
UHG CEO to Testify Before House E&C Subcommittee About Change Healthcare Ransomware Attack

UnitedHealth Group (UHG) CEO Andrew Witty is due to testify before the House Energy and Commerce Oversight Investigations Subcommittee on Wednesday, May 1, 2024, about the Change Healthcare Ransomware attack. A copy of his written testimony is available here.

Witty said in his written testimony, “We have been working 24/7 from the day of the incident and have deployed the full resources of UnitedHealth Group on all aspects of our response and restoration efforts. I want this Committee and the American public to know that the people of UnitedHealth Group will not rest – I will not rest – until we fix this.”

He said UHG “repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”; however, on February 12, 2024, one of those attempts succeeded and a threat actor gained access to the Change Healthcare network. Witty said the threat actor then “moved laterally within the systems in more sophisticated ways and exfiltrated data.” Ransomware was deployed on February 21, 2024, 9 days after the initial intrusion, and data on Change Healthcare’s systems was encrypted, preventing access to those systems.

Witty said the perimeter was secured and UHG prevented the malware from spreading to the broader health system. Those efforts were successful, as the intrusion was confined to Change Healthcare and did not spread to any external environment, including Optum, UnitedHealthcare, and UHG. “We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever,” explained Witty.


Witty also confirmed that the threat actor gained initial access to the Change Healthcare network using compromised credentials to remotely access a Change Healthcare Citrix portal used for remote access to desktops. The Citrix portal did not have multifactor authentication enabled. He explained that it was initially unclear how access had been gained, so the decision was taken to sever connectivity with Change Healthcare’s data centers. While that move was hugely disruptive, he said it was the right thing to do to contain the attack and limit the harm caused. He also confirmed that it was his decision to pay the ransom. The decision was “guided by the overriding priority to do everything possible to protect people’s personal health information,” and it was one of the hardest decisions he has ever had to make.

He also said that the complicated nature of the data review means it will likely take months to identify and notify the affected individuals. For the individuals affected, that means they could be at risk of identity theft and fraud long before they even find out if their data has been stolen. Witty said UHG is working with industry experts to monitor the Internet and dark web to determine if any of the stolen data is published, and “rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services. Anyone concerned their data may have been impacted should visit changecybersupport.com for more information.”

UHG has now provided more than $6.5 billion in accelerated payments and interest-free loans to help providers who have been unable to file and collect insurance claims; however, many patients, hospitals, and health systems continue to be affected by the attack. UHG said in an April 22, 2024, press release that it would “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack,” and that UHG “has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” The American Hospital Association (AHA) and the Medical Group Management Association (MGMA) have called for OCR to hold UHG to its promise to send out breach notifications to the affected individuals.

April 23, 2024: UHG: Substantial Proportion of US Population May Be Affected by Change Healthcare Cyberattack

Andrew Witty, Chief Executive of UnitedHealth Group (UHG) has confirmed that a ransom was paid to prevent the publication of data stolen in the Change Healthcare cyberattack. While the amount paid was not disclosed, it has been widely reported that $22 million was paid to the Blackcat ransomware group behind the attack. The data was not deleted and was obtained by another ransomware group, RansomHub, which tried to extort Change Healthcare and UHG and then leaked screenshots of the stolen data when payment was not forthcoming.

UHG issued a statement confirming that based on the initial results of its investigation, protected health information and/or personally identifiable information was compromised in the attack. Details of the exact types of data involved have not been confirmed, although UHG said it has not found any evidence of exfiltration of doctors’ charts and full medical histories. UHG has yet to confirm the number of people affected by the breach, but has warned that it could cover, “a substantial proportion of people in America.” Change Healthcare states on its website that the information of one in three Americans is touched by its systems, which means it could be the largest ever healthcare data breach, potentially involving the protected health information of more than 100 million Americans.

As for when notifications will be issued, that too is unclear. It has almost been 60 days from the date of discovery of the cyberattack (February 21, 2024), but it was only confirmed on April 15, 2024, that protected health information had been breached. The review of the affected information is ongoing to determine how many individuals have been affected and the types of information involved. “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” said UHG. “As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review.” A dedicated website has been created with further information.

An update has also been provided on the restoration of Change Healthcare’s services. UHG said pharmacy services and medical claims across health systems are back to near-normal levels, although a small number of providers continue to be adversely affected. Payment processing is at approximately 86% of pre-incident levels, and around 80% of Change Healthcare’s functionality has now been restored. The remaining services are expected to be restored in the coming weeks.

