Cassidy, Warren, Blumenthal Request Answers from Homeland Security on Ransomware Attacks Against U.S. Health Care System

WASHINGTON -U.S. Senators Bill Cassidy, M.D. (R-LA), ranking member of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) requested answers from the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) on its efforts to protect the American health care system from ongoing ransomware attacks. The request to CISA Director Jen Easterly comes ahead of the UnitedHealth Group (UHG) CEO Andrew Witty's testimony in front of the Senate Finance Committee. In February, UHG subsidiary Change Healthcare (Change) suffered a significant cyberattack, impacting patients, providers, and payers.

"On February 21, 2024, Russian-linked cybercriminal group ALPHV Blackcat conducted a ransomware attack on Change, the largest processor of medical claims in the United States. This attack, in which the cybercriminal group shut down Change platforms until it received a $22 million Bitcoin ransom payment, caused widespread and ongoing disruptions to the nation's healthcare system," wrote the senators.

"Following the February ransomware attack, Change disconnected more than 100 of its technology platforms which impacted thousands of patients and providers. For example, UHG estimated that more than 90 percent of 70,000 pharmacies in the U.S. had to change how they process electronic claims, creating a severe cash squeeze. Across the country, pharmacies have been barred from filling prescriptions, doctors are forced to wait on prior authorization, medical centers cannot pay their employees, and tens of millions of dollars in insurance payments to providers are delayed," continued the senators.

"Unfortunately, this attack is emblematic of a growing trend in which cybercriminal groups gain access to, and install ransomware on, a computer system, encrypt the system's data, and require a ransom payment in order to decrypt the files… The latest attacks on Change Healthcare underscore the urgent need for more oversight and investigation into the frequency, scope, and root causes of these attacks, specifically with regards to cryptocurrency's role. The people hurt by these ransomware attacks have a right to know what the federal government is doing to protect them," concluded the senators.

Read the full letter here or below:

Dear Director Easterly:

We are writing regarding the ongoing ransomware attacks against UnitedHealth Group (UHG) subsidiary Change Healthcare (Change) that are driving physicians to bankruptcy, interrupting essential care services like pain management for cancer patients, and leaking sensitive patient data- causing massive disruptions to the nation's health care system. Nearly two months after the initial attack, a second ransomware gang has taken control of the stolen data and begun leaking patient records on the dark web, threatening to sell the entire trove to the highest bidder unless UHG pays another multi-million-dollar ransom. Given the urgency of this threat, Congress must have a full accounting of the cybersecurity landscape including the events leading up to, and after, the Change cyberattack.

On February 21, 2024, Russian-linked cybercriminal group ALPHV Blackcat conducted a ransomware attack on Change, the largest processor of medical claims in the United States. This attack, in which the cybercriminal group shut down Change platforms until it received a $22 million Bitcoin ransom payment, caused widespread and ongoing disruptions to the nation's healthcare system. Seven weeks later, on April 8, 2024, a second ransomware group, RansomHub, took control of the stolen data and is demanding additional payment. And RansomHub has begun leaking sensitive patient data to up the ante. These attacks highlight a dire need for stronger tools to crack down on ransomware attacks.

Following the February ransomware attack, Change disconnected more than 100 of its technology platforms which impacted thousands of patients and providers. For example, UHG estimated that more than 90 percent of 70,000 pharmacies in the U.S. had to change how they process electronic claims, creating a severe cash squeeze. Across the country, pharmacies have been barred from filling prescriptions, doctors are forced to wait on prior authorization, medical centers cannot pay their employees, and tens of millions of dollars in insurance payments to providers are delayed. Indeed, according to a group representing 5,000 U.S. hospitals, health systems, and other health care organizations, the February attack was "the most significant cyberattack on the U.S. healthcare system in American history."

The ramifications of the Change attack will have prolonged effects on our health care system. This month, the American Medical Association (AMA) released survey findings that "practices will close because of this incident, and patients will lose access to their physicians. The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open." Providers are growing increasingly desperate, facing a massive cash crunch that, in some cases, threatens their ability to remain in business.

Now, in a shocking turn of events, a second cybercriminal group, RansomHub, posted to the dark web that it "has 4 terabytes of Change Healthcare's stolen data, which it threatened to sell to the 'highest bidder' if Change Healthcare didn't pay an unspecified ransom." RansomHub recently published a small subset of data on the dark web and is threatening to post more, marking the first time in these string of attacks that cybercriminals have actually leaked stolen information as evidence that they have medical records in their possession. The leaked information represents a portion of millions of patients' sensitive and personal data, including insurance records, billing files, and medical information.

Unfortunately, this attack is emblematic of a growing trend in which cybercriminal groups gain access to, and install ransomware on, a computer system, encrypt the system's data, and require a ransom payment in order to decrypt the files. If the victim does not pay the ransom, attackers either increase the ransom amount, or destroy the decryption key-making it possible for the victim to regain access to the system.

