Change Healthcare cyberattack fallout continues
Change Healthcare, part of Optum, suffered a cyberattack in late February.
UPDATE 5/2/2024 - This article has been updated to reflect new information about the Change Healthcare cyberattack.
5/2/2024 - UHG CEO Andrew Witty estimated that the data breach resulting from the Change Healthcare cyberattack will impact approximately one-third of Americans, though the investigaiton remains underway.
Witty testified that it would likely take "several months of continued analysis" to determine who was impacted by the breach and to issue notifications.
At two federal hearings held on May 1, lawmakers grilled Witty on why the Citrix portal was not protected with MFA, why UHG's initial loan program in the wake of the attack failed to meet the needs of providers, and what UHG is doing to remedy the situation.
"The Change hack is a dire warning about the consequences of 'too big to fail' mega-corporations gobbling up larger and larger shares of the health care system. It is long past time to do a comprehensive scrub of UHG's anti-competitive practices, which likely prolonged the fallout from this hack," said Rep. Ron Wyden, D-OR.
"For example, Change Healthcare’s exclusive contracts prevented more than one third of providers from switching clearinghouses, even though Change’s systems were down for weeks."
Witty repeatedly told lawmakers that he would do everything in his power to "make this right," encouraging providers to reach out to UHG with concerns.
---
5/1/2024 - In a written testimony published in advance of Wednesday’s House Energy and Commerce Committee hearing, UnitedHealth Group CEO Andrew Witty shed light on his decision to pay the ransom to cyber threat actors and provided additional details about the attack.
“This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone,” Witty said, explaining that it was ultimately his decision to pay the ransom.
Witty also said that ALPHV cybercriminals gained access to Change Healthcare systems on February 12, nine days before it deployed ransomware. The threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected with multi-factor authentication (MFA).
“We are committed to providing this financial assistance for providers for as long as it takes to get their claims and payments flowing at pre-incident levels,” Witty said. “If there are providers or payers in your states who need help, please put us in touch with them. We pledge to do everything in our power to fix their system or underwrite their cashflow, simple as that.”
Witty will deliver his full testimony on May 1 before the members of the Subcommittee on Oversight and Investigations. Witty also delivered a testimony to the Senate Committee on Finance on May 1.
---
4/22/2024 - UHG has not yet provided a formal breach notification to HHS following the cyberattack. In an April 22 update, UHG stated that the review of impacted data is "likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals."
Under HIPAA, covered entities have 60 calendar days from the discovery of the breach to report it to OCR.
Although the breadth of the impacted data is still unknown, UHG has provided some insight into how its data review is unfolding. The company's initial review has uncovered files containing PHI and PII, "which could cover a substantial proportion of people in America," the latest update stated. However, UHG said it has not yet seen evidence of exfiltration of doctors' charts or full medical histories.
UHG also confirmed that 22 screenshots containing PHI and PII allegedly from exfiltrated Change Healthcare files were posted on the dark web for about a week, but no further publications of data are known at this time.
UHG has offered to make breach notifications on behalf of its customers when the time comes in order to ease reporting obligations.
As previously noted, OCR opened an investigation into the Change Healthcare attack in mid-March, following weeks of disruptions across the sector. On April 19, OCR released an FAQ regarding the cyberattack and its investigation, which it said is primarily focused on "whether a breach of unsecured PHI occurred and on Change Healthcare’s and UHG’s compliance with the HIPAA Rules."
OCR confirmed that it has not yet received a breach report from UHG or any impacted healthcare entity, and emphasized that all covered entities impacted by the cyberattack are expected to file a breach notification if applicable. OCR directed covered entities to contact Change Healthcare and UHG with any questions about how it plans to issue a HIPAA breach notification.
---
UHG's review of data impacted by the cyberattack is still underway, but its latest update confirms that some health data was compromised.
"At this time, we know that the data had some quantity of personal health information and personally identifiable information," UHG said."We are working to determine the quantity of impacted data, and we are fully committed to providing notifications to impacted individuals when determinations are able to be made — and will work with the Office for Civil Rights and our customers in doing so."
Under the HIPAA Breach Notification Rule, covered entities are required to file a breach report with OCR within 60 days of discovery. In addition, the nature of Change Healthcare's business likely means that some of its healthcare organization customers also had data involved in the breach, which could trigger additonal notifications.
"We are committed to providing updates as we progress through the data, not just at the end," UHG emphasized. "We also know customers are interested in hearing about what data is impacted to determine if they have notification obligations. We will be offering to do the notification work for customers where permitted."
---
4/12/2024 - WIRED received samples of Change Healthcare data allegedly stolen by RansomHub, and it appears to be legitimate. RansomHub claims to be holding four terabytes of stolen data and is demanding a ransom from Change Healthcare.