Details of the nature of the breach have yet to be disclosed; however, The Wall Street Journal has reported that the hackers gained access to Change Healthcare’s systems 9 days before ransomware was deployed on February 21, 2024. According to the WSJ source, who is familiar with the attack, compromised credentials were used to access its systems, multifactor authentication was not enabled on the compromised account, and lateral movement occurred from February 12 to February 24, which would have allowed the attackers to gain access to significant amounts of data.

HHS Publishes Webpage with HIPAA FAQs Related to Change Healthcare Cyberattack

The HHS’ Office for Civil Rights has created a webpage to answer commonly asked questions about the Health Insurance Portability and Accountability Act (HIPAA) and the Change Healthcare ransomware attack. The webpage explains the rationale behind OCR’s ‘Dear Colleague’ letter about the cyberattack and the prompt opening of an investigation of Change Healthcare and UnitedHealth Group (UHG) to establish whether they were in compliance with the HIPAA Rules. OCR said action was taken quickly due to the widespread impact of the attack on healthcare providers and patients and the unprecedented impact on patient care and privacy.

OCR confirmed that its interest in other HIPAA-regulated entities in relation to the Change Healthcare cyberattack is secondary, but reminded HIPAA-regulated entities that if they have business associate relationships with Change Healthcare or UHG, they must ensure they have business associate agreements in place, and reminded them of their responsibility to ensure that protected health information (PHI) is safeguarded.

OCR confirmed that it has yet to receive any notification from Change Healthcare about a breach of PHI and confirmed that covered entities have up to 60 days from the date of discovery of a data breach to report any breaches of unsecured PHI. OCR said covered entities affected by the Change Healthcare cyberattack are required to issue breach notifications to the affected individuals and notify the Secretary of the HHS, and that those notifications should be issued without unreasonable delay and no later than 60 days from the date of discovery of a data breach. A notice is also required to be provided to the media. If a business associate experiences a data breach, it must notify the covered entity within 60 days of discovery. The business associate should provide the covered entity, to the extent possible, with details of the breach and the affected individuals. The covered entity is responsible for issuing breach notifications when breaches occur at business associates, although it may delegate responsibility for doing so to the business associate.

HIPAA-regulated entities that have been affected by the Change Healthcare cyberattack should contact Change Healthcare/UHG if they have any questions about breach notifications to determine the extent to which Change Healthcare and UHG are willing to issue breach notifications on behalf of the affected organizations and how breach notification will occur. UHG has stated publicly that it is willing to help the affected entities with their breach notifications.

Scammers Target Nebraska Hospitals

Bryan Health has issued an alert after being notified by several patients who were contacted by people claiming to be representatives of hospitals in Nebraska telling them they are entitled to a refund related to the Change Healthcare cyberattack. The scammers ask for a credit card number to issue the refund. Bryan Health said its representatives would never ask for a credit card number over the phone to initiate a refund. Jeremy Nordquist, President, Nebraska Hospital Association (NHA), said “Nebraskans need to be vigilant for both them and their family members. If you are at all skeptical regarding the nature of a phone call, hang up and call your hospital directly.” The warning applies to all Americans. There are likely to be many scams related to the Change Healthcare cyberattack over the coming weeks and months.

April 17, 2024: Change Healthcare Investigates Potential Leak of Patient Data

Change Healthcare experienced an ALPHV/Blackcat ransomware attack and reportedly paid a $22 million ransom to prevent 6TB of stolen data from being leaked, only for the group to pull an exit scam and pocket the payment without paying the affiliate who conducted the attack.

A relatively new ransomware group – RansomHub – then issued a demand stating it had acquired the stolen data from the former ALPHV affiliate and required payment to prevent the data from being leaked. Payment has not been made and RansomHub has started to leak the stolen data. Screenshots have been leaked that appear to be data sharing agreements between Change Healthcare and several of its clients, and some files that include patient data.

The group claims it will sell the stolen data to the highest bidder in 5 days if Change Healthcare and UnitedHealth Group refuse to negotiate a suitable payment. Change Healthcare has confirmed it is aware of RansomHub’s threat but has yet to verify whether the leaked data was stolen in the February cyberattack. UnitedHealth Group has confirmed that personal health information and personally identifiable information were stolen in the attack, and leading forensics experts have been engaged to review the affected files. The types of information exposed and the number of individuals affected have yet to be disclosed.

Providers Still Struggling Financially Due to Cyberattack

A survey conducted by the American Medical Association (AMA) has revealed that more than one-third (36%) of physician practices have seen claims payments suspended as a result of the ransomware attack, one-third (32%) have not been able to submit claims, two-fifths (39%) have not been able to obtain electronic remittance advice, and one-fifth (22%) have not been able to verify eligibility for benefits.

