© 2024 Connecticut Public


Change Healthcare's cyberattack casts a light into how cybercriminal groups work


The health care industry is still struggling to overcome a February cyberattack that hit the IT company, Change Healthcare. The group behind the attack is part of a professionalized ecosystem that profits off companies' digital security failings. NPR's Jenna McLaughlin reports.

JENNA MCLAUGHLIN, BYLINE: On Wednesday, February 21, a relatively unknown IT company called Change Healthcare announced it was the victim of a cyberattack. The group of hackers behind it, who go by the name BlackCat, demanded a ransom of $22 million to return the company's data. The hack was devastating. While Change Healthcare isn't a household name, it plays a central role in verifying and processing payments between insurance companies and providers.

Right now, according to a source with knowledge of the situation, the company is still struggling to bring basic functionalities back online. Publicly, Change Healthcare has said it hopes to start restoring those services next week. The response is ongoing, but the breach provides a window into how these criminal ransomware gangs operate. Ram Elboim, the CEO of cybersecurity company Sygnia, has tracked BlackCat for years. Here's how he describes them.

RAM ELBOIM: What makes them, I would say, unique is the viciousness, if we can call it, of the attacks.

MCLAUGHLIN: Elboim says BlackCat sells its malicious code to affiliates, taking a cut of the profits. They even provide human resources, a platform to negotiate payments with victims and a public leak site. The criminal ecosystem of ransomware continues to thrive. That's partially because these groups often live outside the reach of U.S. law enforcement. A senior administration official tells NPR that many of these hackers operate with impunity somewhere inside Russia. BlackCat emerged out of the ashes of another group that might be familiar, called DarkSide. In May 2021, that group attacked Colonial Pipeline, leaving half the eastern seaboard without fuel for days. At that time, ransomware groups were at least publicly hesitant to target critical infrastructure. But all that seems to have changed in recent years. Here's how Steve Cagle, the CEO of the health care cyber security company Clearwater, described this shift in a briefing for the health care industry in early March.


STEVE CAGLE: The other thing I'll mention about BlackCat is this is an organization that the FBI was able to, in some respects, enforce seizure of their sites. They reemerged. And we reported a couple of months ago they removed all restrictions against hospitals and, practically speaking, encourage their affiliates to go after hospitals and raise their commission rate to 90%.

MCLAUGHLIN: The FBI's annual Internet Crime Report confirms that health care and public health were the top sectors impacted by ransomware in 2023. As for BlackCat, they actually received that $22 million ransom, presumably from Change Healthcare or its parent company. The group then disappeared, though experts say its members are likely to rebrand and wreak havoc again.

Jenna McLaughlin, NPR News. Transcript provided by NPR, Copyright NPR.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.

Jenna McLaughlin
Jenna McLaughlin is NPR's cybersecurity correspondent, focusing on the intersection of national security and technology.