RansomHub claims that it has no affiliation with ALPHV, the group that previously held Change Healthcare's data for ransom and received a $22 million payment.
---
4/11/2024 - A second ransomware gang is reportedly holding stolen Change Healthcare data for ransom, but the validity of the threat group's claims remains unclear. RansomHub, a new and lesser known threat group, claims that BlackCat/ALPHV stole the $22 million ransomware payment from RansomHub actors, which was allegedly paid by UnitedHealth Group in order to restore its systems. RansomHub says that it is them, not BlackCat, that maintains the stolen data.
Security researchers are theorizing that RansomHub is a rebrand of ALPHV, or that the disgruntled affiliate who allegedly never receved their cut of the ransom payment is now moving to RansomHub to try to obtain the payment. Other security researchers have suggested that RansomHub is just trying to intimidate UnitedHealth Group, or that the entire claim is false.
"Our team has been following the ALPHV/BlackCat ransomware attack and the surrounding speculation behind their decision to close up shop. This new information supports a few theories that our team has suggested but no matter the case, it's unfortunate that Change Healthcare is caught in the middle of this conflict between two rival gangs," said Malachi Walker, security advisor at DomainTools.
"The theory that internally, BlackCat was worried about moles within their group, is supported if information BlackCat leveraged to compromise Change Healthcare was shared with RansomHub. The theory that BlackCat rebranded to RansomHub, while not supported yet by any hard evidence, also makes sense. Even if not connected to BlackCat, RansomHub could be claiming ties to their victims to scare them into making a payment."
To Victor Acin, head of threat intel at Outpost24, this development signifies that the stolen Change Healthcare data remains vulnerable to exploitation.
"Ransomware groups, especially those offering RaaS, are very particular about their credibility; ultimately, the trust that victims place in these groups is key to successfully ransoming their data. No one will pay a ransom if they do not believe they will retrieve their data and recover from the attack," Acin said.
"However, in this case, the temptation of keeping the 22 million payout was apparently big enough to jeopardize their entire operation. The remaining question was what would happen to the data belonging to the affected victim; considering it has resurfaced on RansomHub, we can infer that it was in the hands of the affiliate who was now missing around 18 million dollars and was not willing to let go of such a sum."
---
In a March 27th update, UnitedHealth Group said it had begun the process of determining whether any patient data was stolen during the cyberattack. UHG engaged a vendor to conduct a review of data that is "likely" to contain personally identifiable information and claims data. At this time, it is too soon to say with certainty the content of the data that the threat actor accessed.
"This is taking time because Change Healthcare’s own systems were impacted by the event and difficult to access, so it was not safe to immediately pull data directly from the Change systems," UHG stated. "We recently obtained a dataset that is safe for us to access and analyze. Because of the mounting and decompression procedures needed as a first step, we have only recently reached a position to begin analyzing the data."
To date, UHG had not seen evidence of any data being published on the web.
In other news, the US Department of State is offering a reward of up to $10 million for information or identification of ALPHV/BlackCat threat actors, who previously claimed responsibility for the Change Healthcare cyberattack.
---
3/19/2024 - Change Healthcare will start releasing medical claims preparation software in an effort to resume services impacted by the recent cyberattack. The software will be available within the next couple of days to thousands of customers, UnitedHealth Group said in an announcement on March 18th.
“We continue to make significant progress in restoring the services impacted by this cyberattack,” Andrew Witty, CEO of UnitedHealth Group, said in the announcement. “We know this has been an enormous challenge for health care providers and we encourage any in need to contact us.”
As of March 15th, Change Healthcare’s electronic payments platform has been restored. UnitedHealth Group also restored nearly all of Change Healthcare’s pharmacy network services earlier this month. The company is still working on remaining issues and payer implementation restoration but expects to have third-party attestations available before services become operational, the latest announcement stated.
---
03/18/2024 - CMS recently issued guidance for states to make interim Medicaid payments to providers hit by the Change Healthcare cyberattack.
The federal agency announced the flexibilities on March 15th, which will allow states to start making Medicaid payments retroactively to the date when the cyberattack disrupted claims payment processing and for claims affected by the cyberattack.
States can begin the interim payments for Medicaid services as soon as they submit an appropriate Medicaid state plan amendment.
CMS also said in the guidance that it is reopening the 2023 Merit-based Incentive Payment System (MIPS) Extreme and Uncontrollable Circumstances (EUC) Exception Application to provide relief to clinicians impacted by the ongoing disruption to claims processing. The application will be open through the data submission period, which closes on April 15th.
---
03/10/2024 - OCR has opened an investigation into the Change Healthcare cybersecurity incident, issuing a letter detailing its inquiry into the company and UnitedHealth Group (UHG). The agency said the incident is disrupting healthcare, as well as billing information operations nationwide, posing a direct threat to patient care and essential operations.