77% of respondents said they experienced service disruptions since the Change Healthcare ransomware attack and are still dealing with the effects of the attack. 80% of providers said they lost revenue from unpaid claims, 78% lost revenue from claims that they have been unable to submit, 55% have had to use personal funds to cover expenses incurred as a result of the attack, and 51% said they have lost revenue from the inability to charge patient co-pays or remaining obligations.

48% of respondents said they have had to enter new and potentially costly arrangements with alternative clearinghouses to conduct electronic transactions, and while some practices have been able to take advantage of advance payments, temporary funding assistance, and loans, issues persist with all of those measures.

“The disruption caused by this cyber-attack is causing tremendous financial strain,” said AMA President Jesse M. Ehrenfeld, MD, MPH. “These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians. The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.”

Lawmakers Seek Answers on What Went Wrong

On April 8, 2024, Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and Subcommittee Chair Richard Blumenthal (D-CT) wrote to UnitedHealth Group Chief Executive Officer Andrew Witty seeking answers about the attack. One of the key questions was why there was a lack of redundancy to prevent a major outage. The Senators also requested information about how the network was breached, asked for a timeline of events following the attack, and wanted to know what steps UnitedHealth Group is taking to fill the revenue gap providers are experiencing and what is being done to identify the providers and patients whose data was stolen in the attack. The Senators requested answers before April 15, 2024.

On April 15, 2024, members of the House of Representatives Committee on Energy and Commerce wrote to Andrew Witty demanding answers to a long list of questions about the status and impact of the cyberattack and system restoration, the identification and immediate response to the cyberattack, the cybersecurity protocols and dedicated resources in place, the response to the healthcare community, and requested updates on the recovery by April 29, 2024.

At an April 16, 2024, hearing before the Energy and Commerce Health Subcommittee, Subcommittee Ranking Member Anna G. Eshoo (D-CA) criticized UnitedHealth Group over its acquisition of Change Healthcare – an acquisition that was opposed by the Department of Justice. “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our health care system,” said Rep. Eshoo. “The cyberattack laid bare the vulnerability of our nation’s health care infrastructure.” Questions were also asked about whether the government allowed UnitedHealth Group to become too dominant through its mergers and acquisitions and whether enough was done to prevent inevitable cyberattacks given how big a target Change Healthcare is. UnitedHealth Group was asked to attend the hearing, but no representative turned up.

UnitedHealth Group Anticipates $1.6 Billion Loss This Year Due to Ransomware Attack

UnitedHealth Group has spent around $872 million in Q1, 2024, responding to the Change Healthcare ransomware attack, with $593 million spent on direct-response costs and $279 million lost due to business disruption. UnitedHealth has also provided $6 billion in temporary, interest-free funding to providers affected by the outages who have been unable to bill for their services and anticipates the costs in 2024 to increase to between $1.35 billion and $1.6 billion. Despite the losses due to the cyberattack, UnitedHealth Group has exceeded expectations in Q1, 2024, with revenues up $8 billion year-over-year.

April 8, 2024: New Ransomware Group Claims to Have Data from Change Healthcare Ransomware Attack

The ALPHV/Blackcat affiliate behind the Change Healthcare ransomware attack has claimed not to have been paid a share of the $22 million ransom payment, and the ALPHV ransomware operation has since been shut down. The affiliate, who operates under the name Notchy, claimed to hold a copy of the 6TB of data stolen in the attack; however, the data does not appear to have been publicly leaked and cybersecurity researchers have not identified any attempts to sell the data. Notchy has been quiet since making the initial claims and appears to be lying low.

There have been some developments, however. A new ransomware group called Ransom Hub has emerged that has issued a ransom demand to Change Healthcare, Optum Group, and UnitedHealth Group. The Ransom Hub post, which was found by security researcher Dominic Alvieri, states that ALPHV stole the $22 million that was paid to prevent the release of the stolen data and that ALPHV does not hold the stolen data.

Ransom Hub claims to have the only copy of the stolen data and the post lists some of the affected healthcare providers. Ransom Hub is threatening to leak the stolen data and has given Change Healthcare and UnitedHealth Group 12 days to pay the ransom. “Change Healthcare and United Health you have one chance in protecting your clients data,” said Ransom Hub on its dark web site. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.”

Vx-underground engaged with the Ransom Hub group, which claimed to have recruited previous ALPHV affiliates, suggesting that notchy may be one of the affiliates that has joined the operation; however, there are other possible explanations as VX Underground explained, “it is not clear if RansomHub is a rebrand of ALPHV ransomware group, the affiliate at ALPHV is moving to RansomHub, or if this is a scam by RansomHub ransomware group trying to intimidate Change Healthcare into paying again.”

