Status Update: Change Healthcare Cyber Attack

The situation following the Change Healthcare Cyber Attack continues to cost the United States healthcare system millions of dollars, as well as affecting the lives of patients nationwide. Millions still have difficulty receiving their prescriptions and connecting with insurance for medical services. After weeks of chaos, the United States government has urged healthcare payers to promptly resolve the digital challenges that providers and pharmacies are encountering. Here is all you need to know about the cyber attack to prepare for UnitedHealth’s full return.

Who is Change Healthcare and What Happened?

Change Healthcare, owned by UnitedHealth Group (UHG), is the United States’ largest processor of medical claims and manager of the payment cycle. In short, it connects payers, providers, and patients with the U.S. healthcare system, handling one in every three patient records. The company processes 15 billion dollars in healthcare transactions annually, making it a clear target for outside threats.

On February 21, Change Healthcare discovered that an unauthorized party had gained access to several of its IT systems. According to its public filing with the Securities and Exchange Commission, the company immediately took action, isolating the impacted systems.

That said, major damage was already done. Hackers had accessed patient data, including Social Security numbers, and encrypted company files. The group demanded a hefty ransom to decrypt these sensitive files and threatened to release the data if payment was not received. Since then, Change Healthcare has been offline, causing payment disruptions for tens of thousands of hospitals, physician groups, and other organizations.

The Fallout

Initial reports focused on pharmacies’ inability to fill medications, but three weeks later, the public saw the severity of the issue. The attack has impacted payments to hospitals, physicians, pharmacists, and other healthcare providers across the country. These providers have been left concerned about their ability to care for patients because of the cash flow and coverage uncertainty. However, this has not stopped them. Hospital systems have found workarounds, seeming to take a step back to the stone age of paper documentation. While this has allowed essential patient care to continue, a significant amount of money will likely go unpaid because of misplaced forms and missing formal authorizations.

“Assuming that between 5% and 10% of U.S. health care claims are affected by the attack, providers are losing between $500 million and $1 billion in daily revenue,” Compass Point analyst Max Reale estimated. “Cash-constrained operators will begin to feel the full brunt of the slowdown in payments for services between late March and early April, assuming it takes about 30 to 45 days to process a claim and receive payment.”

Update: The Response

After the attack, on March 1, Optum, the compromised program of Change Healthcare, stepped in to help. It established temporary funding assistance for short-term cash flow needs.

The notice read, “We understand the urgency of resuming payment operations and continuing the flow of payments through the healthcare ecosystem. While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

Three weeks post-attack, the U.S. Department of Health and Human Services stepped in. It stated, “In a situation such as this, the government and private sector must work together to help providers make payroll and deliver timely care to the American people.”

Further government action ensued: the White House is moving to remove obstacles for healthcare providers and address cybersecurity issues. It plans to distribute emergency funds to providers and suppliers facing cash flow issues. In its statement, it called on UnitedHealth and private sector leaders to do the same.

In addition, the Centers for Medicare & Medicaid Services (CMS) has taken steps to reduce disruptions by expediting payments for Medicare providers and suppliers. Specifically, CMS has streamlined the process for providers to switch clearinghouses so that payments and insurance plans continue, while preparing the necessary parties for paper claims and submissions.

These efforts are aimed at supporting all providers, but specifically smaller systems that face existential concerns such as making payroll and supporting their most vulnerable patients.

As for the six terabytes of stolen data, the hackers held it hostage for a staggering price of 22 million dollars. Due to the sensitive nature of the data, the White House urged UnitedHealth Group to quickly give in to the hackers’ demands. While only time will reveal the true cost of this breach, it is clear it will alter the way U.S. medical associations manage their cyber resilience.

Update: The Hackers

Many have reported their suspicions about the hackers’ identity. UnitedHealth suspects the attack was nation-state-associated. The media supports this claim, pointing a finger at ALPHV, also known as BlackCat. This well-known ransomware group has operated under many names over the years and has claimed responsibility for other major attacks worldwide, including on universities, government agencies, and companies in the energy, technology, manufacturing, and transportation sectors. A recent notable attack was the Colonial Pipeline shutdown in 2022. Their practice of attacking and then rebranding has made them a target of law enforcement agencies worldwide.

Since the payment was posted, BlackCat has shut down all of its servers and ransomware sites. In fact, on March 4, when the payment was processed, the group uploaded a fake law enforcement seizure banner.

Security researcher Fabian Wosar commented, “BlackCat did not get seized. They are ‘exit scamming’ their affiliates.” And exit scamming they were.

Actors presumed to be BlackCat claimed their affiliates screwed them over and, in response, said they intend to sell the ransomware’s source code for 5 million dollars.

Update: On the Lookout

There is no real way to know whether any of the stolen data was leaked or whether the ransomware’s source code will be used again. This makes it vital for all organizations to increase their cyber resilience and stay on the lookout for ALPHV/BlackCat’s rebranded comeback.

Since the hack, the company has been working diligently to return online safely. On March 7, the company restored 99% of Change Healthcare pharmacy network services, and on March 15, Change Healthcare’s electronic payments platform began proceeding with payer implementations. The company has scheduled further network testing and software checks starting on March 18.

Protecting Your Organization

This hack reminds all of us how fragile our systems can be, and how important it is to remain proactive with security. Digital IT News received commentary from Netwrix’s VP of Security Research, Dirk Schrader, regarding the best way to protect your organization from threat actors such as BlackCat.

“High dependency of our day-to-day living on properly functioning supply chains is our reality. High-profile attacks affect hundreds of thousands of individuals. Colonial Pipeline or MOVEit stories, attacks on IT service providers like Kaseya and Materna, to name a few, might vary in scale and vertical, but all of them prove the need for a coordinated approach to increase the cyber resiliency of vital services like healthcare, energy, water, transportation, etc. The domino effect of an infiltration of the supply chain can be devastating. Cyber resilience is defined as the ability to deliver the intended outcome despite adverse cyber events, and critical infrastructure is not limited to internal security incidents.”

He later outlined precautions: “Organizations that are part of a critical infrastructure should pay special attention to ensuring they might effectively operate under the ongoing attack and regularly assess the risks associated with their supply chain.” He recommended that all third-party dependencies implement, or re-examine, a response plan covering scenarios such as these.

This hack has reminded the world how imperative strong cyber security truly is. Looking forward, we suspect this breach will permanently alter how healthcare needs are processed and secured.

About Author

Bio: Riley Wilson, a journalist from the bustling streets of Pittsburg, possesses a unique perspective shaped by her upbringing in the southern United States. Her unique eye reflects an urban, capitalistic driving edge softened by her southern charm. While her last career focused on community and small business, she is now taking the IT world by storm. Outside of the office, Riley gives back by volunteering her time at community-building organizations and goes for regular hikes with her dog Wilson.