Third-Party Risk Management Report (April 2024)

💻 Change Healthcare suffered a cyberattack that completely paralyzed its system. 

Change Healthcare is a healthcare technology provider that offers revenue cycle management, payment management, and health information exchange (HIE) solutions, among other services, to hospitals and pharmacies around the United States. The company, owned by UnitedHealth Group, serves a crucial role as a third party within the healthcare system in the United States.

On February 21, Change Healthcare reported a disruption in its services due to a cybersecurity attack. When the attack was identified, Change Healthcare disconnected all its systems. This had a direct impact on billing and care authorization portals, revenue for providers, e-prescriptions, and patient care, and it may also have affected employees' paychecks. The inability to provide these services means patients are not receiving the care they need and institutions are facing financial trouble.

On February 26, the ransomware group known as BlackCat claimed responsibility for the attack. The group is also known as ALPHV and Noberus. The amount of data stolen by BlackCat is not verified; the group claims to have stolen 6 terabytes of data. Allegedly, the data includes medical records, patient Social Security numbers and information on military personnel.

Change Healthcare has claimed to be taking measures and working with Palo Alto Networks and Mandiant, as well as with law enforcement offices, to address the cyberattack and restore the system to its proper functions.

Wired claimed UnitedHealth Group had paid over 20 million dollars to BlackCat as ransom. The claim is supported by a Bitcoin payment received by BlackCat that could be related to the attack. However, UnitedHealth did not comment on whether it had paid the ransom, and it could not be confirmed that the payment traces back to the company.

The American Health Association President and CEO Rick Pollack said in a statement on March 8, “Even after Change Healthcare’s technology is restored, it will be weeks — if not months — before our hospitals and other health care providers will be made whole. The AHA will continue to work with the Department of Health and Human Services, Congress, UnitedHealth Group and other payers to ensure that all options for assistance are explored so that the healthcare field can continue to care for patients and communities.”

This cyberattack has had one of the biggest impacts to date in U.S. history. Rick Pollack, in another statement, also said: “We cannot say this more clearly – the Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history. For nearly two weeks, this attack has made it harder for hospitals to provide patient care, fill prescriptions, submit insurance claims, and receive payment for the essential health care services they provide.”

📂 Bank of America and Fidelity Investments Life Insurance Company (FILI) victims of data breach due to cyberattack on third-party.

Both Bank of America and FILI use the platform-based insurance process management solutions and services of Infosys McCamish Systems (IMS). Both have fallen victim to data breaches due to cyberattacks that targeted Infosys’ systems.

In late November, IMS informed Bank of America and FILI that its system had suffered an attack in late October and early November. Due to the attack, IMS suffered a data breach. The stolen data was personal information that belonged to clients of Bank of America and FILI. There is no confirmation of what specific information was stolen. Most likely, the data includes names, addresses, Social Security numbers, dates of birth and bank accounts. However, it will probably never be precisely determined what and whose information was stolen. Both Bank of America and FILI informed their clients of the data breach and the suspected stolen information.

On November 4, the group LockBit allegedly claimed responsibility for the attack. 

This is not the first third-party incident Bank of America has suffered regarding clients’ information. Last year, NCB Management Services fell victim to a cyberattack that led to a data breach that affected clients from Bank of America. The stolen data allegedly included identity and credit card information. 

It is not uncommon for financial institutions to fall victim to data breaches. That is why, since May 2022, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have required banking organizations and their service providers to report cybersecurity incidents within 36 hours of determining that the incident has occurred.

💳 American Express card information compromised in third-party data breach.

American Express reported that there was a data breach at a merchant processor which affected credit card information from American Express’ clients. For that reason, they submitted the letter sent to potentially affected clients to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). 

The letter clarifies that American Express’ owned or controlled systems were not compromised by this incident. It was a third-party breach. The data stolen includes credit card numbers, names, previous cards owned, expiration dates and other unspecified card details. There is no information on how the incident occurred. 

This is not the first third-party data breach American Express has suffered. According to a report by the Massachusetts OCABR on 2024 data breaches so far, American Express data has fallen victim to many third-party data breaches.

Copyright © 2024 Chaindots   |   All Rights Reserved   |   Terms and Conditions Website   |   Terms and Conditions Platform  |  Cookie Policy Website |  Privacy Policy