“Ransomware payouts is a tricky business because you’re dealing with criminals who can’t be trusted. Various theories exist on recent reports that RansomHub is now claiming data from United Health and Change HealthCare, which was recently breached by AlphV,” Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit told The HIPAA Journal. “This can be explained through shifts in the criminal marketplace, lying by bad actors, multiple compromises, or other scenarios. It is not uncommon, as an incident responder, to discover not just one threat inside of a compromised environment, but two or more. It is also not uncommon for companies that give in to bad actors performing extortion, such as ransomware and DDoS payouts, to become “soft targets”, quickly hit again with additional forms of extortion again and again.”

Change Healthcare Seeks Consolidation of Lawsuits

Lawsuits against Change Healthcare have been mounting, with at least two dozen lawsuits now filed in response to the attack and data breach. The lawsuits have been filed by patients who claim their sensitive data was stolen in the attack and by healthcare providers who have been affected by the prolonged outage of Change Healthcare’s systems. Change Healthcare has responded by filing a motion that seeks consolidation and transfer of the lawsuits to Change Healthcare’s home district, the United States District Court for the Middle District of Tennessee. While lawsuits have been filed by individuals and providers, Change Healthcare has asked the court to consolidate all lawsuits, since they include common factual and legal issues arising from the attack and they assert substantially identical causes of actions.

According to Change Healthcare, consolidating the lawsuits will prevent duplicative discovery, inconsistent pretrial rulings, and will conserve the resources of the parties and the courts, and the Middle District of Tennessee has the strongest connection to the litigation. The only common defendant in each of the actions is Change Healthcare, which is headquartered in Tennessee, where key custodians, witnesses, and evidence are also located. The Middle District of Tennessee is also where the first action was filed, along with around half of the subsequent actions.

The lawsuits filed by individuals and providers all make similar allegations – that Change Healthcare failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to its network, something that Change Healthcare denies. “All the actions are based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient and plaintiffs must have been harmed,” said Change Healthcare in its filing.

At least 13 lawsuits have now been filed by individuals whose data was allegedly stolen in the attack. They claim that they face an imminent and heightened risk of identity theft and fraud as a result of the theft of their data. At least 11 lawsuits have been filed by healthcare providers who were affected by the outages at Change Healthcare, which caused delays to insurance claims and threatened the viability of their businesses.

Disruption Continues to Be Experienced by Providers Despite Restoration of Change Healthcare Systems

Many of Change Healthcare’s systems have now been restored, with the remainder expected to be restored in the next few weeks. The latest update on April 5, 2024, said medical network and transaction services such as Pharmacy solutions, Exchange clearinghouse, Assurance Reimbursement Management, Clearance Patient Access Suite, and Reimbursement Manager, as well as claims and eligibility transactions are being prioritized.

While medical claims are now flowing through Change Healthcare’s network, providers are still facing delays due to the substantial billing backlog and the unavailability of certain systems. Change Healthcare’s Assurance and Relay Exchange clearinghouses are back online and have been for a few weeks; however, it has taken time for commercial payers and government payers to reconnect the claims network, with providers across the country still waiting for many claims to be paid. UnitedHealth Group has continued to offer financial assistance and has provided more than $4.7 billion in temporary financial assistance to the affected providers.

March 29, 2024: UnitedHealth Group Confirms Data Stolen in Change Healthcare Ransomware Attack

It has been more than 5 weeks since Change Healthcare suffered a Blackcat ransomware attack. The ALPHV/Blackcat group is known to exfiltrate data in its attacks; the group claimed to have stolen 6TB of data, and a ransom of $22 million was paid to a Blackcat account to prevent the release of the stolen data. The affiliate behind the attack claimed not to have been paid for the attack, the ALPHV/Blackcat group said the ransom was seized by law enforcement and was never received, and the affiliate still claimed to hold a copy of the stolen data.

Neither Change Healthcare nor its parent company, UnitedHealth Group, have publicly disclosed whether a ransom was paid but UnitedHealth Group has now confirmed that data was stolen in the attack. UnitedHealth Group said it has started analyzing the exfiltrated files to determine how many individuals have been affected and the types of data involved. UnitedHealth Group said it was unable to confirm whether data had been stolen until now as Change Healthcare’s systems were difficult to access and it was not safe to pull any data out of those systems directly. The delay was due to the time taken to complete mounting and decompression procedures, but a dataset has now been obtained that can be safely accessed and analyzed.

No timescale has been provided so far about when that analysis will be completed but UnitedHealth Group said attention is focused on the data review. While it is currently unclear what types of data were stolen in the attack, UnitedHealth Group said personally identifiable health information, eligibility and claims information, and financial information are likely to have been compromised. So far, UnitedHealth Group has not identified the publication of any of the stolen data on the dark web.