The investigation will focus on whether a breach of protected health information (PII) occurred during the incident in February, as well as Change Healthcare’s and UHG’s compliance with HIPAA rules, according to the letter.
In the letter, OCR also noted that its interest in other entities that have partnered with Change Healthcare and UHG is secondary to this investigation.
“OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together,” the letter stated. “OCR encourages all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected.”
---
03/10/2024 - In a recent letter to the Departments of Health & Human Services and Labor, the American Medical Association (AMA) called for more action to protect physicians impacted by the Change Healthcare cybersecurity incident.
AMA said while beneficial for physician practices that have seen cash flows run dry as a result of the incident, repayment terms of the Change Healthcare/Optum Payment Disruption (CHOPD) Accelerated Payments to Part A Providers and Advance Payments to Part B Suppliers may be more challenging for physician practices than those used during the pandemic.
The Departments should create an inventory of all health plans currently offering advance payments, the AMA added in the letter. Additionally, the group called for the Departments to ensure Medicare Administrative Contractors (MACs) and health plans accept paper claims during this time and waive timely filing deadlines for claims and appeals.
Other requests from AMA included:
- Providing more specifics and support for physicians requesting expedited electronic data interchange (EDI) enrollment to switch claims processing clearinghouses
- Applying hardship exemptions for CMS-impacted programs automatically
- Encouraging the health information technology community to postpone user fees
“The AMA thanks HHS for CHOPD Advance Payments for Part B Suppliers,” James L. Madara, MD, CEO and executive vice president of the AMA, wrote in the letter. “We appreciate any additional assistance that HHS and DOL can provide directly to physicians and where opportunities exist for the Departments to encourage health plans to undertake actions for relief and support of physicians as they care for patients.”
---
03/08/2024 - UnitedHealth Group has provided a timeline for restoring its systems and services after weeks of downtime. The company said it expects electronic payment functionality to be available for connection by March 15. Electronic prescribing and claim submission and payment transmission will be available today. UHC said it also expects to begin testing and reestablishing connectivity to its claim network on March 18.
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
UHC encouraged providers to use the established workarounds, such as the iEDI claim submission system, as the company works to restore full functionality. Additionally, UHC urged payers to provide funding solutions to providers amid these disruptions.
In response, the American Medical Association (AMA) stressed that the March 18 timeline will leave practices in a state of uncertainty for more than 26 days, emphasizing the need for financial assistance.
“The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is reestablished," the group stated. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are reestablished with the Change Healthcare network.”
Meanwhile, providers and patients across the country are still feeling the financial impact of this incident. A care home in Pennsylvania closed abruptly on March 1 after employees walked out due to not getting paid, the Pittsburgh Post-Gazette first reported.
"As a result of this breach and platform shutdown, cash flow to providers across the country has been impacted, creating a devastating domino effect in the healthcare system nationwide," Jefferson Hills Healthcare and Rehabilitation Center stated in a March 3 letter announcing the closure.
The care home said that the incident has had a "dramatic impact" on its cash flow and its ability to provide quality care to residents. In addition, the Pennsylvania Department of Health put the facility in "immediate jeopardy" following a missed payroll cycle that was a direct result of the cash flow challenges posed by the Change Healthcare cyberattack, the care home said.
Other factors contributed to the closure, including an admission ban due to deficiencies identified under previous ownership. With all these factors combined, it became infeasible to maintain staffing levels. All patients were transferred to other facilities, and it is unclear whether the facility will reopen.
As providers continue to grapple with these disruptions, the threat actors responsible for the attack are dealing with the aftermath of the attack as well. According to a report from WIRED, ALPHV/BlackCat threat actors received a payment of $22 million, suggesting that UHC paid the ransom. UHC has not confirmed nor denied the claim. However, a BlackCat affiliate who allegedly provided BlackCat with access to Change Healthcare's network has since claimed that they were cheated out of their share of the ransom, causing disputes within the group, KrebsonSecurity reported. Since this claim was made, BlackCat appears to have ceased all operations.
---
2/29/2024 - Change Healthcare has confirmed that BlackCat/ALPHV was behind the cyberattack.
"Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat," the company's latest notice to customers stated. "Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare's systems. We are actively working to understand the impact to members, patients and customers."
Change stated that it has "multiple workarounds to ensure people have access to the medications and the care they need" and affirmed that Optum, UnitedHealthcare and UnitedHealth Group systems do not appear to be impacted.
"We are working on multiple approaches to restored the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action," the notice continued.
BlackCat claims that it exfiltrated 6 TB of data that "relates to all Change Health clients that have sensitive data being processed by the company."
