Ransomware payment debate resurfaces amid Change Healthcare incident

A hotly debated flashpoint in the cybersecurity community is getting renewed attention as healthcare stakeholders work to rebound from a major ransomware attack that’s roiled the U.S. health insurance market over the past month.

The Feb. 21 Change Healthcare ransomware attack carried out by the ALPHV/Blackcat hacking gang has delayed prescription fillings and led to cash crunches at clinics and other facilities. The American Healthcare Association said that 94% of hospitals are signaling financial impact due to the incident, with some providers losing upwards of $1 billion per day in revenues.

Change Healthcare reportedly made a $22 million ransom payment to the hackers. Soon after, the cybercrime collective appeared to stage a fake takedown of their own site. But analysts expect the group to reemerge under a new name.

The U.S. over the past year has been working with international partners to take a firm stance against ransom payments, though surveyed experts have not agreed on a single policy.

Some cyber industry leaders say that paying ransoms should be banned because it emboldens cybercriminals and helps fund more illicit activities, and that, in some cases, paying a ransom does not necessarily guarantee that compromised data will be returned.

Others argue that total bans put too much pressure on victims, and that sometimes payments need to be made in order to recover vital systems, like those seen in hospitals and critical infrastructure.

In a briefing with reporters Monday, the Department of Health and Human Services said it has not yet taken an official position on whether ransom payments should be banned, and later told Nextgov/FCW it would defer to the National Security Council and FBI on the matter.

The White House is maintaining its previously established position that ransoms should not be paid because payment incentivizes cybercriminals to conduct more ransomware attacks.

The Biden administration “strongly discourages paying of ransoms, to stop the flow of funds to these criminals and disincentivize their attacks,” Anne Neuberger, deputy national security advisor for cyber and emerging technology at NSC said in a statement to Nextgov/FCW.    

The FBI declined to comment for this story. In a previously released internet crime complaint report, the Bureau took a similar stance to the White House, arguing that ransom payments “may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”

Ransomware operatives targeted companies around the world last year, with the number of firms targeted reaching an all-time high compared to findings in previous years, according to a January analysis from Check Point, a cybersecurity firm.

HHS’s civil rights office last week said it is probing Change Healthcare parent company UnitedHealth over how it complied with Health Insurance Portability and Accountability Act, or HIPAA, which is meant to enforce safeguards for patients’ healthcare data. A senior HHS official declined to comment on progress because the investigation is ongoing.

The agency previously announced steps to enhance cybersecurity standards in existing programs. That includes potentially leveraging the major payer programs at HHS – Medicare and Medicaid – as well as authorities under the Health Insurance Portability and Accountability Act to enforce compliance. 

White House officials last week met with healthcare policy participants and agency heads to discuss the incident, which included UnitedHealth CEO Andrew Witty. A senior HHS official also said Monday that the agency is in touch with the company nearly every day and multiple times a day.

Officials have been working to roll out emergency financing plans that would accelerate payments to certain providers and suppliers experiencing shortfalls in funding. Nearly all claims are flowing again, which HHS called “massive progress” compared to three weeks ago.