Key systems have now been restored, but many Change Healthcare IT products and services remain offline. UnitedHealth Group said substantial progress has been made in recovering those systems, with eligibility processing, clinical data exchange, and retrospective episode-based payment models expected to be restored in the next 3 weeks. UnitedHealth Group has also confirmed that it has paid out more than $3.3 billion in loans to healthcare providers under its temporary funding program to help ease the financial strain caused by delays to the processing of insurance claims, and providers will have 45 days to pay back the loans. 40% of the $3.3 billion has been provided to safety net hospitals and federally qualified health centers that serve high-risk patients and communities.

HHS Issues Guidance for Providers Affected by Change Healthcare Ransomware Attack

The Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), and the Administration for Strategic Preparedness and Response (ASPR) have issued guidance to help entities impacted by the Change Healthcare ransomware attack.

The attack forced Change Healthcare to take more than 100 systems and services offline, and those systems have remained offline for several weeks. While key products and services have been restored, some Change Healthcare systems are still offline. It is likely to take several more weeks before all services are restored. HHS Deputy Secretary Andrea Palm, ASPR Administrator and Assistant Secretary Dawn O’Connell, and CMS Administrator Chiquita Brooks-LaSure said they continue to hear from providers who are still experiencing difficulty getting answers from healthcare plans about the availability of prospective payments or the flexibilities that may be needed while Change Healthcare’s systems remain unavailable.

They explained that the HHS has asked health plans to provide national contact information that the affected providers can use, and have shared resources to help affected providers get the answers they need. Affected providers have been urged to try to get answers from regional points of contact for their health plans in the first instance, and to use the provided contact information if they are unable to get a response.

They have also taken the opportunity to remind healthcare providers about the HHS voluntary Healthcare and Public Health Cybersecurity Performance Goals, which will help them to strengthen preparedness, improve resiliency against cyberattacks, and better protect patient health information.

Department of State Offers $10 Million Reward for Information on ALPHV/Blackcat Ransomware Group

The U.S. Department of State has confirmed that there is a reward of up to $10 million for information leading to the identification or location of any individual linked to the ALPHV/Blackcat ransomware group, their affiliates, or links to a foreign government under the Rewards for Justice (RFJ) program.

March 25, 2024: Clarification Sought from OCR About Change Healthcare Ransomware Breach Notifications

The American Hospital Association (AHA) has written to the Department of Health and Human Services seeking clarification about data breach notifications, should it turn out that protected health information has been compromised. OCR recently announced that due to the impact of the Change Healthcare ransomware attack, the decision had been taken to investigate Change Healthcare promptly to establish whether it was compliant with the HIPAA Rules. In a “Dear Colleague” letter, OCR Director Melanie Fontes Rainer said, “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

The AHA expressed concern about Fontes Rainer’s statement and is seeking clarification on which entities need to issue notifications. The AHA explained in the letter that Change Healthcare is a covered entity and, as such, has a duty to notify OCR and the affected individuals about any data breach, even in cases where Change Healthcare acts as a business associate. “We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred,” stated the AHA in the letter. “We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already… our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack.”

The Washington State Hospital Association (WSHA) has also been contacted by its members who have expressed concern about the notification requirements after reading OCR’s letter. With respect to the business associate agreement and notification warnings in the letter, WSHA said, “This statement reminds hospitals they can get ahead of this issue by reviewing now the various sets of obligations on both their part and the part of Change contained in the BAAs they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements.”

Patients Report Scam Calls Following Change Healthcare Cyberattack

The Minnesota Hospital Association and Minnesota Attorney General have issued warnings as scammers appear to be targeting patients affected by the Change Healthcare ransomware attack. Patients have reported receiving calls from individuals claiming to be representatives from hospitals, clinics, and pharmacies who are offering refunds or demanding payment. While these calls could indicate that data stolen in the attack is already being misused, it could just be opportunists taking advantage of the situation. Lou Ann Olson of the MHA urged everyone to exercise caution and be wary of scams. “Your hospital will not call or email you to ask for a credit card number,” said Olson. She urged patients to contact their healthcare provider directly if they receive a call, text, or email related to the Change Healthcare cyberattack.

Change Healthcare Criticized for Slow Recovery

Cybersecurity experts have criticized Change Healthcare over its response to the cyberattack, which has caused outages lasting more than 4 weeks. Around 20 services have now resumed, but more than 100 are still offline. It is not unusual for recovery from a ransomware attack to take several weeks; however, the extent to which Change Healthcare’s systems are used by healthcare providers means the impact has been far-reaching, and Change Healthcare should have been aware of this and been better prepared to ensure that disruption was minimized.

