Updated April 23, 2024: According to Wired, Change Healthcare has admitted to paying the initial ransom, while patient data still ended up on the dark web. UnitedHealth Group’s website has a new update explaining the scope of the hack, “which could cover a substantial proportion of people in America,” and offering support to affected patients.
Updated April 10, 2024: A second ransomware group has reportedly demanded payment from Change Healthcare. The RansomHub group claims to have 4 terabytes of Change’s data and has threatened to sell the information on the dark web unless payment is made, according to cybersecurity analyst Dominic Alvieri on LinkedIn.
Updated March 13, 2024: HHS announced that it is opening an investigation into the Change Healthcare cyber incident to focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.
Updated March 5, 2024: HHS said that it plans to accelerate payments to hospitals affected by the Change Healthcare cyberattack and institute other workarounds for providers. The AMA and the American Hospital Association (AHA) welcome this development but say it isn’t enough. Some estimate that providers are experiencing costs of $100 million a day.
Updated March 4, 2024: According to Wired, the ALPHV/Blackcat hackers have received a $22 million payment in Bitcoin, suggesting that Change Healthcare may have paid a ransom. Change has declined to answer whether it paid, and cybersecurity experts caution that this news could result from disinformation from the murky world of cybercrime. Optum has announced it’s providing temporary funding assistance to some providers affected by the cyberattack.
Updated March 1, 2024: UnitedHealth Group has confirmed that the ALPHV/Blackcat ransomware group was responsible for the cyberattack on Change Healthcare last week. The incident has disrupted electronic pharmacy refills and insurance transactions nationwide. The American Hospital Association (AHA) says the impact across the entire healthcare sector is “massive,” potentially disrupting the ability of some health systems to pay for salaries and equipment. The disruptions may last for weeks.
Today, the Washington Post reported that millions of Americans have experienced delays in obtaining prescriptions or have had to pay the entire bill without insurance coverage because of the cyberattack.
Change Healthcare, a national healthcare technology company, announced a cyber incident affecting its network. The Tennessee-based company said it faced enterprise-wide connectivity issues that started Wednesday, February 21, 2024. Change Healthcare processes patient payments and supports clinical and imaging procedures as well as patient engagement and communications.
Change Healthcare, a part of Optum and UnitedHealth Group, is one of the largest healthcare technology companies in the United States. According to its website, it handles 15 billion healthcare transactions annually and manages one in three U.S. patient records through its clinical connectivity solutions.
Change Suspected a Nation-State Was Responsible
We now know that the ALPHV/Blackcat ransomware group was responsible for the cyberattack. In the early days of the investigation, UnitedHealth Group suspected “a nation-state associated cyber security threat actor.”
In an SEC filing, UnitedHealth Group disclosed that it had identified “a suspected nation-state associated cyber security threat actor” who had gained access to some Change Healthcare IT systems on February 21.
The Cybersecurity and Infrastructure Security Agency (CISA) says that nation-state adversaries, such as China, Russia, North Korea, and Iran, “pose an elevated threat to our national security” because of their sophisticated, targeted, and malicious cyber activity aimed at prolonged network or system intrusion.
And while the ALPHV/Blackcat group is a dangerous cybersecurity threat, some experts note that research has not confirmed a link between the group and a nation-state. If evidence of a link exists, it hasn’t been made public.
Incident Has the Attention of HC3
This incident is so significant that the Health Sector Cybersecurity Coordination Center (HC3) immediately emailed an alert to the healthcare industry, reflecting the heightened emphasis on cybersecurity threats to the healthcare sector and increased vigilance and enforcement.
“The HHS is aware that a cyber incident was identified in Optum Insight’s Change Healthcare technology systems on February 21. The HHS is working closely with Optum Insight to assess the cyber incident and its impact on patient care.”
You can learn more about HHS’ new Cybersecurity Performance Goals (CPGs).
The incident at Change Healthcare is still being investigated, and little is known about what happened or the extent of the attack. There is no indication yet that a protected health information (PHI) breach occurred. However, a news report from Michigan noted that a Michigan pharmacy could not process prescriptions due to the incident at Change Healthcare.
Becker’s article notes that the Change cyberattack affected all military pharmacies worldwide.
Change Healthcare is a HIPAA Business Associate
As we’ve noted before, a cyber incident at a third-party vendor to healthcare providers has a ripple effect among all the vendor’s customers. Change Healthcare customers include pharmacies, healthcare providers, and third-party administrators nationwide.
Change is responsible for its compliance as a HIPAA business associate. Still, its customers are responsible for conducting due diligence over Change’s compliance and obtaining a business associate agreement.
This story is still unfolding, and we’ll update the report as we learn more.