives have given to other health care executives, two people familiar with the conversations told CNN.


The ransomware gang, which includes Russian-speaking cybercriminals, rents out their so-called malicious software, known as ALPHV or BlackCat. Hackers using the malware have claimed a slew of attacks on US universities, health care providers and hotels in the last 18 months. On Wednesday, the ransomware gang claimed responsibility for hacking Change Healthcare, listing the company as a victim on its dark-web site.


Reuters first reported on the connection between ALPHV ransomware and the Change Healthcare hack.


The Justice Department in December announced an operation targeting the ALPHV gang, including the seizure of some of its computer infrastructure. But well-oiled cybercriminal groups often bounce back from US law enforcement crackdowns.


As of Tuesday afternoon, the American Hospital Association (AHA), an industry group that represents thousands of hospitals and health care clinics across the US, was still receiving reports from members that the cyberattack was interfering with the processing of insurance claims, John Riggi, AHA’s national advisor for cybersecurity and risk, told CNN.


“This was a systemic attack,” Riggi said. “This was an attack not only on Change Healthcare. This was an attack on the entire health care sector.”
 

Macgyver

Has No Life - Lives on TB
Raeya Disney, a psychotherapist who treats trauma victims in Maryland, said she worries she is “at risk of having to give up my office space” if the billing outage continues much longer.
I see this as a very sad statement.
You can't stay in business because you can't submit payment requests for a week?
You probably should have gone to business school instead of medical.
 

Tex88

Veteran Member
Once more, this isn’t just about pharmacies and prescriptions, it’s ALL patient data, health and financial, like your nurse won’t even be able to verify if you got insurance or connect your lab results to you.
The “pharmacies can’t get your prescriptions” is just the part they’re admitting to.
 
Last edited:

dunebuggy

Contributing Member
Karl Denninger has a post about this on his site today. And one of his readers posted the update below, which jibes with what Tex88 has been saying. This is serious sh!t, and we're 10 days into it with no resolution.


Now about Change Healthcare, I have a front row seat, my employer does business with Change, I'm on the security team, and I've been interviewing their competitors.

1. Change HC has been lying from Day 1 about the breadth and depth of their incident. They have routinely withheld information.

2. Change HC claimed a nation state actor (foreign government) attacked them. Um, no, just the normal ransomware crooks. The outfit that got them is both skilled and very successful.

3. Change HC's executive team doesn't give a shit about cyber security which is why they've been down for ten days. They have not demonstrated the ability to restore services, and they obviously have not been running a tight ship.

4. Change HC's competitors are no better at cybersecurity. Every single one we've spoken to has had a breach or incident in the last year.

The government has been treating this like a Big Deal because the armed services healthcare org uses Change and they've had their own difficulties.
 

Tex88

Veteran Member
Karl Denninger has a post about this on his site today. And one of his readers posted the update below, which jibes with what Tex88 has been saying. This is serious sh!t, and we're 10 days into it with no resolution.


Now about Change Healthcare, I have a front row seat, my employer does business with Change, I'm on the security team, and I've been interviewing their competitors.

1. Change HC has been lying from Day 1 about the breadth and depth of their incident. They have routinely withheld information.

2. Change HC claimed a nation state actor (foreign government) attacked them. Um, no, just the normal ransomware crooks. The outfit that got them is both skilled and very successful.

3. Change HC's executive team doesn't give a shit about cyber security which is why they've been down for ten days. They have not demonstrated the ability to restore services, and they obviously have not been running a tight ship.

4. Change HC's competitors are no better at cybersecurity. Every single one we've spoken to has had a breach or incident in the last year.

The government has been treating this like a Big Deal because the armed services healthcare org uses Change and they've had their own difficulties.

Indeed. And with more details emerging semi-publicly, I can post more without telling on myself LOL.


US Government Warns Healthcare is Biggest Target for BlackCat Affiliat


James Coker

The US government has warned the healthcare sector that it is now the biggest target of the BlackCat ransomware group.
The joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), noted of the nearly 70 leaked victims of BlackCat since mid-December 2023, healthcare has been the most commonly victimized industry.
This follows a post by a BlackCat administrator encouraging affiliates to target hospitals in early December in response to law enforcement action taking down the Russian-speaking group’s leak site.
The group appeared to “unseize” its leak site shortly after the announcement.
BlackCat, also known as ALPHV, is reportedly behind the ongoing cyber incident affecting health tech firm Change Healthcare, which was first reported on February 21.

BlackCat Adapts Techniques Following Law Enforcement Operation

The advisory said that BlackCat actors are employing improvised communication methods by creating victim-specific emails to notify of the initial compromise.
For example, affiliates offer to provide unsolicited cyber remediation advice as an incentive for making a payment, such as “vulnerability reports” and “security recommendations” to prevent future attacks.
Example BlackCat affiliate ransom note instruction. Source: FBI/CISA/HHS
Additionally, in February 2023, the ransomware-as-a-service (RaaS) operator announced the ALPHV BlackCat Ransomware 2.0 Sphynx update, providing additional features for affiliates, including improved defense evasion.
This updated malware is capable of encrypting both Windows and Linux devices, and VMware instances.

Multifaceted Approach to Accessing Victim Networks

The agencies highlighted that many BlackCat affiliates employ advanced social engineering techniques to gain initial access, after undertaking open-source research on targets.
Threat actors frequently pose as company IT or helpdesk staff via phone calls or SMS messages to obtain credentials from employees.
After gaining access to the organization’s network, a sophisticated process takes place to gain access to the network and exfiltrate sensitive data.
Affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration, the advisory noted.
The attackers then create a user account, and gain domain access via Kerberos token generation. After gaining access, they use legitimate remote access and tunneling tools.
Tools like Cobalt Strike and Brute Ratel C4 provide “beacons” to command and control servers, while open-source adversary-in-the-middle (AitM) attack framework Evilginx2 enables them to obtain multifactor authentication (MFA) credentials, login credentials and session cookies.
While moving laterally through the network, affiliates employ allowlisted applications such as Metasploit to evade detection.
Mega.nz or Dropbox are used to move, exfiltrate, and/or download victim data, before finally the ransomware is deployed, with a ransom note embedded as a file.txt.
BlackCat affiliates communicate with victims via TOR, Tox, email, or encrypted applications.
Uniform resource locators (URLs) are sometimes used to live-chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.
Some affiliates exfiltrate data after gaining access and extort victims without deploying ransomware, the agencies added.

How to Mitigate BlackCat Affiliate Attacks

The advisory highlighted a range of measures to tackle the common approaches employed by BlackCat affiliates. These include:
  • Secure remote access tools by implementing application controls to manage and control execution of software
  • Implement phishing-resistant MFA, such as FIDO/WebAuthn authentication
  • Use network monitoring tools to identify, detect and investigate abnormal activity and potential traversal of the indicated ransomware
  • Adopt internal mail and messaging monitoring to identify suspicious activity
  • Employ user awareness training on how to identify social engineering and phishing attacks

BlackCat Reportedly Behind Change Healthcare Incident

The BlackCat group has reportedly claimed responsibility for the ongoing cyber-attack against Change Healthcare, stating on its dark web site that it exfiltrated 6TB of data from the firm. However, the claim was subsequently removed without explanation.
Change, which has merged with Optum, a subsidiary of healthcare giant UnitedHealth Group, is still experiencing disruption to its services more than a week after the attack was first reported.
UnitedHealth has access to around one-third of US patients and handles 15 billion healthcare transactions annually.
In a filing to the US Securities and Exchange Commission (SEC), UnitedHealth said the attack was perpetrated by a “suspected nation-state associated cybersecurity threat actor.”
Change said it is working on multiple approaches to restore the impacted environment, “and will not take any shortcuts or take any additional risk as we bring our systems back online.”
The incident has disrupted healthcare services, including prescriptions, throughout the US.
The American Pharmacists Association (APhA) reported on February 23 that many pharmacies throughout America could not transmit insurance claims for their patients as a result of the incident.
 

Knoxville's Joker

Has No Life - Lives on TB
The definition of a monopoly would be they're the only ones doing that.
Kind of they are. EVERYONE uses them. They bought out Centricity PACS. That is among one of the largest radiology equipment companies out there. It is either Centricity or GE. Change also makes some consumable products and they are the only sellers of said products. Their interfacing piece also connects everyone to everyone. The penetration is monopoly-like; if they are not a technical monopoly they are very close to being one due to the reach that they have.
 

Knoxville's Joker

Has No Life - Lives on TB
Indeed. And with more details emerging semi-publicly, I can post more without telling on myself LOL.


US Government Warns Healthcare is Biggest Target for BlackCat Affiliat


James Coker

The US government has warned the healthcare sector that it is now the biggest target of the BlackCat ransomware group.
The joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), noted of the nearly 70 leaked victims of BlackCat since mid-December 2023, healthcare has been the most commonly victimized industry.
This follows a post by a BlackCat administrator encouraging affiliates to target hospitals in early December in response to law enforcement action taking down the Russian-speaking group’s leak site.
The group appeared to “unseize” its leak site shortly after the announcement.
BlackCat, also known as ALPHV, is reportedly behind the ongoing cyber incident affecting health tech firm Change Healthcare, which was first reported on February 21.

BlackCat Adapts Techniques Following Law Enforcement Operation

The advisory said that BlackCat actors are employing improvised communication methods by creating victim-specific emails to notify of the initial compromise.
For example, affiliates offer to provide unsolicited cyber remediation advice as an incentive for making a payment, such as “vulnerability reports” and “security recommendations” to prevent future attacks.
Example BlackCat affiliate ransom note instruction. Source: FBI/CISA/HHS
Additionally, in February 2023, the ransomware-as-a-service (RaaS) operator announced the ALPHV BlackCat Ransomware 2.0 Sphynx update, providing additional features for affiliates, including improved defense evasion.
This updated malware is capable of encrypting both Windows and Linux devices, and VMware instances.

Multifaceted Approach to Accessing Victim Networks

The agencies highlighted that many BlackCat affiliates employ advanced social engineering techniques to gain initial access, after undertaking open-source research on targets.
Threat actors frequently pose as company IT or helpdesk staff via phone calls or SMS messages to obtain credentials from employees.
After gaining access to the organization’s network, a sophisticated process takes place to gain access to the network and exfiltrate sensitive data.
Affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration, the advisory noted.
The attackers then create a user account, and gain domain access via Kerberos token generation. After gaining access, they use legitimate remote access and tunneling tools.
Tools like Cobalt Strike and Brute Ratel C4 provide “beacons” to command and control servers, while open-source adversary-in-the-middle (AitM) attack framework Evilginx2 enables them to obtain multifactor authentication (MFA) credentials, login credentials and session cookies.
While moving laterally through the network, affiliates employ allowlisted applications such as Metasploit to evade detection.
Mega.nz or Dropbox are used to move, exfiltrate, and/or download victim data, before finally the ransomware is deployed, with a ransom note embedded as a file.txt.
BlackCat affiliates communicate with victims via TOR, Tox, email, or encrypted applications.
Uniform resource locators (URLs) are sometimes used to live-chat with victims to convey demands and initiate processes to restore the victims’ encrypted files.
Some affiliates exfiltrate data after gaining access and extort victims without deploying ransomware, the agencies added.

How to Mitigate BlackCat Affiliate Attacks

The advisory highlighted a range of measures to tackle the common approaches employed by BlackCat affiliates. These include:
  • Secure remote access tools by implementing application controls to manage and control execution of software
  • Implement phishing-resistant MFA, such as FIDO/WebAuthn authentication
  • Use network monitoring tools to identify, detect and investigate abnormal activity and potential traversal of the indicated ransomware
  • Adopt internal mail and messaging monitoring to identify suspicious activity
  • Employ user awareness training on how to identify social engineering and phishing attacks

BlackCat Reportedly Behind Change Healthcare Incident

The BlackCat group has reportedly claimed responsibility for the ongoing cyber-attack against Change Healthcare, stating on its dark web site that it exfiltrated 6TB of data from the firm. However, the claim was subsequently removed without explanation.
Change, which has merged with Optum, a subsidiary of healthcare giant UnitedHealth Group, is still experiencing disruption to its services more than a week after the attack was first reported.
UnitedHealth has access to around one-third of US patients and handles 15 billion healthcare transactions annually.
In a filing to the US Securities and Exchange Commission (SEC), UnitedHealth said the attack was perpetrated by a “suspected nation-state associated cybersecurity threat actor.”
Change said it is working on multiple approaches to restore the impacted environment, “and will not take any shortcuts or take any additional risk as we bring our systems back online.”
The incident has disrupted healthcare services, including prescriptions, throughout the US.
The American Pharmacists Association (APhA) reported on February 23 that many pharmacies throughout America could not transmit insurance claims for their patients as a result of the incident.
What this is going to push for more is offline backups that go offline the moment a backup completes. This is also going to push for more storage and more stringent data security policies. For too many decades medical care was about convenience over security and we are now seeing it flip to security over convenience.
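The advisory's mitigation list (quoted in Tex88's post above and again in this one) puts application controls on remote-access tools first, and the earlier section names the tools affiliates stage before exfiltration: AnyDesk, Splashtop, Mega sync, Dropbox. As an added example, not code from the article, the advisory or any of the posters, the Python below shows what that control looks like when expressed as a detection rule over process-creation events: it identifies those tool families from the process image path, flags any execution on a host group where the tool is not permitted, and flags a permitted tool launched from an unmanaged location such as a user profile (the portable-copy case). The one-JSON-object-per-line event format, the field names, the host groups, the allowlist, the approved install directories and every sample log line are constructed assumptions for this example, not data from the incident.

```python
"""Application-control style check for remote-access and sync tools.

Added example: reads normalised process-creation events (one JSON object
per line; the field names are an assumption of this example), identifies
the tool families the FBI/CISA/HHS advisory names, and reports executions
that an organisation's allowlist does not permit.
"""
import json
from dataclasses import dataclass

# Tool families from the advisory, keyed by a case-insensitive substring of the
# process image path. Substring matching is a simplification assumed here; a
# production rule would also pin publisher signatures or file hashes.
TOOL_SIGNATURES = {
    "anydesk": "AnyDesk",
    "splashtop": "Splashtop",
    "megasync": "MEGAsync",
    "dropbox": "Dropbox",
}

# Constructed policy: only the helpdesk jump hosts may run Splashtop; no other
# host group may run any of the listed tools.
ALLOWLIST = {
    "helpdesk": {"Splashtop"},
    "clinical": set(),
    "server": set(),
}

# Directories the organisation expects managed installs to run from (assumed).
APPROVED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    severity: str
    reason: str


def identify_tool(image):
    """Return the advisory tool family for an image path, or None."""
    low = image.lower()
    for needle, name in TOOL_SIGNATURES.items():
        if needle in low:
            return name
    return None


def evaluate(event, allowlist=ALLOWLIST):
    """Apply the allowlist to one event; return a Finding or None."""
    tool = identify_tool(event.get("image", ""))
    if tool is None:
        return None
    group = event.get("host_group", "unknown")
    if tool not in allowlist.get(group, set()):
        return Finding(event["host"], event["user"], tool, "high",
                       f"{tool} is not permitted on host group '{group}'")
    if not event["image"].lower().startswith(APPROVED_DIRS):
        return Finding(event["host"], event["user"], tool, "medium",
                       f"permitted tool launched from unmanaged path {event['image']}")
    return None


def scan(lines, allowlist=ALLOWLIST):
    """Run evaluate() over log lines, skipping blank or malformed ones."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a real pipeline would count these separately
        finding = evaluate(event, allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events; none of these come from the incident discussed.
SAMPLE_LOG = r'''
{"host": "ward3-pc07", "host_group": "clinical", "user": "nurse1", "image": "C:\\Users\\nurse1\\AppData\\Local\\Temp\\AnyDesk.exe"}
{"host": "hd-jump01", "host_group": "helpdesk", "user": "hdtech", "image": "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe"}
{"host": "hd-jump02", "host_group": "helpdesk", "user": "hdtech2", "image": "C:\\Users\\hdtech2\\Downloads\\Splashtop_Streamer.exe"}
{"host": "fileserv1", "host_group": "server", "user": "svc_backup", "image": "C:\\Users\\svc_backup\\AppData\\Local\\MEGAsync\\MEGAsync.exe"}
{"host": "ward3-pc08", "host_group": "clinical", "user": "nurse2", "image": "C:\\Windows\\System32\\notepad.exe"}
this line is not JSON and is skipped
'''


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper()}] {f.host} {f.user}: {f.reason}")
```

On the constructed sample the rule reports three findings: AnyDesk on a clinical workstation and MEGAsync on a server (both high, neither group may run them), and a Splashtop binary on a helpdesk host that is permitted but was launched from a Downloads folder rather than the managed install path (medium). The managed Splashtop install and Notepad produce nothing. The allowlist is deliberately per host group rather than global, because "helpdesk may use it" is not the same as "every ward PC may use it", and that distinction is what the advisory's application-control recommendation is asking for.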
 

Knoxville's Joker

Has No Life - Lives on TB
"E-prescribe" is still DOWN at my hospital. Very big problem.
It is a problem everywhere. Here is the kicker: the providers are penalized now for writing scrips on paper. Narcotic scrips especially. I am wondering if the FDA is going to have to issue an exception ruling to prevent blowback. This whole extended outage is going to kill the push for future EMR growth and will push more for folks to use paper...
 

ainitfunny

Saved, to glorify God.
I thank God that I was able to get all my meds renewed and picked up the day before this happened.

Whenever you put too much power and control into one organization or entity, you open a very vulnerable situation for a potential MASSIVE destructive impact on millions of people. We have lost COMMON SENSE which our forefathers USED TO KNOW, to the bean counters who have no common sense, who say it is cheaper and more efficient to consolidate ALL of one kind of service or manufacturing into one or two sources. With the vulnerability of computers to destructive hacking from so many enemy and just evil sources, that's going to KILL US. It's unwise to even place differing sources for a thing TOO CLOSE physically, that one bomb would take them both out! Where are our "wise men"? A 79 year old great-grandma shouldn't have to tell you this!

Homeland SECURITY IS an example of a massive power and control CONSOLIDATION that should Never have happened! Mayorkas wouldn't have so much power!
 
Last edited:

Knoxville's Joker

Has No Life - Lives on TB
I thank God that I was able to get all my meds renewed and picked up the day before this happened.

Whenever you put too much power and control into one organization or entity, you open a very vulnerable situation for a potential MASSIVE destructive impact on millions of people. We have lost COMMON SENSE which our forefathers USED TO KNOW, to the bean counters who have no common sense, who say it is cheaper and more efficient to consolidate ALL of one kind of service or manufacturing into one or two sources. With the vulnerability of computers to destructive hacking from so many enemy and just evil sources, that's going to KILL US. It's unwise to even place differing sources for a thing TOO CLOSE physically, that one bomb would take them both out!
There will be a congressional inquiry into this whole incident as they try to understand how to stop this from being an issue again...
 

packyderms_wife

Neither here nor there.
I see this as a very sad statement.
You can't stay in business because you can't submit payment requests for a week?
You probably should have gone to business school instead of medical.

No, this is how the medical/insurance system works now... I have a friend who owns/runs an equine rehab center for people with PTSD, billing is an absolute nightmare.
 

Knoxville's Joker

Has No Life - Lives on TB
No, this is how the medical/insurance system works now... I have a friend who owns/runs an equine rehab center for people with PTSD, billing is an absolute nightmare.
This will also force a revisit by congress on the billing aspect as not being able to bill will cause many congress critter calls for accountability and fines.
 

Knoxville's Joker

Has No Life - Lives on TB
That’s the funniest thing I’ve read all day
The sad part is it will be funny as we watch the congress critters try to understand the issue and how to stop the bad optics from happening again.

CMS will have some serious sanctions for Change Healthcare on allowing this large of a breach to have occurred and they could honestly go out of business depending upon the level of fines levied...
 

Tex88

Veteran Member
The sad part is it will be funny as we watch the congress critters try to understand the issue and how to stop the bad optics from happening again.

CMS will have some serious sanctions for Change Healthcare on allowing this large of a breach to have occurred and they could honestly go out of business depending upon the level of fines levied...
The joke is the actual people actually in charge of this particular cf have, as of my Friday morning meeting, not even a hint of the slightest clue on how to fix this. Stops have been pulled to slow down the spread. They’re even reluctant to admit the extent of it internally, much less to anybody outside. Much of the things I’ve seen from inside match what people not connected to it have deduced and written about, but whatever is coming from the orgs involved is nothing but PR and lies, including internal comms.
 

Knoxville's Joker

Has No Life - Lives on TB
The joke is the actual people actually in charge of this particular cf have, as of my Friday morning meeting, not even a hint of the slightest clue on how to fix this. Stops have been pulled to slow down the spread. They’re even reluctant to admit the extent of it internally, much less to anybody outside. Much of the things I’ve seen from inside match what people not connected to it have deduced and written about, but whatever is coming from the orgs involved is nothing but PR and lies, including internal comms.
I can't speak on the matter as I have been there myself. Just suffice to say that they are still trying to figure out scope and response before proceeding. The concern is whether or not their infrastructure can support a timely and quick recovery or not. And if the hack is still ongoing they may be trying to nab the offenders in the act. Longer term the recovery timeline will be determined by the robustness of their backups and the imaging solutions that they have in place and their documentation or rather how well documented their setup process is from scratch.

Now the real kicker is that there are some hardware-level BIOS attacks that will encrypt the drive even if you wipe the hard drive and will reinfect even after replacing the hard drive. I have not seen those used in the wild yet, but the potential exists for that mechanism to start showing up at some point.
 

prudentwatcher

Veteran Member
I was gone last week on a cruise and didn't hear about this until yesterday. I had a call from Walgreens to come pick up my refills (auto refills). I stopped by today and there was a big sign at the drive thru pick up window that no prescriptions could be dispensed by federal law. The pharmacy hours had it listed as closed on Sunday, which is new. I will try tomorrow. I also had some lab work done for a dr appt back the Thursday before the cruise. It still doesn't show up in my health record and my appointment is tomorrow. I have always had the results ahead of time, so I am wondering if that is an off shoot of this problem.
 

LoupGarou

Ancient Fuzzball
From what I am hearing (and now hearing of dozens of similar hacks in the last three weeks that have happened the same way), the issue boils down to companies using ConnectWise's ScreenConnect and someone finding a novel hack, "Slash and Grab". There were two patches made after the fact, but it seems that the patches don't fully prevent another incident, just keep the original "Slash and Grab" hack from working.

The sick part is that since MANY companies like using remote tools to be able to work on any machine without actually having to go TO that machine, large companies are using remote tools like ScreenConnect more and more. The same "ease of use, must make things more efficient" crap that made the generation that was allowed to use calculators in school and not learn how to do the math "by hand, on paper" has generated a generation of IT companies that sit in a room and work on hundreds or even thousands of PCs a day without having to move out of their cubicle. Now they have gone and made it so that all of these systems have a cloud-server-based back door in them that can be controlled individually or as a large group, remotely (CAN YOU SAY BOTNET? I KNEW YOU COULD...), AND that back door on each system also shows up NICELY in systems like Shodan, so that you can have a virtual catalog of all of the users of these remote management systems.

It's now like shooting fish in a small bucket.

More of this crap to come. Especially as more and more companies outsource their IT and even security departments.

Prepare accordingly.
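The "Slash and Grab" hack named in the post above is the ConnectWise ScreenConnect authentication bypass published in February 2024 and tracked as CVE-2024-1709 (the second of the "two patches" mentioned addresses the companion path traversal, CVE-2024-1708); the thread itself gives only the nickname. The published request shape is a hit on /SetupWizard.aspx with a trailing slash and any extra path segment, which let an unauthenticated client re-run the setup wizard and create an administrator account. The detector below is an added example, not code from the thread, from ConnectWise or from any vendor. It assumes the ScreenConnect server sits behind a reverse proxy writing combined-format access logs (ip, ident, user, [timestamp], "METHOD target PROTO", status, bytes); the log lines, addresses and timestamps in SAMPLE_LOG are constructed for the example.

```python
"""Added example: flag requests matching the ScreenConnect setup-wizard
authentication bypass (CVE-2024-1709) in reverse-proxy access logs.
Assumed input: combined log format written by a proxy in front of
ScreenConnect. SAMPLE_LOG is constructed, not captured traffic."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# One combined-log-format line (assumed proxy layout):
#   ip ident user [ts] "METHOD target PROTO" status bytes
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The published bypass shape: SetupWizard.aspx followed by a slash and anything.
# Case-insensitive because ScreenConnect runs on .NET/IIS, which ignores path case.
BYPASS_RE = re.compile(r"/SetupWizard\.aspx/", re.IGNORECASE)
# A plain hit on the wizard: expected only during first install, suspicious afterwards.
WIZARD_RE = re.compile(r"/SetupWizard\.aspx$", re.IGNORECASE)


def normalize_path(target: str) -> str:
    """Drop the query string and percent-decode twice, so an encoded slash
    (%2F) or a double-encoded one (%252F) cannot hide the trailing segment."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def classify(target: str) -> Optional[str]:
    """Return the finding type for one request target, or None if benign."""
    path = normalize_path(target)
    if BYPASS_RE.search(path):
        return "setup-wizard-bypass"
    if WIZARD_RE.search(path):
        return "setup-wizard-access"
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each access-log line and collect the ones that touch the wizard."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a request line; a production scanner would count these
        kind = classify(m["target"])
        if kind is None:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "target": m["target"], "status": int(m["status"]), "kind": kind,
        })
    return findings


def sources_that_submitted_wizard(findings: List[Dict[str, object]]) -> List[str]:
    """Hosts that POSTed to the bypass path. A GET is a probe; a POST means the
    wizard form was submitted, which is the step that creates the new admin."""
    return sorted({str(f["ip"]) for f in findings
                   if f["kind"] == "setup-wizard-bypass" and f["method"] == "POST"})


# Constructed sample log: a probe and a form submission from one host, an
# encoded-slash variant with a query string from another, and normal traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Feb/2024:03:14:07 +0000] "GET /SetupWizard.aspx/literally-anything HTTP/1.1" 200 4120
198.51.100.7 - - [21/Feb/2024:03:14:09 +0000] "POST /SetupWizard.aspx/literally-anything HTTP/1.1" 302 0
203.0.113.5 - - [21/Feb/2024:03:15:00 +0000] "GET /Login HTTP/1.1" 200 9812
203.0.113.5 - - [21/Feb/2024:03:15:30 +0000] "GET /setupwizard.aspx%2Fx?a=1 HTTP/1.1" 200 4120
192.0.2.9 - - [21/Feb/2024:03:16:00 +0000] "GET /Administration HTTP/1.1" 200 10021
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['kind']}")
    print("hosts that submitted the wizard:", sources_that_submitted_wizard(hits))
```

Two points worth keeping when adapting this to real logs: decode the path before matching, because a proxy logs the raw request and an encoded slash would otherwise slip past a literal "/SetupWizard.aspx/" search; and treat any post-installation hit on the wizard, trailing slash or not, as something to explain, since the page should never be reached again after setup. Patching to a fixed release stops the bypass, but it does not remove an administrator account that was created through it, which is why the POSTing hosts and the time window matter for the follow-up.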
 

Knoxville's Joker

Has No Life - Lives on TB
From what I am hearing (and now hearing of dozens of similar hacks in the last three weeks that have happened the same way), the issue boils down to companies using ConnectWise's ScreenConnect and someone finding a novel hack, "Slash and Grab". There were two patches made after the fact, but it seems that the patches don't fully prevent another incident, just keep the original "Slash and Grab" hack from working.

The sick part is that since MANY companies like using remote tools to be able to work on any machine without actually having to go TO that machine, large companies are using remote tools like ScreenConnect more and more. The same "ease of use, must make things more efficient" crap that made the generation that was allowed to use calculators in school and not learn how to do the math "by hand, on paper" has generated a generation of IT companies that sit in a room and work on hundreds or even thousands of PCs a day without having to move out of their cubicle. Now they have gone and made it so that all of these systems have a cloud-server-based back door in them that can be controlled individually or as a large group, remotely (CAN YOU SAY BOTNET? I KNEW YOU COULD...), AND that back door on each system also shows up NICELY in systems like Shodan, so that you can have a virtual catalog of all of the users of these remote management systems.

It's now like shooting fish in a small bucket.

More of this crap to come. Especially as more and more companies outsource their IT and even security departments.

Prepare accordingly.
This will cause a revisit of outsourcing after the fines start coming in and the lawsuits and such come out about management being warned and ignoring the warning signs.
 

Tex88

Veteran Member
I also had some lab work done for a dr appt back the Thursday before the cruise. It still doesn't show up in my health record and my appointment is tomorrow. I have always had the results ahead of time, so I am wondering if that is an offshoot of this problem.
Not an offshoot, at the ****ing core.

MANY companies like using remote tools to be able to work on any machine without actually having to go TO that machine,

We've got 36 patient service centers and hundreds of in-office phlebotomists placed in doctors' offices around the DFW area alone, and apparently I'm also responsible for Oklahoma these days LOL.

You want I should visit them in person every time they have a problem?
 

Thinwater

Firearms Manufacturer
The "Popular Report" on YouTube has been reporting on this based on followers' reports of not being able to fill prescriptions, even with cash in many cases at first. Now some can, but at the fake full retail price that no one, especially the insurance companies, actually pays.
 

LoupGarou

Ancient Fuzzball
...

We've got 36 patient service centers and hundreds of in-office phlebotomists placed in doctors' offices around the DFW area alone, and apparently I'm also responsible for Oklahoma these days LOL.

You want I should visit them in person every time they have a problem?
No. But as most IT departments do when the system pool gets that big, they have local "IT folks" do the work if "hands on" is actually needed. Usually, by the time the remote management systems built into the OS stop working on an endpoint, the 3rd-party systems have long been offline on that endpoint (running into that issue here at some of my clients that have external "help" helping them with these RMM systems). Yes, there are even remotable fixes if you don't have "boots on the ground" that do not need a cloud-based RMM. All of my customers know the "Check the list (see if the Windows Menu button works, check Ctrl-Shift-Esc...)" routine and even use the "Hold the power button down for 10 seconds, then power back on" tricks. On the servers, this is why they made hardware-based RMM systems like iDRAC on the Dell servers, so that you don't have to go to a cloud-based system that leaves you more vulnerable in the end. And if you are worried about the security there, systems like iDRAC can be put on a totally separate network from the daily-driver network so that nobody has access to them outside of IT staff (different VPNs even).

My point was more about the trust placed in outside (cloud-based) systems that other people create, where the IT department has no idea of all of what is going on inside of those RMM software packages (like ITS247 and others), and no idea if they have gaping security holes in them (or if those holes are or will ever be truly patched). There are built-in (to the OS) ways of remoting into a system securely that don't need a cloud-based (hackable from a distance without anyone knowing) system to get you in the door of that remote PC. IT Admins and above used to either make their own RMM-type systems out of what they had (or write their own), and that way they knew a lot more about what was going on "under the hood". I can name off dozens of RMM and security systems that are cloud-based at one level or another that have been compromised REPEATEDLY, and yet IT governance as a whole keeps saying that these systems are what everyone needs to run on their systems.

An extra program or an extra open port is an open invitation to let someone else from the outside into your systems.

The false sense of security in the cloud is going to get everything "taken away from us". I keep thinking that the "You will own nothing, and be happy" WEF statement they keep pushing is also going to apply in the software realm as much as in the hardware realm. The push for everything cloud is going to burn a lot of people, now and later.
 

Tex88

Veteran Member
Yeah, you're right. At the core of this issue is the profit über alles mentality. Local IT guys who can take care of problems in person and in a timely manner?? Nooooo, let's do it all remotely and overwork the hell out of the few people they drop all that workload on. And if they complain we'll outsource everything to Bangladesh.
 

Tex88

Veteran Member
Morning meeting says a solution is still at least two weeks away, and the company is unable to bill 12 million bucks every 36 hrs, which will seriously start to impact company finances before too long.
 

LoupGarou

Ancient Fuzzball
Yeah, you're right. At the core of this issue is the profit über alles mentality. Local IT guys who can take care of problems in person and in a timely manner?? Nooooo, let's do it all remotely and overwork the hell out of the few people they drop all that workload on. And if they complain we'll outsource everything to Bangladesh.
PREACH IT BROTHER!

And then they wonder what they can do once the submarine cables are cut from Europe to those parts of Asia...

Then they call you back in once the guys in Bangladesh can't put the system back together again (from the ashes that their whole IT dept process change created)...
 

Tex88

Veteran Member

Change Healthcare Hackers Received $22 million in BTC - Wired


Per Wired's Andy Greenberg, it looks like ALPHV/BlackCat received a $22 million BTC payout, which was made public by a fellow hacker complaining ALPHV stole their portion of the cut.
Optum appears to have paid the ransom, one of the highest ransomware payouts in history.

Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment

Bad precedent to set, surely tons of copycat attackers will be inspired to target bottlenecks in our messy healthcare sector knowing a massive payout is in their future.

ALPHV also appears to have shut down their servers, per BleepingComputer. Could be feeling the heat now with all the BTC handed over?

BlackCat ransomware turns off servers amid claim they stole $22 million ransom
 

WriterMom

Veteran Member
We are affected by this as well. My husband is on a number of meds, and our pharmacy last week said they cannot accept electronic prescriptions due to the hacking. So, we have to drive out to his doctor tomorrow to get hand-written scripts instead. Fortunately, his refills on existing scripts and the insurance payment have not been affected (yet).
 

Tex88

Veteran Member
The saga continues, as in, this isht ain't over yet:


The ransomware group responsible for hamstringing the prescription drug market for two weeks has suddenly gone dark, just days after receiving a $22 million payment and standing accused of scamming an affiliate out of its share of the loot.

On Sunday, two days following the payment, a party claiming to be an AlphV affiliate said in an online crime forum that the nearly $22 million payment was tied to the Change Healthcare breach. The party went on to say that AlphV members had cheated the affiliate out of the agreed-upon cut of the payment. In response, the affiliate said it hadn’t deleted the Change Healthcare data it had obtained.
 

Knoxville's Joker

Has No Life - Lives on TB
The saga continues, as in, this isht ain't over yet:


The ransomware group responsible for hamstringing the prescription drug market for two weeks has suddenly gone dark, just days after receiving a $22 million payment and standing accused of scamming an affiliate out of its share of the loot.

On Sunday, two days following the payment, a party claiming to be an AlphV affiliate said in an online crime forum that the nearly $22 million payment was tied to the Change Healthcare breach. The party went on to say that AlphV members had cheated the affiliate out of the agreed-upon cut of the payment. In response, the affiliate said it hadn’t deleted the Change Healthcare data it had obtained.
Someone did not listen to FBI and cern guidelines. You do not pay the people. Change is fixing to have a trillion-dollar fine from CMS over the breach.
 

Repairman-Jack

Veteran Member
Someone did not listen to FBI and cern guidelines. You do not pay the people. Change is fixing to have a trillion-dollar fine from CMS over the breach.
They say don't pay, but large portions of victims do pay and the ransomers give the keys... that is the only way this model works; as soon as keys are no longer provided to the victims, nobody will pay.
 