“The fact that it has taken a company that provides such a critical service so long to recover is obviously a concern. Not only the time it took to recover its IT systems, but the fact that it seemingly didn’t have a backup plan that could be quickly and speedily put in place,” said Emsisoft threat analyst, Brett Callow. Other cybersecurity experts have questioned whether appropriate backups were in place and if an incident response plan was in place that had been properly tested.

UnitedHealth Provides $2.5B in Financial Assistance to Affected Providers and Starts Working on $14M Claims Backlog

UnitedHealth Group has confirmed that it has advanced more than $2.5 billion to healthcare providers affected by the outages at Change Healthcare and has software due to be made available to help with claims preparations. “We recognize the event has caused different levels of impact among providers; therefore, we continue to offer temporary funding assistance at no cost,” the company said. “We know many providers, especially smaller practices, are struggling, and we encourage those who need further assistance to access these resources.”

UHG also said on March 22, 2024, that it expected its biggest clearinghouses to be back online during the weekend, and that the backlog of more than $14 billion in claims will start to flow soon afterwards.

March 15, 2024: UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack

UnitedHealth Group (UHG) has confirmed that the cybersecurity firms Mandiant and Palo Alto Networks are assisting with the forensic investigation and that the investigation into the February 21, 2024, ransomware attack on Change Healthcare is well underway. UHG has also confirmed that the forensic investigation has uncovered the source of the intrusion. After identifying the initial attack vector, UHG identified a safe restore point and can now work on restoring the systems that are currently non-operational and can start recovering data.

At this stage, UHG has not publicly disclosed the initial attack vector. There was speculation in the days immediately after the attack that two recently disclosed vulnerabilities in ConnectWise ScreenConnect were exploited in the attack. Those vulnerabilities were discovered on February 15, and notifications about the flaws were issued on February 19, just a couple of days before the LockBit ransomware attack on Change Healthcare was detected. UHG said it will be sharing further information on its investigation and recovery in the coming days, but it is unclear whether that will include the attack vector. Typically, victims of cyberattacks do not publicly disclose exactly how their systems were breached.

UHG has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services and it has begun enabling its Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity. On March 13, 2024, UHG said all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.

March 11, 2024: UnitedHealth Group Expands Financial Assistance Program and Provides Timeline for Recovery

On March 8, 2024, more than 2 weeks after the Change Healthcare ransomware attack, UnitedHealth Group provided a timeline on when it expects to have restored its systems and services. UnitedHealth Group said its electronic prescribing service is now fully functional and has been since Thursday; however, electronic payments are not expected to be available until March 15, 2024. Testing of the claims network and software will commence on March 18, and services are expected to be restored throughout that week.

UnitedHealth Group has also confirmed that its financial assistance program, provided through Optum, has been expanded to include providers that have exhausted all available connection options as well as those that work with payers who will not advance finances during the outage. The financial assistance program will see advance payments made each week based on providers’ historic payment levels and those following the cyberattack. UnitedHealth Group was criticized for the onerous terms of its financial assistance program which was made available a week after the attack, but confirmed that the funds will not need to be repaid until claims flows have completely resumed. When that happens, providers will be sent an invoice and will be given 30 days to repay the funds.

Prior authorizations are being suspended for most outpatient services for Medicare Advantage plans, utilization reviews for inpatient admissions are being put on hold until March 31, 2024, and drug formulary exception review is suspended for Medicare Part D pharmacy benefits. Pharmacies affected by the outage have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filled during the outage “with the good faith understanding that a medication would be covered.”

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO, UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”

The additional measures have been welcomed but the American Medical Association (AMA) has warned that physician practices are still likely to face significant challenges. “The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is re-established,” said the AMA. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are re-established with the Change Healthcare network.”

March 5, 2024: UnitedHealth Group Offers Temporary Funding Assistance in Response to Change Healthcare Ransomware Attack

UnitedHealth Group, the parent company of Change Healthcare, has set up a temporary financial assistance program for customers affected by the Change Healthcare ransomware attack. The program will help providers who have been unable to receive payments due to the outage at Change Healthcare. Under the financial assistance program, providers that receive payments processed by Change Healthcare will be able to apply for temporary funding through Optum Financial Services. If applications are made for temporary funding, they will be paid based on prior claims volume and will be interest-free and fee-free.

“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” explained UnitedHealth. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

The financial assistance program is only available for providers who have been affected by the disruption to payment distribution. Financial assistance is not being offered to providers that have faced claims submission disruption, therefore, only a small number of providers will qualify for assistance. The terms of the financial assistance program are also worrying. Any funds provided will need to be paid back when normal operations resume and repayments will need to be made within 5 days of receiving notice. The terms of the financial assistance include allowing Optum Financial Services to take back the funds without advance communication.

