by John Leyden

Change Healthcare went without cyber insurance before debilitating ransomware attack

News
May 07, 2024 · 5 mins
Data Breach, Ransomware

In doing so, Change exposed itself not just to greater financial risk, but reputational damage too.

Congressional hearings have revealed that UnitedHealth was without cyber-insurance coverage before a hugely debilitating ransomware attack on its Change Healthcare subsidiary.

During questions before the US House Energy and Commerce Committee last week, UnitedHealth Group CEO Andrew Witty described the healthcare giant as “self-insured” in confirming that insurance did not cover the $22m ransomware payment it made to cybercriminals.

Asked whether any part of UnitedHealth was covered by cyber-insurance, a UnitedHealth representative referred CSOonline back to Witty’s answer on self-insurance, adding (in reference to Witty’s latest testimony) that UnitedHealth spends approximately $300 million per year on cybersecurity.

Anatomy of an attack

The ransomware gang known as ALPHV or BlackCat hit Change Healthcare with a ransomware attack on February 21. Technicians took Change Healthcare systems offline to contain the attack, rendering the US’s largest healthcare payment system unavailable in the process.

Clinics, hospitals, and pharmacies were unable to properly bill, manage, and issue prescriptions and medical procedures as a result of the attack. The resulting disruption has created a backlog of healthcare claims and payments that has posed a huge financial strain on medical practices and patients.

UnitedHealth Group has advanced more than $6.5 billion in accelerated payments and no-interest, no-fee loans to thousands of providers.

In response to the attack, Change Healthcare technology infrastructure has been rebuilt from the ground up. Change Healthcare’s data center network and core services have been rebuilt with added server capacity and greater reliance on the cloud.

Questions about insurance reimbursements and the extent of the breach, which also exposed the personal information and medical data of an estimated one-in-three US citizens, were the focus of two hearings featuring Witty last Wednesday, before the House Finance and House Energy and Commerce Committees.

Vulnerable portal lacked MFA

During the hearings, Witty explained how cybercriminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops, on Feb. 12, nine days before the ransomware attack.

“The portal did not have multi-factor authentication,” Witty admitted.

Having gained access to Change Healthcare’s systems, the cybercriminals moved laterally within them to expand the scope of the breach before exfiltrating data.

UnitedHealth Group completed its acquisition of Change Healthcare in October 2022. The health conglomerate inherited an ageing technology infrastructure with points of weakness that, with the benefit of hindsight, are now all too obvious.


Having multi-factor authentication on externally facing services was UnitedHealth’s policy even prior to the attack — it’s just that this policy had at least one gaping hole.

Without cyber insurance, UnitedHealth is left bearing the full cost of the attack; with insurance, it might have avoided not only the cost but also, perhaps, the attack itself.

Cyber insurance is far from a panacea, but the process of contracting a breach protection policy can help companies achieve greater cyber-security maturity, according to industry experts.

Demonstrating good cyber-hygiene

The cost and coverage of such insurance policies take into account the security infrastructure and processes that companies have in place. Insurance firms will normally verify that a potential client follows industry best practice in its environment.

“MFA is an established best practice that companies can and should follow for their applications, so it would be something that insurance providers check for,” said Matt Middleton-Leal, managing director EMEA at Qualys.

Middleton-Leal added: “It might not be possible for every application or system, so for applications that don’t support MFA, the security team should be using other mitigation methods for account security. However, it would be something that would [normally] be expected in place.”

According to Netwrix’s 2024 annual security report, 75% of insured organizations needed to have MFA in place in 2024, up from 63% in 2023. Along with MFA, patch management and regular cybersecurity training for business users are the top three measures requested by insurers.

Other common requirements include having disaster recovery and business continuity plans in place, according to Kelly Indah, a security analyst at Increditools. “Insurers want to see documented protocols for how an organization will respond, minimize downtime, and get back up and running if hacked.”

Additionally, security awareness training is hugely important. “People remain the biggest vulnerability, so insurers look for evidence that employees are regularly educated on cyber threats like phishing and social engineering,” Indah added.

When deciding on cyber insurance, an organization’s risk tolerance is key. In UnitedHealth’s case, not having insurance for its Change Healthcare division left it exposed financially and reputationally, said Michael Adjei, director of systems engineering, EMEA, at security vendor Illumio.

“It’s important that organizations don’t view cyber insurance as a way of transferring risk but see it as an extra layer should the unexpected happen,” said Adjei. “In reality, businesses will need to put in place and demonstrate that they meet cyber-insurance requirements at least six months in advance of asking for cover, much like we provide financial information ahead of obtaining a mortgage.”


John Leyden has written about computer networking and cyber-security for more than 20 years. Prior to the advent of the web, he worked as a crime reporter at a local newspaper in Manchester, UK. John holds an honors degree in electronic engineering from City, University of London.