In 2022, ransomware attacks impacted at least 2,421 local governments, schools, and healthcare providers in the U.S. According to the World Economic Forum, ransomware attacks increased by 435 percent in 2020 and "are outpacing societies' ability to effectively prevent or respond to them." Despite government intervention in 2021, attacks on schools nearly doubled from 1,043 in 2021 to 1,981 in 2022, and attacks on local governments increased over 30 percent, including one incident in Miller County, Arizona, where a compromised mainframe spread malware to endpoints in 55 different counties. According to the Department of Health and Human Services, there were over 460 ransomware attacks affecting the U.S. health care and public health sector. These numbers do not account for underreporting: the FBI notes that reporting of malware attacks is "artificially low." Most of these attackers are located abroad. In 2021, nearly 75 percent of all ransomware revenue went to Russia-linked entities.

According to a 2022 report by the Senate Committee on Homeland Security and Government Affairs (HSGAC), ransomware payments are almost exclusively made using cryptocurrency, typically Bitcoin, due to the payment method's decentralized, anonymized, and irreversible nature. In the case of Change, blockchain analysts observed that on March 1, ten days after this years' ransomware attack, "a Bitcoin address connected to ALPHV Blackcat received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time." These funds are at high risk of being laundered through the crypto ecosystem - including via centralized crypto exchanges and crypto mixers, the "preferred methods for laundering ransomware payments" - complicating law enforcement's ability to recover the ransom.

As the nation's cyber defense agency and coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency (CISA) leads the nation in understanding and responding to cyberattacks against critical American infrastructure, and its StopRansomware.gov website is one of the few places that ransomware attacks are reported. The latest attacks on Change Healthcare underscore the urgent need for more oversight and investigation into the frequency, scope, and root causes of these attacks, specifically with regards to cryptocurrency's role.

The people hurt by these ransomware attacks have a right to know what the federal government is doing to protect them. We urge you to provide responses to our questions below that are publicly releasable to the maximum extent possible. Classification should not be a basis for failing to provide responsive information, as our office is able to receive and handle classified information accordingly and upon request. With this in mind, we ask that you answer the following questions, on a question-by- question basis, by May 13, 2024:

1. How many reports of ransomware attacks has CISA received for each year between 2018 and the present?

1. What is the total value of the reported ransomware payments during this time period?
2. What percentage of payments were made using cryptocurrency?

2. What percentage of ransomware attacks does CISA believe are unreported?

3. In your assessment, how big is the threat of ransomware attacks in the United States?

1. To what extent are these threats exacerbated by the use of cryptocurrency?

4. What steps has CISA taken to estimate the scope of ransomware attacks and address the dangers from them?

1. Has CISA estimated the total cost of ransomware attacks on the U.S. economy, including costs arising from computer system repairs and productivity losses? If so, please detail these figures.

5. Can CISA provide information on the number of thwarted healthcare-related ransomware attacks?

1. How were these attacks intercepted?

6. How can CISA better prepare the healthcare industry for increasing ransomware attacks and ensure the sector can maintain access to patient care and access to life-saving services in the event of a ransomware attack?

7. Has CISA estimated the potential costs of ransomware attacks on the healthcare industry?

8. How is CISA cooperating with the Department of Justice (DOJ), Federal Bureau of Investigations (FBI), and other federal agencies to track and combat ransomware attacks?

9. In March 2023, CISA announced the establishment of the Ransomware Vulnerability Warning Pilot (RVWP) to "determine vulnerabilities commonly associated with known ransomware exploitation and warn critical infrastructure entities with those vulnerabilities, enabling mitigation before a ransomware incident occurs."

1. What is the status of the RVWP?
2. Please describe the results of the pilot and if there are any plans to extend or renew it.

10. Given that virtually all ransomware attacks rely on payments made through cryptocurrency, what additional actions can legislators, regulators, and law enforcement officials take to address cryptocurrency's unique threats?

1. How does CISA usually approach these problems?
2. How frequently does CISA recover any ransom?
3. Do victims ever get money back?
4. Do individuals get credit monitoring?
5. What is required of hospitals or other public entities after they are attacked? Do they get fined for data that is leaked?
6. Do physicians and small clinics get any relief for lost monies?
7. Is there something like a customer care center for victims of ransomware attacks?

11. Can you share your rapid response plans? Do you have any contingency scenario planning and how often do you update it?

12. What efforts has CISA made to ensure individuals are incorporating resiliency procedures and processes specifically for industries in critical infrastructure to ensure operation post attack?

CISA'S Efforts Specific to the Change Healthcare Attack

13. When was CISA alerted to the Change attack? By whom?

14. What role is CISA playing in responding to the Change attack?

1. How is it collaborating with its interagency partners including the FBI and DOJ?
2. How is it collaborating with UHG?

15. What information did CISA share with UHG regarding ALPHV Blackcat and its ransom methods? When?

16. What information does CISA typically share with health care entities, including UHG, regarding cyber threats? To whom does CISA typically share this information with in these organizations?

###