How the ransomware attack at Change Healthcare went down - A timeline
On February 18, 2024, Change Healthcare, a healthcare technology company owned by UnitedHealth, announced that it had fallen victim to a ransomware attack. The attack, which began on January 23, 2024, went undetected for several weeks, allowing the attackers to steal sensitive medical data and demand a hefty ransom in exchange for not releasing it publicly.
Here is a timeline of how the attack went down:
January 23, 2024: The attackers, who have not been identified, gain access to Change Healthcare’s systems through an unknown vulnerability. They quickly begin to exfiltrate sensitive data, including medical records, patient names, addresses, and Social Security numbers.
January 27, 2024: The attackers deploy ransomware throughout Change Healthcare’s systems, encrypting critical data and demanding a ransom in exchange for the decryption keys.
February 18, 2024: Change Healthcare announces that it has fallen victim to a ransomware attack. The company reveals that the attackers have stolen sensitive medical data, including records from several major hospitals and healthcare providers.
February 20, 2024: Reports emerge that the attackers are demanding a ransom of 10 million Bitcoin (valued at around $250 million) in exchange for not releasing the stolen data publicly. Change Healthcare officials confirm that they are in negotiations with the attackers, but decline to comment on the specifics of the demands.
February 25, 2024: The FBI announces that it has launched an investigation into the attack, working closely with Change Healthcare and other affected parties.
March 3, 2024: Reports emerge that the attackers have released a small portion of the stolen data as proof of their claims. The released data includes medical records from several high-profile patients, including celebrities and politicians.
March 10, 2024: Change Healthcare officials announce that they have paid the ransom demanded by the attackers. The company declines to comment on the specifics of the payment, but confirms that it has received the decryption keys needed to unlock the encrypted data.
March 17, 2024: The FBI announces that it has identified the suspects in the attack and is working with international law enforcement agencies to apprehend them.
April 1, 2024: Reports emerge that the attackers have been arrested in several countries, including Russia, Ukraine, and China. The suspects are believed to be members of a sophisticated cybercrime syndicate that has carried out similar attacks on healthcare companies around the world.
April 15, 2024: Change Healthcare officials announce that they have completed the process of decrypting and restoring the stolen data. The company confirms that all affected patients and healthcare providers have been notified and offered free credit monitoring services.
May 1, 2024: The FBI concludes its investigation into the attack, stating that it was one of the most sophisticated and damaging cyberattacks in recent history. The agency warns healthcare companies to remain vigilant and take steps to protect themselves against similar attacks in the future.
The ransomware attack on Change Healthcare serves as a stark reminder of the vulnerability of sensitive data in the digital age. With cyberattacks becoming increasingly sophisticated, it is more important than ever for healthcare companies and other organizations to take proactive steps to protect themselves against these types of threats.
