EXPLAINER: What to Know About the Change Healthcare Cyberattack | Health News
Written by Black Hot Fire Network on March 4, 2024
The ramifications of a cyberattack on a critical health care technology company are still being felt across the U.S. nearly two weeks later.
“Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants such as Mandiant and Palo Alto Networks on this attack against Change Healthcare’s systems,” Change Healthcare said. “We are actively working to understand the impact to members, patients and customers.”
The attack has prompted high-level calls for action from the likes of Senate Majority Leader Chuck Schumer of New York and leading medical organizations. The American Medical Association called on the Department of Health and Human Services to “use all its available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need.”
“This massive breach and its wide-ranging repercussions have hit physician practices across the country, risking patients’ access to their doctors and straining viability of medical practices themselves,” the AMA’s president, Dr. Jesse Ehrenfeld, said in a statement. “This is an immense crisis demanding immediate attention.”
Similarly, the American Hospital Association told HHS that hospitals and health systems may require “immediate federal support” amid the fallout, noting the vast reach of Change Healthcare’s systems and warning that a prolonged disruption “will negatively impact many hospitals’ ability to offer the full set of health care services to their communities.”
AHA President and CEO Rick Pollack called the cyberattack “the most serious incident of its kind leveled against a U.S. health care organization.”
What Is Change Healthcare?
Change Healthcare, which is owned by UnitedHealth Group, manages health care technology pipelines connected to tasks such as processing insurance claims and billing, reportedly handling 15 billion transactions annually.
As noted by The Washington Post, the Justice Department in a 2022 lawsuit cited United as stating that 50% of U.S. medical claims go through Change’s “electronic data interchange clearinghouse.”
What Happened?
“On Feb. 21, 2024, we discovered a threat actor gained access to one of our Change Healthcare environments,” Change Healthcare said. “Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
The company has not provided a specific timeline for when services will be back online.
“Our systems remain offline because of our diligence, not because of compromise,” it said. “They will remain offline until we are certain we can turn them back on safely.”
What’s the Impact of the Health Care Hack?
Many physician practices have not been able to submit claims since Feb. 21, according to the AMA, and “a considerable proportion of revenue cycle processes have ground to a halt.” The group in a letter to HHS identified top concerns among practices since the incident, including the interruption of administrative and billing processes, practices having to take on “enormous” administrative burdens and significant data privacy fears.
The outage is costing some health care providers over $100 million a day, according to an estimate from First Health Advisory, a digital health risk assurance firm. Schumer, in a letter to the federal Centers for Medicare & Medicaid Services, said Change Healthcare had suspended more than 100 services and that hospitals and other providers were facing adverse impacts on their financial solvency.
“Hospitals are struggling to process claims, bill patients, and receive electronic payments, leaving them financially vulnerable,” Schumer said. “Many hospitals are approaching a financial cliff where they will no longer be able to rely on their cash on hand.”
Schumer asked CMS to make accelerated and advanced payments available for affected providers, akin to what was offered during the COVID-19 pandemic. Meanwhile, a temporary funding assistance program for providers has been set up through Optum, which is also owned by UnitedHealth Group. But Pollack, the AHA president, sharply criticized the plan, saying it falls shy of “even a band-aid.”
Who Is Responsible for the Hack?
Change Healthcare said the group identified itself as ALPHV/BlackCat.
According to a report from Wired, the group of hackers recently received a $22 million transaction that looks like it could be a large ransom payment related to the attack. A spokesperson affiliated with Change Healthcare declined to answer whether a ransom has been paid, according to Wired.
In December, the Justice Department announced it had targeted ALPHV in a disruption campaign.
“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa Monaco said in a statement. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online.”