– UPDATE 3/8/2024 – This article has been updated to reflect new information about the Change Healthcare cyberattack.
UnitedHealth Group has provided a timeline for restoring its systems and services after weeks of downtime. The company said it expects electronic payment functionality to be available for connection by March 15. Electronic prescribing and claim submission and payment transmission will be available today. UHC said it also expects to begin testing and reestablishing connectivity to its claim network on March 18.
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO of UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
UHC encouraged providers to use the established workarounds, such as the iEDI claim submission system, as the company works to restore full functionality. Additionally, UHC urged payers to provide funding solutions to providers amid these disruptions.
In response, the American Medical Association (AMA) stressed that the March 18 timeline will leave practices in a state of uncertainty for more than 26 days, emphasizing the need for financial assistance.
“The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is reestablished,” the group stated. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are reestablished with the Change Healthcare network.”
Meanwhile, providers and patients across the country are still feeling the financial impact of this incident. A care home in Pennsylvania closed abruptly on March 1 after employees walked out due to not getting paid, the Pittsburgh Post-Gazette first reported.
“As a result of this breach and platform shutdown, cash flow to providers across the country has been impacted, creating a devastating domino effect in the healthcare system nationwide,” Jefferson Hills Healthcare and Rehabilitation Center stated in a March 3 letter announcing the closure.
The care home said that the incident has had a “dramatic impact” on its cash flow and its ability to provide quality care to residents. In addition, the Pennsylvania Department of Health put the facility in “immediate jeopardy” following a missed payroll cycle that was a direct result of the cash flow challenges posed by the Change Healthcare cyberattack, the care home said.
Other factors contributed to the closure, including an admission ban due to deficiencies identified under previous ownership. With all these factors combined, it became infeasible to maintain staffing levels. All patients were transferred to other facilities, and it is unclear whether the facility will reopen.
As providers continue to grapple with these disruptions, the threat actors responsible for the attack are dealing with its aftermath as well. According to a report from WIRED, ALPHV/BlackCat threat actors received a payment of $22 million, suggesting that UHC paid the ransom. UHC has neither confirmed nor denied the claim. However, a BlackCat affiliate who allegedly provided BlackCat with access to Change Healthcare’s network has since claimed that they were cheated out of their share of the ransom, causing disputes within the group, KrebsOnSecurity reported. Since this claim was made, BlackCat appears to have ceased all operations.
—
2/29/2024 – Change Healthcare has confirmed that BlackCat/ALPHV was behind the cyberattack.
“Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat,” the company’s latest notice to customers stated. “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”
Change stated that it has “multiple workarounds to ensure people have access to the medications and the care they need” and affirmed that Optum, UnitedHealthcare and UnitedHealth Group systems do not appear to be impacted.
“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” the notice continued.
BlackCat claims that it exfiltrated 6 TB of data that “relates to all Change Health clients that have sensitive data being processed by the company.”
The group claims to have exfiltrated data pertaining to Medicare, TriCare, CVS, MetLife, and more. The group also denied that it used the ConnectWise ScreenConnect vulnerabilities for initial access.
—
2/26/2024 – Pharmacies across the country are still feeling the impacts of the Change Healthcare cyberattack on the sixth day of downtime. UnitedHealth Group’s latest update did not provide a timeline for restoring its systems.
“We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” UnitedHealth Group stated. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect.”
Major pharmacy chains such as CVS and Walgreens have experienced disruptions due to the attack. Tricare, which serves US service members and their families, said that the incident had impacted “all military pharmacies worldwide.”
The American Pharmacists Association (APhA) released a statement on February 23 urging patients to check in with their pharmacies if they are in need of medications urgently. APhA said that due to the cyberattack, “many pharmacies throughout America could not transmit insurance claims for their patients.”
“This situation may take several days to resolve, so in the meantime, we would ask the public to please keep in mind the incredible extra stress this situation places on pharmacies and pharmacy personnel,” said Michael D. Hogue, PharmD, FAPhA, FNAP, FFIP, executive vice president and CEO of APhA.