The group claims to have exfiltrated data pertaining to Medicare, TriCare, CVS, MetLife, and more. The group also denied that it used the ConnectWise ScreenConnect vulnerabilities for initial access.
---
2/26/2024 - Pharmacies across the country are still feeling the impacts of the Change Healthcare cyberattack on the sixth day of downtime. UnitedHealth Group's latest update did not provide a timeline for restoring its systems.
"We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online," UnitedHealth Group stated. "We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect."
Major pharmacy chains such as CVS and Walgreens have experienced disruptions due to the attack. Tricare, which serves US service members and their families, said that the incident had impacted "all military pharmacies worldwide."
The American Pharmacists Association (APhA) released a statement on February 23 urging patients to check in with their pharmacies if they are in need of medications urgently. APhA said that due to the cyberattack, "many pharmacies throughout America could not transmit insurance claims for their patients."
"This situation may take several days to resolve, so in the meantime, we would ask the public to please keep in mind the incredible extra stress this situation places on pharmacies and pharmacy personnel," said Michael D. Hogue, PharmD, FAPhA, FNAP, FFIP, executive vice president and CEO of APhA.
Two people familiar with the matter told Reuters on Monday that hackers working for BlackCat ransomware gang were behind the attack. However, BlackCat, the FBI, and CISA have not confirmed these allegations. The Department of Justice (DOJ) disrupted BlackCat actors in December 2023 and released decryption keys to victims, but some of the group's known affiliates remained active after the takedown.
Other reports have indicated that the cyberattack is tied to two vulnerabilities recently discovered in ConnectWise's ScreenConnect app. ConnectWise has not confirmed this but said that "Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs."
Health-ISAC released a document containing indicators of compromise (IOCs) and recommendations for healthcare organizations and said that reports from cyber firm RedSense said that Change Healthcare had in fact fallen victim to ScreenConnect exploits, but the incident details cannot yet be confirmed as the investigation is ongoing.
"Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute," Health-ISAC noted. "We would expect to see additional victims in the coming days."
Health-ISAC recommended that organizations remain disconected from Change Healthcare until the environment is deemed safe and update ScreenConnect immediately.
---
2/23/2024 - Via a Securities and Exchange Commission (SEC) Form 8-K filing, UnitedHealth Group confirmed that a "suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems."
The filing stated that UnitedHealth Group's efforts to restore systems and return to normal operations is underway, but it cannot estimate how long that will take. The incident is only impacting Change Healthcare systems, and the rest of the company's operations appear to be unaffected.
The American Hospital Association (AHA) has been in contact with HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) in regards to this cyberattack, it stated in a cybersecurity advisory.
"Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector," AHA noted.
"Based upon the statements from Change Healthcare that they became aware of an 'outside threat' and disconnected 'in the interest of protecting our partners and patients,' we recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum."
AHA also recommended that healthcare organizations using Optum's services prepare contingency plans in the event that these services remain unavailable for an extended period of time.
---
2/22/2024 - Change Healthcare is experiencing a network interruption due to a cyberattack, the company stated in a notice on its website. Change Healthcare is part of health tech company Optum, which is owned by healthcare giant UnitedHealth Group as of 2022. Through its platform, Change processes patient payments for healthcare organizations across the country.
“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” Change noted in its latest update. “The disruption is expected to last at least through the day.”
Change posted its initial notice on February 21, when it began experiencing disruptions to some applications. A few hours later, the company reported “enterprise-wide connectivity issues.”
By Wednesday night Eastern Time, Change began calling the incident a “cybersecurity issue” and assured patients that was working with experts to address the matter.
Pigeon, Michigan-based Scheurer Family Pharmacy reported impacts from the outage that resulted in it being unable to process prescriptions temporarily, the Huron Daily Tribune reported.
“Due to a nationwide outage from the largest prescription processor in North America, we are currently unable to process prescriptions at any of our four locations of Scheurer Family Pharmacy,” Scheurer Health told patients in a Facebook post. “We are being told that this is temporary but have not been given a time for restored services.”
The pharmacy clarified to concerned patients that it was still able to accept prescriptions, but could not process them through the patients’ insurance. A later update stated that its systems were “back up and running.”
“Now with reports surfacing that Change Healthcare has experienced an outage due to a likely ransomware attack, and pharmacies across the country are experiencing delays in processing prescriptions, we’re reminded of the challenges healthcare providers face daily to ensure business continuity and patient care,” said Micky Bresman, CEO of security company Semperis.
“While it is too early to tell if the suspected ransomware attack on Change will affect the lives of patients in need of medications, they do reportedly process 15 billion transactions annually. This attack comes after numerous recent ransomware attacks on hospitals such as Lurie Children’s Hospital in Chicago and medical supply operator Henry Schein.”
This is a developing story. It will be updated as more information becomes available.