Cybersecurity Incident Example and How To Learn From It

After some research, I found one concrete example of very “bad behavior” in the online space, although this example should probably be classified as much more than “bad behavior”. This example is the ransomware attack on the USA’s largest healthcare payment system, Change Healthcare. The incident began on February 21, 2024.

Who was involved?

The victim was Change Healthcare, a company that provides a widely used program that healthcare providers use to manage customer payments and insurance claims. Users across the country, especially small-sized and medium-sized businesses, were also affected. The attackers were the cybercriminal gang “ALPHV/BlackCat”, a known Russian-speaking ransomware-as-a-service gang.

What was the outcome?

After confirming on February 29th that Change Healthcare had been hit by a ransomware gang, UnitedHealth paid a ransom of $22 million to the hackers around March 3rd-5th. The ALPHV cybercriminal gang then vanished. Still, for several months, there was widespread disruption across the USA healthcare system. Then in April, a new ransom gang formed by an ALPHV affiliate threatened to publish the stolen data unless another ransom was paid by UnitedHealth. It was later revealed on May 1st that Change Healthcare’s systems were broken into through a single password on a user’s account that was not protected with multi-factor authentication. Finally, nearly six months after the first incident, Change Healthcare began notifying known affected individuals by letter.

Was there financial loss or damage to someone’s reputation?

There was at least one known ransom paid by UnitedHealth, which was $22 million. A second ransom was paid, but UnitedHealth would not disclose how much it was or how many ransoms it ultimately paid. Many people (though the number of people affected is still unknown) had highly sensitive information stolen, including medical records and health information, diagnoses, medications, test results, imaging, care and treatment plans, and other personal information including social security numbers.

Were the criminals held accountable?

The cybercriminals have not been caught yet. The US government has offered a bounty of $10 million for anyone who can identify or locate the individuals behind the gang.

What practical lessons can we learn as a result of this?

The biggest lesson we can learn is to strengthen account security. The cybercriminals were able to break in because one account used only a single password and not multi-factor authentication. Because of one account’s lack of security, information for possibly tens of millions of people was stolen. After learning about this nationwide cybersecurity incident, I won’t resent having to read an authentication code from my phone or email to get into my COTC account!

Sources:

https://www.nbcnews.com/tech/security/ransomware-attack-us-health-care-payment-processor-serious-incident-ki-rcna141322

https://techcrunch.com/2024/08/17/how-the-ransomware-attack-at-change-healthcare-went-down-a-timeline/?guccounter=1