While the move has been welcomed by provider groups, they say it will do little to alleviate the financial strain on many of the affected providers who are experiencing severe cash flow problems due to the increased workload from having to implement workarounds for filing claims and prior authorization requests. The American Hospital Association (AHA) said the assistance being offered “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage.” The assistance being offered only addresses one of the two problems caused by the Change Healthcare outage. It helps address the problem of payers being unable to pay via Change Healthcare, although the AHA said the terms and conditions are “shockingly onerous.” The AHA said no assistance is being offered at present to ease the burden on providers who are unable to bill payers in a timely manner due to the ongoing disruption of Change Healthcare’s clearinghouse and claims submission systems.

The recovery process has been slow for Change Healthcare. The Blackcat ransomware attack caused an outage that has lasted for almost 2 weeks. On March 1, 2024, Change Healthcare confirmed that it had set up a new instance of its Rx ePrescribing service and had successfully tested the new instance with vendors and retail pharmacies; however, the Clinical Exchange ePrescribing provider tools remain offline, as do around 100 of Change Healthcare’s IT products.

There have been reports in the media that indicate Optum paid a $22 million ransom payment to the ALPHV/Blackcat ransomware group for the decryption key and to ensure that the stolen data is deleted. The affiliate behind the attack claims that the ALPHV/Blackcat group stole the ransom and has now shut down the operation. The affiliate claims to have 4TB of the data stolen from Change Healthcare.

UnitedHealth Provides Update on Incident Response and Recovery

UnitedHealth Group has provided further updates on the recovery process. On March 1, 2024, a new instance of Change Healthcare’s Rx ePrescribing service was made available and UnitedHealth Group said it has already processed more than 3 million transactions, and volume is increasing daily as more system vendors reconnect. Workarounds are continuing to be deployed for claims, and UnitedHealth Group says 90% of claims are now flowing uninterrupted, with claims expected to increase to around 95% by next week (w/c 3/11); however, there are still issues with Change Healthcare’s payment capabilities although progress is being made on restoring them. “Our teams have been diligently working on restoration of the core environment. We expect our data center rebuild and restoration of database center services to be complete this week,” explained UnitedHealth Group. “From there, we will turn our full attention to application and service restoration.”

On March 7, UnitedHealth Group said a new instance of the Rx Connect (Switch) service is now online and it is actively working to restore full service and connectivity claim traffic and has begun enabling Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity.

While progress is being made on restoring services, attention will soon turn to the scale of the data breach. Given that Change Healthcare processes 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions, this could turn out to be one of the largest healthcare data breaches of all time. At least 5 class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who allege their information was stolen in the attack, and that number is expected to continue to grow as the extent of the data breach becomes clear.

March 2, 2024: Change Healthcare Confirms Blackcat Ransomware Attack as Rx ePrescribing Service Reestablished

The Blackcat ransomware group claims to have stolen a vast amount of data from Change Healthcare in the recent cyberattack. In a statement posted, and later removed, from its data leak site, a member of the group claimed to have stolen 6TB of data from UnitedHealth, which the group alleges includes “highly selective data” from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Screenshots of some of the data were shared as proof of data theft. The group also claims to have stolen the source code of Change Healthcare applications. The group claims to have stolen the data of millions of patients, including medical records, insurance records, dental records, payment information, claims information, and patients’ PHI, including health data, contact information, and Social Security numbers.

Change Healthcare has yet to determine the extent of any data breach at this early stage of its investigation. Ransomware groups usually threaten to publicly release data to pressure victims into paying the ransom, and listings are often added when victims refuse to negotiate or when negotiations break down. The rapid removal of the listing suggests that Change Healthcare is in touch with the group, although there could be other reasons for the removal of the data.

In an update on February 28, 2024, Change Healthcare confirmed that disruptions have continued for a 9th day, with some applications still experiencing connectivity issues. Change Healthcare also said it has a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not compromised and the breach appears to be limited to Change Healthcare, with none of its clients’ systems breached.

In a February 29, 2024 update, Change Healthcare confirmed that this was an ALPHV/Blackcat ransomware attack. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”

While not specifically referencing the Change Healthcare cyberattack, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on February 27 warning about increased attacks on the healthcare sector by the Blackcat/ALPHV ransomware group. Seventy victims have been listed on the group’s data leak site since December 2023, and healthcare has been the most commonly attacked sector.

In a March 1, 2024 update, Change Healthcare explained that a new instance of its ePrescribing service has been stood up, although Clinical Exchange ePrescribing providers’ tools are still not operational. “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” explained Change Healthcare in a March 1, 2024 status update. “As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”

February 27, 2024: Blackcat Ransomware Group Behind Change Healthcare Cyberattack

The disruption at Change Healthcare has continued into the seventh day after its February 21 cyberattack, with pharmacies across the country still struggling to process prescriptions. With Change Healthcare’s systems out of action, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed. On Monday, Change Healthcare confirmed that the attack is still affecting 117 of its applications and components.