Two people familiar with the matter told Reuters on Monday that hackers working for the BlackCat ransomware gang were behind the attack. However, BlackCat, the FBI, and CISA have not confirmed these allegations. The Department of Justice (DOJ) disrupted BlackCat actors in December 2023 and released decryption keys to victims, but some of the group’s known affiliates remained active after the takedown.
Other reports have indicated that the cyberattack is tied to two vulnerabilities recently discovered in ConnectWise’s ScreenConnect app. ConnectWise has not confirmed this but said that “Change Healthcare appears not to be a ConnectWise direct customer, and our managed service provider partners have yet to come forward, stating Change Healthcare is a customer of theirs.”
Health-ISAC released a document containing indicators of compromise (IOCs) and recommendations for healthcare organizations. It said that, according to reports from cyber firm RedSense, Change Healthcare had in fact fallen victim to ScreenConnect exploits, but that the incident details cannot yet be confirmed as the investigation is ongoing.
“Regardless of what happened at Change Healthcare, RedSense anticipates more organizations will be compromised as the ScreenConnect exploit is apparently fairly trivial to execute,” Health-ISAC noted. “We would expect to see additional victims in the coming days.”
Health-ISAC recommended that organizations remain disconnected from Change Healthcare until the environment is deemed safe and update ScreenConnect immediately.
—
2/23/2024 – Via a Securities and Exchange Commission (SEC) Form 8-K filing, UnitedHealth Group confirmed that a “suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”
The filing stated that UnitedHealth Group’s efforts to restore systems and return to normal operations are underway, but it cannot estimate how long that will take. The incident is only impacting Change Healthcare systems, and the rest of the company’s operations appear to be unaffected.
The American Hospital Association (AHA) has been in contact with HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) regarding this cyberattack, it stated in a cybersecurity advisory.
“Due to the sector wide presence and the concentration of mission critical services provided by Optum, the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided by Optum across the health care sector,” AHA noted.
“Based upon the statements from Change Healthcare that they became aware of an ‘outside threat’ and disconnected ‘in the interest of protecting our partners and patients,’ we recommend that all health care organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum.”
AHA also recommended that healthcare organizations using Optum’s services prepare contingency plans in the event that these services remain unavailable for an extended period of time.
—
2/22/2024 – Change Healthcare is experiencing a network interruption due to a cyberattack, the company stated in a notice on its website. Change Healthcare is part of health tech company Optum, which is owned by healthcare giant UnitedHealth Group as of 2022. Through its platform, Change processes patient payments for healthcare organizations across the country.
“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” Change noted in its latest update. “The disruption is expected to last at least through the day.”
Change posted its initial notice on February 21, when it began experiencing disruptions to some applications. A few hours later, the company reported “enterprise-wide connectivity issues.”
By Wednesday night Eastern Time, Change began calling the incident a “cybersecurity issue” and assured patients that it was working with experts to address the matter.
Pigeon, Michigan-based Scheurer Family Pharmacy reported impacts from the outage that resulted in it being unable to process prescriptions temporarily, the Huron Daily Tribune reported.
“Due to a nationwide outage from the largest prescription processor in North America, we are currently unable to process prescriptions at any of our four locations of Scheurer Family Pharmacy,” Scheurer Health told patients in a Facebook post. “We are being told that this is temporary but have not been given a time for restored services.”
The pharmacy clarified to concerned patients that it was still able to accept prescriptions, but could not process them through the patients’ insurance. A later update stated that its systems were “back up and running.”
“Now with reports surfacing that Change Healthcare has experienced an outage due to a likely ransomware attack, and pharmacies across the country are experiencing delays in processing prescriptions, we’re reminded of the challenges healthcare providers face daily to ensure business continuity and patient care,” said Micky Bresman, CEO of security company Semperis.
“While it is too early to tell if the suspected ransomware attack on Change will affect the lives of patients in need of medications, they do reportedly process 15 billion transactions annually. This attack comes after numerous recent ransomware attacks on hospitals such as Lurie Children’s Hospital in Chicago and medical supply operator Henry Schein.”
This is a developing story. It will be updated as more information becomes available.