Change Healthcare/Optum has been providing daily updates and has confirmed that the disruption is continuing. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” explained Change Healthcare in its February 26, 2024 update. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”

Change Healthcare has engaged the services of Alphabet’s cybersecurity unit, Mandiant, which is assisting with the investigation and remediation of the cyberattack. While neither Change Healthcare nor Mandiant has commented on the nature of the attack, Reuters has reported that two sources familiar with the incident have confirmed that this was a ransomware attack and that the ALPHV/Blackcat ransomware group is responsible. On February 27, 2024, a member of the Blackcat group confirmed that they were behind the attack.

Blackcat is known to engage in double extortion tactics, where sensitive data is exfiltrated before ransomware is used to encrypt files. Ransoms must be paid to recover encrypted files and to prevent the release of stolen data, so there is likely to have been a data breach although that has not been confirmed by Change Healthcare at this stage.

In December 2023, the Blackcat group was the subject of a US-led law enforcement operation that took down websites used by the group. Following the takedown, the group issued a statement saying that, in response, it had removed affiliate restrictions and now allows affiliates to conduct attacks on critical infrastructure entities and healthcare organizations. It should be noted that the “rule” on not targeting healthcare organizations was not strictly followed before the takedown, as the group conducted several attacks on healthcare organizations in 2023, including McLaren Health Care and Norton Healthcare.

In early updates on the nature of the attack, Change Healthcare said it suspected that the attack was the work of a nation-state-associated actor; however, that appears not to be the case. ALPHV/Blackcat is a financially motivated cybercriminal group with no known links to any nation state. There have also been media reports suggesting the attack involved the exploitation of a vulnerability in ConnectWise’s ScreenConnect app. ConnectWise issued a statement saying Change Healthcare does not appear to be a direct customer, although it is possible that ConnectWise was used by a managed service provider. At this stage, no MSP partners have come forward and confirmed a breach that impacted Change Healthcare.

February 22, 2024: Change Healthcare Responding to Cyberattack

Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has confirmed that it is dealing with a cyberattack that has caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impacts.

“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” explained Change Healthcare on its status page. The Change Healthcare cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working around the clock to mitigate the attack and restore the affected systems.

UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Change Healthcare provides prescription processing services through Optum, which provides services to over 67,000 U.S. pharmacies and serves 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions. Change Healthcare is used by Tricare, the healthcare provider of the U.S. military, and all military pharmacies, clinics, and hospitals have been affected by the disruption caused by the Change Healthcare cyberattack. Retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to send orders through insurance plans.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, UnitedHealth confirmed that Change Healthcare had experienced a cyberattack that affected dozens of systems. At this stage of the incident response, it is too early to tell if any patient data has been exposed or stolen in the attack, and neither UnitedHealth nor Change Healthcare could provide a timeline on when systems will be brought back online.

UnitedHealth said in its SEC filing that it suspects the cyberattack was conducted by a nation state, rather than a cybercriminal group, but did not provide further information on how that determination was made. That announcement is concerning, given the recent warnings about China maintaining access to critical infrastructure entities in the U.S. and the new sanctions due to be imposed on Russia in response to the death of Alexei Navalny.

There are also fears that the cyberattack could extend to the pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued a warning to all members that they should immediately disconnect from the Optum system as a precaution. “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said, and in the meantime switch to manual processes.

What is HIPAA and does this Cyberattack Break the Law?

All healthcare organizations that conduct transactions electronically that involve protected health information are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of protected health information to unauthorized individuals and the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information.

If an unauthorized individual gains access to systems containing protected health information, it is classed as an impermissible disclosure of protected health information and is a reportable HIPAA breach. A reportable breach is not, however, necessarily a HIPAA violation. The HIPAA Security Rule requires risks and vulnerabilities to be identified, and for those risks to be managed and reduced to a reasonable and appropriate level; it does not require risks and vulnerabilities to be eradicated entirely.

The first priority following the detection of unauthorized system activity should be to contain the incident and ensure that the threat actor is eradicated from internal systems. Systems must be safely brought back online and the nature and scope of the incident established through a forensic investigation. If it is determined that patient data has been exposed, the breach must be reported to the Department of Health and Human Services (HHS) and the affected individuals must be provided with individual notifications within 60 days of the discovery of the data breach. HHS investigates all data breaches of over 500 records to determine if they were the result of a failure to comply with the HIPAA Rules, and financial penalties can be imposed for noncompliance.

The HIPAA Journal will update this post as more information about the incident comes to light, so please check back over the coming days and months.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
