The Change Healthcare cyberattack has caused massive disruption to healthcare services in the United States, including huge financial hardship for healthcare providers due to a lengthy outage of Change Healthcare’s systems. That outage has hampered billings and payments for healthcare services and involved the exposure and theft of the personal and protected health information of around 190 million individuals, who are now at risk of fraud and identity theft.
As further information about the Change Healthcare cyberattack and data breach is released, this article will be updated so please check back regularly.
Change Healthcare Data Breach Now Estimated to Affect 190 Million Individuals
January 25, 2025
The biggest healthcare data breach in history was far worse than the previous estimate suggested – almost twice as bad in fact. The Change Healthcare ransomware attack involved the theft of approximately 190 million individuals’ personal and protected health information. The previous estimate provided by Change Healthcare in October 2024 was 100 million healthcare records.
The final total has yet to be confirmed by Change Healthcare as the file review is still not completed, although the end is in sight. Change Healthcare does not anticipate identifying any more affected clients, with the file review now in the final stages. It has taken more than 11 months to get to this point and for the affected individuals to receive notifications about the theft of their data. Change Healthcare has confirmed that the vast majority of individual notifications have now been mailed.
Change Healthcare has offered complimentary credit monitoring and identity theft protection services to the affected individuals, and while its monitoring has uncovered no misuse of the stolen data, that information remains in the hands of cybercriminals as the $22 million ransom paid to the ransomware group did not result in the deletion of the stolen data.
The Blackcat ransomware group pulled an exit scam and kept the ransom payment, leaving the affiliate behind the attack unpaid. Another attempt at extortion was made by the RansomHub ransomware group, although no further payments were made. As such, anyone receiving a notification letter should ensure they sign up for the complimentary services as soon as possible.
Given the severity of the data breach and the far-reaching impact of the Change Healthcare cyberattack on the U.S. healthcare industry, the HHS’ Office for Civil Rights took the unusual step of initiating a HIPAA compliance investigation before the data breach had even been reported. OCR has yet to publish the findings of that investigation. If HIPAA violations are identified, a substantial financial penalty can be expected, although the maximum fine for a HIPAA violation at the highest level of culpability – willful neglect that has not been corrected within 30 days – is currently around $2.13 million per violation category, per calendar year that the violation has persisted.
Change Healthcare Cyberattack Notification Process Approaching Completion
January 15, 2025
This week we learned that the process of notifying individuals affected by the Change Healthcare cyberattack is still ongoing; however, Change Healthcare does not anticipate identifying any further affected customers and said the file review is “substantially complete”. Change Healthcare has notified all affected customers but is still waiting for instruction from certain customers about whether they require Change Healthcare to mail notification letters to the affected individuals on their behalf.
The Breach Notification Rule of the Health Insurance Portability and Accountability Act (HIPAA) requires notifications to be issued to the affected individuals without unreasonable delay and no later than 60 days after the discovery of a data breach. When the breach occurs at a business associate of a HIPAA-regulated entity, the business associate must inform the affected covered entities without unreasonable delay and no later than 60 days after the breach is discovered. Ultimately, it is the responsibility of each covered entity to ensure that individual notification letters are mailed to the affected individuals, although a covered entity may delegate that task to the business associate.
Change Healthcare discovered the cyberattack on February 21, 2024, but has only recently identified all of the affected customers. Eleven months after the ransomware group encrypted files on its network, some of the estimated 100 million affected individuals have still not been notified that their data was stolen in the attack.
In the latest Change Healthcare cyberattack update, it was confirmed that notification letters have been mailed on a rolling basis as the file review has progressed, with the first notification letters mailed on June 20, 2024, four months after the cyberattack was detected. Batches of notification letters were also mailed on August 8, 2024, September 16, 2024, November 21, 2024, and December 4, 2024.
Change Healthcare has confirmed that a third-party firm has been engaged to monitor the dark web for data leaks, and despite the data thieves having been in possession of the stolen data for almost a year, Change Healthcare said it is not aware of any misuse of the stolen data. Two years of complimentary credit monitoring services have been offered to the affected individuals.
Interestingly, TechCrunch has reported that the substitute breach notification page on the Change Healthcare website carries a noindex directive, which tells search engines not to list the page in their results. TechCrunch queried this with UnitedHealth Group but received no response about this apparent attempt to keep the notice out of search results.
Now that the notification process is drawing to an end, Change Healthcare may soon provide a final total of the number of individuals affected by the Change Healthcare cyberattack. The HHS Office for Civil Rights data breach portal still lists the incident as involving the protected health information of 100 million individuals.
Nebraska Files Lawsuit Over Change Healthcare Cyberattack
December 18, 2024
The first lawsuit by a state Attorney General over the February 2024 ransomware attack and data breach has been filed against Change Healthcare. Nebraska Attorney General Mike Hilgers filed the lawsuit on Monday, December 16, 2024, alleging that Change Healthcare, UnitedHealth Group, and Optum violated Nebraska’s Consumer Protection Act, the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, and the Uniform Deceptive Trade Practices Act.
The personal and health information of an estimated 100 million individuals was stolen in the Change Healthcare cyberattack, including the data of at least 575,000 Nebraskans. An affiliate of the BlackCat ransomware-as-a-service (RaaS) operation obtained the credentials of a low-level customer support employee from a Telegram channel used for advertising stolen credentials. The credentials were used to access Change Healthcare’s Citrix portal, a virtual desktop used to manage Change Healthcare’s applications. The account did not have multi-factor authentication enabled.
Although the compromised account had only low-level access, it allowed the hacker to reach a server that hosted Change Healthcare’s medication management application, SelectRX. From there the hacker created new privileged accounts with administrative-level access and was able to compromise Change Healthcare’s critical IT infrastructure. The hacker was in Change Healthcare’s systems for 9 days, during which a huge amount of sensitive data was exfiltrated, and deployed malware, including multiple backdoors in case the initial access was detected and blocked. It was not. The intrusion was only detected when ransomware was used to encrypt files.
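The intrusion chain described above, stolen credentials used on a portal with no MFA and then new privileged accounts created inside the network, is one that Active Directory audit logs can surface while it is still happening. The Python below is an added example written for this article; it is not code from Change Healthcare, UnitedHealth Group, or the lawsuit. The log records are constructed (dated inside the February 12 to 20 window the notification letter describes, but otherwise invented), the set of groups treated as privileged is an assumption, and the Windows Security event IDs it keys on (4720 for account creation, 4728 and 4732 for membership added to a security-enabled group) are the standard Windows audit IDs, not anything the page says Change Healthcare actually logged. It flags every addition to a privileged group and raises the severity to critical when the account being promoted was itself created shortly beforehand.

```python
"""Detect the 'create an account, then make it an admin' pattern in
Windows Security audit events.

Added example for this article. Event IDs are the standard Windows ones
(4720 user account created; 4728/4732 member added to a security-enabled
global/local group). The sample events and group list are constructed
assumptions, not Change Healthcare telemetry."""
from datetime import datetime

# Assumption: groups whose membership changes always merit review.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

# Constructed sample events in a SIEM-normalised shape: timestamp, event id,
# the account performing the action (subject) and the account acted on.
SAMPLE_EVENTS = [
    {"ts": "2024-02-12T03:10:05", "id": 4624, "subject": "svc-support01",
     "target": "svc-support01", "group": None},           # logon, ignored
    {"ts": "2024-02-12T03:41:12", "id": 4720, "subject": "svc-support01",
     "target": "backupadm", "group": None},               # new account
    {"ts": "2024-02-12T03:42:30", "id": 4728, "subject": "svc-support01",
     "target": "backupadm", "group": "Domain Admins"},    # promoted
    {"ts": "2024-02-13T09:00:00", "id": 4720, "subject": "hr-onboard",
     "target": "jdoe", "group": None},
    {"ts": "2024-02-13T09:01:00", "id": 4728, "subject": "hr-onboard",
     "target": "jdoe", "group": "Sales"},                 # not privileged
    {"ts": "2024-02-14T22:15:00", "id": 4732, "subject": "admin.kt",
     "target": "kt-lab", "group": "Administrators"},      # review only
]


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def find_privilege_grants(events, window_seconds=24 * 3600):
    """Return one finding per addition to a privileged group.

    Severity is 'critical' when the promoted account was created within
    `window_seconds` before the promotion (the pattern described in the
    Nebraska complaint) and 'high' otherwise. A 'high' finding is not
    necessarily malicious; it is surfaced so a human can confirm it.
    """
    created = {}    # account name -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        when = parse_ts(ev["ts"])
        if ev["id"] == 4720:
            created[ev["target"]] = (when, ev["subject"])
            continue
        if ev["id"] not in (4728, 4732) or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        finding = {
            "account": ev["target"], "group": ev["group"],
            "granted_by": ev["subject"], "at": ev["ts"], "severity": "high",
        }
        if ev["target"] in created:
            created_at, creator = created[ev["target"]]
            age = (when - created_at).total_seconds()
            if 0 <= age <= window_seconds:
                finding["severity"] = "critical"
                finding["created_by"] = creator
                finding["minutes_after_creation"] = int(age // 60)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in find_privilege_grants(SAMPLE_EVENTS):
        print(finding)
```

Run on the constructed events it produces two findings: the backupadm account created and added to Domain Admins by svc-support01 one minute later (critical), and the kt-lab addition to Administrators (high, for review). Shortening the window demotes the first finding to high, which is the knob to tune for an environment where creation and promotion are legitimately hours apart.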
“This data breach is historic. Not only because it compromised the most sensitive privacy and financial data of Nebraskans, but also because it shut down the payment and claim processing systems that form a significant part of the backbone of the medical payment processing industry,” said AG Hilgers. “Healthcare providers, including critical access hospitals in rural areas, have unfairly been forced to absorb financial pain, forcing major cash flow issues and, in some cases, delayed services. And to make matters worse, Change has woefully disregarded the duty to provide notice to Nebraskans, depriving them of a fighting chance to be prepared for possible scams and fraud. We’re filing this suit to hold Change accountable.”
The lawsuit alleges the attack was exacerbated by the defendants’ poor security practices, such as outdated software, insufficient network segmentation, poor backup practices, and a lack of 2-factor authentication. The security failures meant Change Healthcare failed to detect the intrusion and data theft, and the poor security practices contributed to the lengthy outage of Change Healthcare’s systems. The lawsuit also takes issue with the length of time it took to notify the affected individuals. Notifications were not sent for 5 months, and that process is still ongoing.
According to the lawsuit, the lengthy outage of Change Healthcare’s systems and the data breach have caused considerable harm to providers and patients – harm that could have been prevented if straightforward security measures had been implemented.
The lawsuit seeks civil monetary penalties, restitution, and an order from the court requiring the defendants to implement stronger data security measures. Other state Attorneys General are expected to file similar lawsuits. A spokesperson for UnitedHealth Group said, “We believe this lawsuit is without merit and we intend to defend ourselves vigorously.”
Talks to Commence on Change Healthcare Cyberattack Settlement
December 4, 2024
Following a large healthcare data breach, class action lawsuits are usually filed by individuals seeking compensation for having their sensitive data stolen and to recover out-of-pocket expenses incurred as a result of the data breach. It is now common for several lawsuits to be filed, which are typically consolidated into a single lawsuit since they are based on similar facts and assert similar claims.
The confirmation that the Change Healthcare cyberattack involved the exposure and theft of the protected health information of potentially 1 in 3 Americans triggered a wave of lawsuits. In June 2024, 50 of those lawsuits were consolidated by the U.S. Judicial Panel on Multidistrict Litigation into a single action that is being heard by U.S. District Court Judge Donovan Frank in the District of Minnesota.
Judge Frank held an initial conference with attorneys for the plaintiffs and the defense in September. Following that conference, he issued a text order directing lead counsel for both sides to meet with U.S. Magistrate Judge Dulce J. Foster early in the litigation to discuss a potential settlement, and a meeting was scheduled for December 4, 2024. That meeting had to be postponed because several members of the defense team had fallen ill with COVID or had otherwise been instructed not to fly.
Dates have now been set for those meetings: the plaintiffs’ attorneys will meet with Judge Foster in Minneapolis on December 18, 2024, and attorneys for the defense will meet with Judge Foster on January 30, 2025, to discuss a potential settlement.
As with virtually all class action healthcare data breach lawsuits, a settlement is the likely outcome rather than a jury trial, provided the lawsuit is not dismissed. It is usually in the best interests of the defense to settle to avoid the uncertainty of a jury trial, as an award of damages by a jury could be substantially costlier, and a settlement is often in the best interests of the plaintiffs, as a jury may rule in favor of the defense, which means no damages or compensation and a hefty legal bill.
While settlement talks are due to commence early, that does not necessarily mean a Change Healthcare data breach settlement will be negotiated quickly. Meetings are often arranged early in the litigation process to discuss the possibility of a settlement, and it may be many months before any settlement is agreed, if at all.
Should all parties agree to a settlement, the settlement fund could be considerable. The Change Healthcare cyberattack resulted in the largest ever healthcare data breach in the United States with 100 million individuals affected. There are few examples of settlements for data breaches on this scale. The closest would be the settlement agreed by Anthem Inc. to resolve a consolidated class action lawsuit over its 2015 data breach, which involved the theft of the personal and protected health information of around 78.8 million of its plan members. Anthem Inc. agreed to pay $115 million to settle the litigation.
Clearinghouse Services Restored 9 Months After Change Healthcare Ransomware Attack
November 21, 2024
It has been nine months since an ALPHV/Blackcat ransomware affiliate encrypted files on Change Healthcare’s network and the recovery is still ongoing although Change Healthcare has recently confirmed that its clearinghouse services have been restored and are fully operational.
The ransomware attack caused a prolonged outage that affected providers across the country – the American Hospital Association (AHA) estimated that 94% of U.S. hospitals were affected. While most systems and services were at least partially restored in the first 2 months following the attack, the full restoration has not yet been completed. Change Healthcare has yet to fully restore its Clinical Exchange e-health record information exchange, its Payer Print Communication Multi-Channel Distribution System and the MedRx pharmacy claims management platform.
Following the attack, the outage caused financial difficulties for healthcare providers who experienced problems billing and being paid for their healthcare services. Cash reserves were rapidly drained at many affected providers, putting them at risk of closure. UnitedHealth Group, through its subsidiary Optum, set up a temporary funding assistance program that provided struggling providers with no-cost loans to see them through. Almost $9 billion was paid out in loans and they are now starting to be repaid. Up to October 15, 2024, $3.2 billion in loans had been repaid.
The notification process is ongoing, with some individuals only just being notified that their protected health information was compromised in the incident. Change Healthcare has reported the data breach to the HHS’ Office for Civil Rights as affecting 100 million individuals, updating its previous “placeholder” figure of 500 affected individuals. That 100 million figure may be updated again once the notification process has been completed.
A $22 million ransom was paid to prevent the release of the stolen data; however, the ALPHV ransomware group pulled an exit scam and didn’t pay the affiliate. The ransom payment did not result in the deletion of the stolen data as the affiliate behind the attack retained a copy and passed the data to the RansomHub group, which tried to obtain a further ransom payment. That second attempt at extortion was not successful.
The $22 million ransom payment, while sizeable, represents a tiny fraction of the cost of the attack, which has now surpassed $2 billion. There are also lawsuits pending and the Office for Civil Rights is investigating to determine if there were any HIPAA violations. A sizeable financial penalty could be imposed if noncompliance is discovered.
100 Million Records Compromised in Change Healthcare Cyberattack
October 24, 2024
It is now official. The ransomware attack on Change Healthcare in February 2024 is the largest healthcare data breach ever reported, affecting 100 million individuals. Change Healthcare recently updated the breach notice it sent to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in July 2024, increasing the total from its previous “estimated” figure of 500 individuals.
The previous record was set in 2015 when Anthem Inc. announced that hackers had accessed its internal systems and potentially obtained the protected health information of 78.8 million individuals. With the updated total for the Change Healthcare data breach, almost 166 million individuals have had their personal and health data exposed or stolen in healthcare data breaches in the United States this year, only a few hundred thousand short of last year’s record-breaking total. That record is certain to be broken this year, most likely in the next month.
The number of healthcare records compromised in healthcare data breaches is staggering. Since the start of 2023, the records of more than 332 million individuals have been breached, the majority of which were due to hacking incidents. In 2024, healthcare data breaches of 500 or more records have been reported at a rate of almost 2 per day.
The healthcare industry is clearly struggling to improve cybersecurity and malicious actors are taking advantage. Healthcare IT infrastructure is complex, legacy software and appliances are still in use, there is a sprawling attack surface, and many healthcare organizations operate on thin margins and simply do not have the funds available to invest in cybersecurity.
There are cybersecurity regulations for healthcare organizations – The HIPAA Security Rule – but those regulations were enacted more than 2 decades ago and are woefully out of date. Even the regulator (OCR) doesn’t have enough funding to effectively enforce compliance with those regulations. OCR’s budget has remained flat for years, yet its workload has increased massively. OCR investigates all large data breaches to determine whether the breached entity was compliant with the HIPAA Rules but it is operating on the same budget in real terms as in 2010 when 199 large healthcare data breaches were reported. Last year there were 745 large breaches to investigate.
In January this year, HHS published two sets of cybersecurity performance goals for the healthcare sector. They consist of high-impact measures chosen to give the best security improvement for the effort involved. The set of essential goals includes basic cybersecurity measures such as mitigating known vulnerabilities, email security, multifactor authentication, strong encryption, revoking credentials when workforce members leave, using unique credentials, and providing basic cybersecurity training to the workforce. Even these cybersecurity no-brainers are only voluntary.
That could soon change, as OCR has finished an update to the HIPAA Security Rule which is currently being reviewed by the White House. OCR expects to issue a Notice of Proposed Rulemaking before the end of 2024. The update will include new cybersecurity requirements, and while the nature of those new requirements has not yet been released, they are expected to include the essential cybersecurity measures HHS published in January this year. Due to the rulemaking process that must be followed, it is unlikely that these new requirements will become mandatory until 2026.
Change Healthcare Cyberattack Cost to Rise to $2.46bn
October 18, 2024
The average cost of a healthcare data breach in 2024 is $9.77 million, according to IBM’s 2024 Cost of a Data Breach Report, although mega data breaches – those involving more than 1 million records – cost considerably more. A breach involving 50-60 million records costs an average of $375 million according to the IBM report, but for Change Healthcare the cost is predicted to be far higher than IBM’s average figure. Change Healthcare’s parent company, UnitedHealth Group (UHG), has published its Q3 2024 earnings report and has increased the estimated cost of the attack from the initial estimate of $1.6 billion at the end of Q1 2024 to $2.457 billion by year-end.
The scale of the Change Healthcare data breach has yet to be confirmed. UHG CEO Andrew Witty testified before a Senate Finance Committee earlier this year, and when pressed to provide an estimate of the number of affected individuals, said a substantial proportion of Americans may have been affected. Change Healthcare’s systems touch the data of 1 in 3 Americans so the Change Healthcare data breach could be the largest healthcare data breach of all time, affecting 110 million Americans or more.
The HHS’ Office for Civil Rights requires HIPAA-regulated entities such as Change Healthcare to report data breaches promptly. Since the investigation was ongoing when the breach was reported, Change Healthcare was not in a position to confirm exactly how many individuals had been affected. The breach was reported to OCR as involving the protected health information of 500 individuals.
After receiving the report, OCR updated its information page on the Change Healthcare ransomware attack to explain why that figure may have been provided, confirming that the HIPAA Breach Notification Rule permits an estimate to be provided of the number of affected individuals if the total is not known when the breach report is submitted. That total needs to be updated when the final figure is known. The OCR breach portal still shows the figure of 500 affected individuals 8 months after the attack was first detected.
When Witty testified before the Senate Finance Committee in June 2024, he explained what was known about the attack and UHG’s response to the attack and data breach. While progress had been made at the time in restoring systems and data, the investigation was still in the early stages. Senators’ questions were answered; however, detailed information could not be provided. Witty did confirm that the attackers accessed a server that did not have multifactor authentication enabled, escalated privileges, and gained privileged access to Change Healthcare’s Microsoft Active Directory Server.
Committee chair, Sen Ron Wyden (D-OR), followed up with UHG after the hearing and asked several more questions about the incident and cybersecurity at Change Healthcare leading up to the attack. He has now written to Witty again seeking further information.
In the October 15, 2024 letter to Witty, Sen. Wyden said, “You testified about this incident before the Committee in June, during which you provided vague, unclear information about the incident and the degree to which it was caused by your company’s lax cybersecurity practices.” He explained that follow-up questions were sent, but “your responses did not satisfactorily answer my questions.” In the latest letter, Sen. Wyden seeks specific information about cybersecurity audits at Change Healthcare.
In one of the previous responses, UHG said that external security auditors had been hired to review Change Healthcare’s technology infrastructure before the attack. Sen. Wyden wants to know whether the server initially accessed was within the scope of those audits. He also asked Witty to disclose the specific technique the attackers used to escalate privileges, whether the auditors had identified that technique, and, if so, whether they recommended defenses against it.
Adequate defenses against that privilege escalation technique had clearly not been implemented prior to the attack, but they should now be in place. Sen Wyden wants to know what action has been taken to prevent that technique from being used again and whether those measures have been tested to ensure they are effective. Sen Wyden has given UHG until November 8, 2024, to answer those questions. He also wants to know the names of the companies that conducted the audits and wants copies of the audit reports for the five years before the February 2024 attack, including reports from before UHG acquired Change Healthcare in 2022.
HHS’ Office for Civil Rights Notified About Change Healthcare Cyberattack and Data Breach
August 1, 2024
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been notified about the Change Healthcare cyberattack and data breach. Under the Health Insurance Portability and Accountability Act (HIPAA), the Secretary of the HHS must be notified about a breach of the unsecured protected health information of 500 or more individuals without unreasonable delay and no later than 60 days from the date of discovery of the data breach.
The Change Healthcare cyberattack was detected on February 21, 2024; however, a data breach was not confirmed for several weeks, despite claims from the ransomware group behind the attack that data had been stolen. The Change Healthcare notice of data breach states that data theft was not confirmed until March 7, 2024, and that it was not possible to obtain a copy of the data for analysis until March 13, 2024. Even taking March 7 as the discovery date, the 60-day window closed on May 6, 2024, and the report to OCR was not submitted until July 2024. The data breach notifications are therefore late, and Change Healthcare risks a financial penalty for the HIPAA failure.
The Change Healthcare data breach notification to the HHS should have provided an indication of just how big the Change Healthcare data breach was. Andrew Witty, the CEO of Change Healthcare’s parent company (UnitedHealth Group), had previously stated that the breach could affect a substantial proportion of Americans, and the Change Healthcare website states that its systems touch the data of 1 in 3 Americans. The breach was therefore expected to involve the data of more than 110 million Americans, yet the data breach was reported to the HHS as affecting 500 individuals.
The reason that total was used is because:
- The file review has not yet been completed so the total number of affected individuals is not yet confirmed
- 500 individuals is the trigger point for a data breach to require reporting within 60 days under the HIPAA Breach Notification Rule
- HIPAA requires an estimate of the number of affected individuals to be provided if the final total is not known at the point the breach is reported. An updated total can be provided to OCR when the number of affected individuals is confirmed.
It is unclear how long it will take to find out how big the Change Healthcare data breach is. UnitedHealth Group has previously stated that it could take several months before the file review is completed, although the file review is more than 90% completed.
OCR has published an update to its website explaining the “500 individuals” figure. “Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal,” wrote OCR. “Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach.”
Notifications Mailed to Individuals Affected by Change Healthcare Cyberattack
July 20, 2024
Notification letters have started to be mailed to the individuals affected by the Change Healthcare cyberattack. A copy of the notification letter can be viewed on the link at the bottom of the July 10, 2024, update below.
Individuals receiving the notification letter may be confused since Change Healthcare is a business associate used by healthcare organizations and there is no direct relationship between Change Healthcare and the patients and health plan members affected by the data breach. To help clear up some of that confusion, we have explained why Change Healthcare holds personal and health data, what the data breach means, and what individuals receiving the notification letter should do.
Why Does Change Healthcare Have My Data?
You are unlikely to have any direct dealings with Change Healthcare as it operates behind the scenes. Change Healthcare provides services to many healthcare organizations, including facilitating billing for healthcare services to ensure that healthcare providers are paid for their services. In order to provide those services, Change Healthcare must be provided with patient data, including personally identifiable information, health information, and insurance information.
Are the Change Healthcare Data Breach Notifications Legit?
The Change Healthcare breach involved unauthorized access to the personal and protected health information of many Americans. The number of individuals affected has still not been confirmed, but the Change Healthcare data breach may affect 1 in 3 Americans. Most of the affected healthcare organizations have asked Change Healthcare to send notification letters on their behalf since the data breach occurred at Change Healthcare. Some of the affected healthcare organizations may choose to issue notification letters themselves.
If you receive a notification letter in the mail, your data is likely to have been stolen in the ransomware attack, so the notifications are likely legitimate. You should read the notification letter carefully, as it includes steps that you should take to protect yourself against identity theft, fraud, and other misuse of your personal and health information.
Credit monitoring and identity theft protection services are being offered free of charge and you should ensure you sign up for those services as cybercriminals likely have your data. The intrusion began as early as February 12, 2024, and a ransomware group stole data in the attack. The ransomware group behind the attack shut down its operation after being paid a $22 million ransom. A second ransomware group obtained the data stolen in the attack and claimed it would sell the data to the highest bidder.
Change Healthcare has created a website where you can get further information and has set up a helpline – 1-866-262-5342, (Mon-Fri, 8 a.m. to 8 p.m. CT) – where you can get further information. While the data breach notifications are legitimate, you should exercise caution since scammers may attempt to take advantage of this data breach. Be wary of any notifications that arrive via email or anyone contacting you asking for personal information. Do not disclose personal information via email or over the phone.
Change Healthcare Data Breach Notification Published
July 10, 2024
The Change Healthcare data breach letter has been published and provides further information on the types of data stolen in the Change Healthcare ransomware attack. The notification letters will start being sent to the affected individuals on July 20, 2024; however, the process may take some time as the file review is ongoing. Change Healthcare is still not in a position to provide an update on the number of individuals affected.
The notification letters confirm that an unauthorized third party (an affiliate of the Blackcat ransomware group) accessed its internal systems between February 12 and February 20, 2024, and that the ransomware attack was detected on February 21, 2024. Change Healthcare confirmed on March 7, 2024, that a significant amount of data had been exfiltrated from its network, although it was not possible to obtain a copy of that data for analysis until March 13, 2024. Change Healthcare has confirmed that a significant proportion of Americans have been affected.
The Change Healthcare notice of data breach states the types of information involved vary from individual to individual and may include one or more of the following:
- Health insurance information (such as primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
- Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
- Billing, claims, and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
- Other personal information such as Social Security numbers, driver’s licenses, state ID numbers, or passport numbers.
Credit monitoring and identity theft protection services are being offered free of charge, the individuals affected can call a toll-free number to obtain more information about the data breach – 1-866-262-5342, (Mon-Fri, 8 a.m. to 8 p.m. CT) – and a website has been set up that provides detailed information about the incident.
Since data is known to have been stolen in the attack and the RansomHub ransomware group has claimed it is selling the stolen data, the affected individuals should ensure they sign up for those free services and take steps to protect themselves against identity theft and fraud.
In addition to signing up for the free credit monitoring and identity theft protection services, individuals should monitor their accounts and statements from health insurers for unauthorized activity and report any irregularities to the relevant financial institution and local law enforcement immediately.
You can view the Change Healthcare notice of data breach here.
Affected Providers Notified About Change Healthcare Ransomware Attack and Data Breach
June 22, 2024
Change Healthcare data breach notifications have started to be issued to the healthcare organizations affected by the cyberattack, which means individual notifications should be issued to the affected individuals within 60 days.
In a recent update about the Change Healthcare cyberattack, UnitedHealth Group confirmed that the file review is around 90% completed, although it is not yet possible to determine the exact types of data involved for each of its HIPAA-covered entity clients.
Those clients are now being notified that the types of data involved likely include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information, but not medical charts or medical histories.
An update has also been provided on when Change Healthcare anticipates mailing individual notifications on behalf of the affected covered entities. Those notification letters should start to be mailed by the end of July, although Change Healthcare said it may not have up-to-date contact information. Since the file review is still ongoing, Change Healthcare may identify further individuals who have been affected, in which case those notifications will be mailed after the end of July.
Change Healthcare also reminded the affected covered entities and individuals that complimentary credit monitoring services are available immediately.
HHS Confirms That HIPAA Allows Change Healthcare to Issue Data Breach Notifications
June 4, 2024
There has been considerable confusion about who is responsible for issuing individual notifications about the Change Healthcare cyberattack and data breach. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires notifications to be issued when there is a breach of unsecured healthcare data.
In the event of a breach of unsecured personally identifiable health information – called protected health information (PHI) under HIPAA – notifications must be issued to the Department of Health and Human Services (HHS), the affected individuals, and the media. Those notifications must be issued without unreasonable delay and no later than 60 days from the date of discovery of a data breach. It has been more than 3 months and notifications have still not been issued.
The HHS Office for Civil Rights (OCR), the main enforcer of HIPAA compliance, has previously stated that in the event of a data breach at a business associate of a HIPAA-covered entity, covered entities may delegate the responsibility for issuing notifications to the business associate; however, it is ultimately the responsibility of each affected covered entity to ensure that breach notifications are issued. OCR has not stated that Change Healthcare must send notifications but has now confirmed that it is acceptable for Change Healthcare to issue notifications.
“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR Director Melanie Fontes Rainer. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”
OCR has also confirmed that the 60-day deadline for issuing notification letters does not start until covered entities receive notification from Change Healthcare that their data was involved. Once that notification is received, individual notifications must be issued without unreasonable delay and no later than 60 days from the date that notification is received.
“OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG,” explained Fontes Rainer.
Senator: UnitedHealth Group Executives Should be Accountable for Change Healthcare Cyberattack
June 1, 2024
Following on from the subcommittee hearing, Senator Ron Wyden (D-OR) wrote to the Chairs of the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) demanding UnitedHealth Group executives be held accountable for the Change Healthcare cyberattack and the disruption it has caused.
Compromised credentials were used to gain access to a server that did not have multifactor authentication (MFA) enabled. Sen. Wyden pointed out that for a company the size of UnitedHealth Group, MFA should have been comprehensively implemented, and that it should have been known that skipping MFA was a very bad idea, even if compensating controls were in place.
Sen. Wyden explained that the massive disruption has pushed healthcare providers to the brink. The Change Healthcare cyberattack has caused patients harm by preventing them from getting the care they need. They now face an elevated risk of identity theft and fraud as their data has been stolen, and the theft of data – including the medical information of serving military personnel – has caused serious harm to U.S. national security.
Sen. Wyden suggested that the lack of MFA on an external-facing system and the lack of preparedness for ransomware attacks amounts to corporate negligence. Sen. Wyden has called for the chairs of the FTC and SEC to investigate UnitedHealth Group in that regard.
He also criticized the board for appointing a Chief Information Security Officer (CISO) who lacked the necessary experience for the role. The CISO was appointed in June 2023 after holding other positions at UnitedHealth Group and Change Healthcare yet had not held the position of CISO or any similar cybersecurity position at any other company.
Sen. Wyden likened that decision to appointing a heart surgeon to perform brain surgery, stating, “The head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.” While the CISO might be a convenient scapegoat, Sen. Wyden said the responsibility should fall on the people who appointed a person to the role who clearly did not have the necessary experience.
UnitedHealth Group CEO Explains What Went Wrong in Testimony to House Subcommittee
May 2, 2024
The CEO of UnitedHealth Group, Andrew Witty, testified before a U.S. House Energy and Commerce Committee Subcommittee on Oversight and Investigations on May 1, 2024.
A copy of Witty’s testimony was published online ahead of the subcommittee hearing, in which Witty apologized and said he was “deeply sorry” for the disruption caused. Witty confirmed that the UnitedHealth Group staff has been working 24/7 from the day of the incident and the full resources of UnitedHealth Group have been deployed on its response and restoration efforts. “UnitedHealth Group will not rest – I will not rest – until we fix this,” said Witty.
Witty explained that his company is far from alone. Cyberattacks have been increasing in frequency and significance and ransomware attacks have cost more than $1 billion in ransom payments alone in 2023. Witty explained that his company repels an intrusion every 70 seconds, and last year more than 450,000 intrusions were thwarted. On February 21, 2024, it became clear that one of those attempts had succeeded.
Witty said the company’s response was “swift and forceful.” Since the initial access vector was not initially clear, the decision was taken to sever connectivity with Change Healthcare’s data centers to “eliminate the potential for further infection.” He claims that while that move was incredibly disruptive, it was the right thing to do as it allowed UnitedHealth Group to contain the attack and prevent it from spreading to the UnitedHealthcare, UnitedHealth Group, and Optum networks.
The investigation is ongoing, but Witty was able to share some details about the initial access vector. Witty confirmed that the initial intrusion occurred on February 12, 2024, when compromised credentials were used to remotely access a Change Healthcare Citrix portal – an application used for remote access to desktop computers. Crucially, that application did not have multifactor authentication enabled. The threat actor moved laterally within its systems “in more sophisticated ways,” exfiltrated data, and then 9 days after the initial intrusion, deployed ransomware to encrypt files.
Witty explained that UnitedHealth Group has a policy requiring multifactor authentication to be implemented on all external-facing systems; however, in some cases, when servers were using older technology, multifactor authentication may have been skipped because compensating controls were in place.
Regarding the decision to pay the ransom, Witty said, “I have been guided by the overriding priority to do everything possible to protect peoples’ personal health information,” confirming that, “as chief executive officer, the decision to pay a ransom was mine. This was one of the hardest decisions I’ve ever had to make. And I wouldn’t wish it on anyone.”
As previously reported, Witty confirmed that the exfiltrated files included protected health information (PHI) and personally identifiable information (PII) and stated that the breach could cover “a substantial proportion of people in America.”
As for when those individuals will find out if they have been affected, Witty said “it is likely to take many months of continued analysis before enough information will be available to identify and notify customers and individuals.” In the meantime, Witty said his company is monitoring the dark web and Internet to determine if any stolen data is published.
“Rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services,” said Witty.
Lawmakers Question Witty About UnitedHealth Group’s Cybersecurity Preparedness and Response
At the hearing, lawmakers wanted answers about how UnitedHealth Group, which had around $22 billion in profit in 2023, could fall victim to such a devastating attack, overlook such a basic security measure as multifactor authentication on a system used for remote access, and then not have the redundancies in place to allow its systems to remain operational, or at least only be down for hours or days rather than weeks and months. The attack and the lengthy outage suggest a lack of preparedness and testing of incident response protocols. Sen. Marsha Blackburn (R-TN) pointed out that UnitedHealth Group’s profits are larger than some countries’ GDP, yet UnitedHealth Group still did not have the necessary redundancies in place.
The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires individuals to be notified about a data breach within 60 days of the discovery of a breach yet there is no sign of notifications even being close to being sent in the 10 weeks since the attack was detected. U.S. Senator Maggie Hassan (D-NH) reminded Witty of his obligations to issue notifications and demanded that they be sent immediately.
The size of UnitedHealth Group was frequently mentioned in the hearing. UnitedHealth Group has been gobbling up smaller companies and has become a behemoth. That has created a situation where a single point of failure – the lack of multifactor authentication on an Internet-facing remote access solution – could bring the healthcare industry to its knees. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack,” said Sen. Ron Wyden (D-OR), chair of the Senate Finance Committee.
“Substantial Proportion of People in America” May be Affected by the Change Healthcare Cyberattack
April 24, 2024
The Change Healthcare cyberattack on February 21, 2024, involved the theft of 6TB of data, according to the Blackcat ransomware group. The RansomHub group claimed it obtained 4TB of data when it attempted to extort UnitedHealth Group and Change Healthcare but there has been no confirmation of exactly how much patient data was compromised in the attack. Change Healthcare states on its website that its systems touch the health data of 1 in 3 Americans, so any Change Healthcare data breach has the potential to be huge.
UnitedHealth Group CEO Andrew Witty has stated that a significant proportion of that data may have been stolen in the attack. Witty confirmed for the first time that a ransom was paid to the Blackcat ransomware group to prevent the stolen data from being publicly leaked, but did not say how much was paid to the group. It has been widely reported that $22 million was transferred to the Blackcat group, which performed an exit scam and shut down its operation, claiming that there was no alternative due to a law enforcement operation.
The investigation of the Change Healthcare cyberattack is progressing and UnitedHealth Group has confirmed that the initial results of the investigation indicate personally identifiable information was compromised, including information classed as “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA).
UnitedHealth Group said in a recent update that the exact types of data involved have yet to be confirmed but no evidence has been found to indicate doctor’s charts or full medical histories have been stolen. While the scale of the data breach is not yet known, UnitedHealth Group has confirmed that the breach could affect “a substantial proportion of people in America.”
Individuals waiting to hear if they have been affected could be in for a long wait, as the review of the affected data is not expected to be completed for some time. “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” said UnitedHealth Group in an update about the Change Healthcare data breach. “As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review.”
When healthcare organizations experience data breaches it can take months before individual notifications are mailed. Files must be reviewed to identify the individuals affected, the types of data involved must be confirmed, contact information must be verified, and only then can notification letters be issued. UnitedHealth Group has confirmed that credit monitoring and identity theft protection services are being made available and it is not necessary to wait until a notification letter is received. Further information on signing up for those services can be found on a website that has been set up to provide further information about the cyberattack and data breach.
While it has not been disclosed by UnitedHealth Group, sources close to the investigation told the Wall Street Journal that the Blackcat affiliate behind the attack had access to Change Healthcare’s systems for 9 days before ransomware was deployed and that compromised credentials were allegedly used to access its systems. Multifactor authentication is the control that stops a stolen password from being sufficient on its own, but according to the Wall Street Journal, it was not enabled on the compromised account.
That would be a major oversight for any company, let alone one the size of Change Healthcare that handles such vast amounts of sensitive data.
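The gap described in the Wall Street Journal report here and in Witty's later testimony (an Internet-facing remote-access portal that accepted a password alone because MFA had been skipped on an older server) is one that a detection over gateway authentication logs can surface before an intruder has 9 days of dwell time. The following is an added example, not code from this page or from UnitedHealth Group or Change Healthcare. It assumes a simple CSV log layout (timestamp, user, source IP, authentication result, MFA result, application) that is constructed for the example rather than taken from any real product, and it flags successful logins that completed without a verified second factor, ranks the ones that also come from a source address never seen for that user, and reports how far the environment is from "MFA on every external-facing login".

```python
"""Added example: find single-factor remote-access logins in gateway auth logs.

The CSV layout below is an assumption made for this example; map your own
gateway's fields (Citrix, VPN, RDP broker) onto it before using the logic.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events: user names, addresses and timestamps are made up.
SAMPLE_LOG = """\
timestamp,user,source_ip,auth_result,mfa_result,application
2024-02-12T03:14:07Z,jdoe,203.0.113.45,SUCCESS,PASSED,remote-desktop
2024-02-12T03:20:11Z,svc_legacy,198.51.100.7,SUCCESS,NOT_REQUIRED,remote-desktop
2024-02-12T03:21:55Z,svc_legacy,198.51.100.7,SUCCESS,NOT_REQUIRED,remote-desktop
2024-02-12T04:02:30Z,asmith,192.0.2.88,FAILURE,,remote-desktop
2024-02-13T09:45:02Z,asmith,192.0.2.88,SUCCESS,PASSED,remote-desktop
"""

# Constructed baseline of source addresses each user has legitimately used
# before this log window (in practice: the previous 30 days of successes).
BASELINE_SOURCES: dict[str, set[str]] = {
    "jdoe": {"203.0.113.45"},
    "asmith": {"192.0.2.88"},
}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    source_ip: str
    auth_result: str
    mfa_result: str
    application: str


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the CSV log into events, normalising result fields to upper case."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(
            ts.replace(tzinfo=timezone.utc),
            row["user"],
            row["source_ip"],
            row["auth_result"].upper(),
            (row["mfa_result"] or "NONE").upper(),
            row["application"],
        ))
    return events


def single_factor_logins(events: list[AuthEvent]) -> list[AuthEvent]:
    """Successful logins where no second factor was verified.

    Anything other than an explicit PASSED counts as single-factor: a gateway
    that records NOT_REQUIRED, SKIPPED or an empty field let a password alone
    through, which is all an attacker holding a stolen credential needs.
    """
    return [e for e in events
            if e.auth_result == "SUCCESS" and e.mfa_result != "PASSED"]


def new_source_logins(events: list[AuthEvent],
                      baseline: dict[str, set[str]]) -> list[AuthEvent]:
    """Successful logins from an address not in the user's baseline and not
    seen in an earlier success within this log (events must be in time order)."""
    seen = {user: set(ips) for user, ips in baseline.items()}
    flagged = []
    for e in events:
        if e.auth_result != "SUCCESS":
            continue
        known = seen.setdefault(e.user, set())
        if e.source_ip not in known:
            flagged.append(e)
            known.add(e.source_ip)
    return flagged


def high_priority_logins(events: list[AuthEvent],
                         baseline: dict[str, set[str]]) -> list[AuthEvent]:
    """Single-factor AND new-source: the combination to page on first."""
    new_source = set(new_source_logins(events, baseline))
    return [e for e in single_factor_logins(events) if e in new_source]


def per_user_counts(events: list[AuthEvent]) -> dict[str, int]:
    """How many single-factor logins each user had; surfaces legacy exceptions."""
    counts: dict[str, int] = {}
    for e in single_factor_logins(events):
        counts[e.user] = counts.get(e.user, 0) + 1
    return counts


def mfa_coverage(events: list[AuthEvent]) -> float:
    """Fraction of successful logins that completed MFA; 1.0 means policy is met."""
    successes = [e for e in events if e.auth_result == "SUCCESS"]
    if not successes:
        return 1.0
    return sum(e.mfa_result == "PASSED" for e in successes) / len(successes)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in high_priority_logins(evts, BASELINE_SOURCES):
        print(f"HIGH {e.ts.isoformat()} {e.user} from {e.source_ip} "
              f"-> {e.application}: no MFA ({e.mfa_result}), new source")
    print("single-factor logins per user:", per_user_counts(evts))
    print(f"MFA coverage of successful logins: {mfa_coverage(evts):.0%}")
```

On the constructed sample the service account `svc_legacy` is the only one logging in without a second factor, and its first login is also from an address with no history for that user, so it is the one finding ranked high. The coverage figure is the number a policy like the one Witty described ("MFA on all external-facing systems") can be measured against: anything below 100% is a list of exceptions to justify or close, and a recurring single-factor user is usually an "older technology" carve-out that nobody revisited.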
RansomHub Starts Leaking Data Stolen in Change Healthcare Ransomware Attack
April 15, 2024
It would appear that the RansomHub ransomware group does hold a copy of the data stolen in the Blackcat ransomware attack on Change Healthcare. RansomHub has uploaded samples of the data allegedly stolen in the attack to its dark web data leak site, some of which include patient data. The data appears to include documents related to billing, insurance, and medical records. UnitedHealth Group has yet to confirm whether the leaked data is genuine. On April 12, 2024, a spokesperson for Change Healthcare confirmed to Wired that no evidence has been found indicating this is a separate attack.
It is not unusual for evidence of data theft to be published by ransomware groups on dark web data leak sites to pressure victims into paying. There are 5 days remaining before RansomHub claims it will sell the stolen data, and the posting of samples of data indicates UnitedHealth Group is not prepared to pay. That is perfectly understandable since $22 million has already been paid to the Blackcat group, only for the group to pocket the funds in an apparent exit scam.
“The more we go through the data, the more we are shocked by the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself,” wrote RansomHub. “Five days remain on the clock. The devastating effect can still be mitigated. Insurance providers should be really concerned as this will impact them and their clients beyond measure.”
RansomHub Ransomware Group Claims to Have a Copy of the Stolen Change Healthcare Data
April 8, 2024
Things have gone from bad to worse for Change Healthcare and UnitedHealth Group. While it has not been publicly confirmed that the ransom was paid, evidence has been provided by the affiliate behind the attack that a $22 million ransom was paid to the ALPHV/Blackcat group. Now UnitedHealth Group has received another ransom demand, this time from a different ransomware group – RansomHub.
RansomHub was not involved in the initial attack but claims to have obtained 4 TB of data stolen in the attack and issued a ransom demand, giving UnitedHealth Group 12 days to pay. “Change Healthcare and United Health you have one chance in protecting your clients data,” wrote RansomHub. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.” The group claims the stolen data will be sold to the highest bidder if the ransom is not paid.
RansomHub has been actively recruiting affiliates since the ALPHV/Blackcat group pulled an exit scam. It is possible that RansomHub recruited the affiliate behind the attack and is now attempting to obtain a payment on its behalf. RansomHub is a relatively new ransomware operation and is not thought to be connected to ALPHV/Blackcat, so partnering with it may have been seen as the best option for the affiliate to get paid.
As to whether UnitedHealth Group will pay, that seems unlikely. A $22 million ransom was paid to prevent the release of the stolen data, and that payment appears to have amounted to nothing. UnitedHealth Group is unlikely to pay another ransom when there is no guarantee that the data will be deleted and will not be sold anyway. It is also unclear whether RansomHub actually has a copy of the stolen data.
Change Healthcare Data Breach Lawsuits Mount
April 5, 2024
Multiple class action lawsuits have been filed in response to the Change Healthcare ransomware attack and data breach, including by individuals who claim their sensitive data was stolen, even though that has yet to be confirmed by Change Healthcare/UnitedHealth Group. At least two dozen lawsuits have already been filed and more can be expected over the coming weeks. The lawsuits allege that Change Healthcare failed to implement appropriate cybersecurity measures despite there being a high risk of a cyberattack. Since highly sensitive data was stolen, the plaintiffs allege they face an imminent and elevated risk of identity theft and fraud.
Healthcare providers affected by the continuing outages are also taking legal action to try to recover costs. They claim that the ransomware attack has put their businesses at risk. While providers and patients are taking legal action for different reasons, Change Healthcare maintains that all of the lawsuits make similar claims and are based on the same facts, and is attempting to have the lawsuits consolidated in its home state of Tennessee where the evidence and key witnesses are located.
Change Healthcare said all of the legal actions are based on the incorrect and unfounded theory that because there was a cyberattack and data breach its cybersecurity defenses must have been deficient. Change Healthcare maintains that was not the case.
Data Theft Confirmed by UnitedHealth Group
March 29, 2024
The Blackcat group behind the Change Healthcare ransomware attack has stated that 6TB of data was stolen in the attack and the affiliate claims to have retained a copy of the data after Blackcat pulled an exit scam. UnitedHealth Group has been unable to confirm what data was stolen in the attack as analysis could not start until it was safe to recover the data.
In a recent update, UnitedHealth Group confirmed a restore point has been identified so the data can be recovered; however, it has taken time to complete mounting and decompression procedures. A copy of the exfiltrated data has been obtained and analysis has started. UnitedHealth Group said it is now focused on the data review. While the exact types of data involved have yet to be determined, UnitedHealth Group said personally identifiable information was likely compromised in the Change Healthcare cyberattack, which may include eligibility, claims, and financial information. The dark web is being monitored and the stolen data does not appear to have been disclosed.
The recovery process is progressing, and while key systems have been restored, Change Healthcare is some way off restoring all of its services. Its eligibility processing, clinical data exchange, and retrospective episode-based payment models are due to be restored over the coming 3 weeks.
$10 Million Reward Offered for Information on the Identity and Location of Blackcat Cyber Actors
March 27, 2024
The U.S. Department of State is seeking information on individuals linked to the ALPHV/Blackcat ransomware group, their affiliates, and any proof that the group is linked to any foreign governments. Under the Rewards for Justice program, up to $10 million is being offered as a reward for information that leads to the identification or location of those individuals.
Department of Health and Human Services Issues Guidance for Affected Healthcare Providers
The U.S. Department of Health and Human Services (HHS) in conjunction with the Administration for Strategic Preparedness and Response (ASPR), has published guidance for healthcare providers affected by the Change Healthcare cyberattack that includes useful resources and tools from health plans and payers for providers in need of assistance, including alternative clearinghouses and information on how to obtain advance payments.
UnitedHealth Group Identifies Initial Access Vector
March 15, 2024
Assisted by Mandiant and Palo Alto Networks, UnitedHealth Group has identified the initial access vector used in the Change Healthcare ransomware attack, although that information has not (yet) been disclosed. Now that it is clear how and when the Blackcat group gained access, UnitedHealth Group has identified a safe restore point – a critical step in its recovery. Work can now commence on restoring the systems that are still offline.
UnitedHealth Group has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services, and claims volume is back to around 99% of the pre-incident level. The Rx Connect, Rx Edit, and Rx Assist services will shortly be available.
Ransom Paid Following Change Healthcare Ransomware Attack
March 5, 2024
A $22 million ransom appears to have been paid by UnitedHealth Group to prevent the release of data stolen from Change Healthcare in its February 2024 ransomware attack.
According to the ransomware remediation firm Coveware, the average ransom payment in Q4, 2023 for a ransomware attack was $408,644 and the median ransom payment was $185,972. The ransom supposedly paid by UnitedHealth Group subsidiary Optum to prevent the release of the stolen Change Healthcare data was $22 million, around 54 times the average ransom payment and around 118 times the median.
Paying a ransom is always a risk as there is no guarantee that encrypted data will be recoverable. It is common for encrypted files to be corrupted and the supplied decryptors do not always work. According to the 2023 Ransomware Trends Report from Veeam, 1 in 4 companies that paid a ransom failed to get their data back. Even if some data can be recovered, it is relatively rare for there not to be at least some data loss.
Ransoms are not only paid to obtain the decryption keys. Many companies are able to recover their data from backups but still pay the ransom to prevent the threat actors from leaking or selling the stolen data. Ransomware groups typically refrain from publishing the stolen data and take down their data leak site listing when payment is made but there is no guarantee that all copies of the data will be deleted.
Ransomware groups may provide proof that data has been deleted, such as videos of data deletion, but that may not be the only copy of the data that is held. Victims are given no alternative but to trust the cybercriminals that have breached their systems that they will be true to their word and will delete all copies of the stolen data. Ransomware groups are financially motivated, and the stolen data is valuable. Retaining a copy of the stolen data to sell at a later date would provide the operators with additional income.
The law enforcement operation against the LockBit ransomware group – Operation Cronos – headed by the UK’s National Crime Agency (NCA) resulted in access being gained to LockBit’s primary administration environment, including its public-facing leak site on the dark web and its source code. A considerable amount of intelligence was gathered from those systems. The NCA reports that some of the data on LockBit’s systems belonged to victims who paid the ransom, confirming that data is not always deleted.
ALPHV/Blackcat Ransomware Group Shuts Down in Apparent Exit Scam
In this case, UnitedHealth Group’s $22 million gamble appears not to have worked. The Blackcat affiliate allegedly behind the attack, Notchy, claims to have been cheated out of their share of the ransom payment and still holds a copy of the stolen data.
“After receiving the payment ALPHV team decide to suspend our account and keep lying and delaying when we contacted ALPHV admin,” wrote the affiliate Notchy. “Sadly for Change Healthcare, their data still with us.” If the affiliate’s claim is true, and there is no reason to suggest it isn’t, then it appears that the $22 million payment has achieved very little.
On March 5, 2024, a member of the Blackcat group issued a statement confirming the group would be shutting down, had already arranged the sale of its source code, and claimed that there was no alternative. “We can officially state that we got screwed by the feds.”
The ALPHV/Blackcat data leak site now displays a seizure notice indicating it has been lost to law enforcement; however, several researchers suggested that is unlikely to be the case, and that the posted seizure notice appears to have been copied and pasted from the notice posted by the FBI when Blackcat’s infrastructure was seized in a December 2023 operation.
The $22 million payment appears to have been pocketed in an apparent exit scam. Fabian Wosar, Emsisoft’s head of ransomware research, suggests that is exactly what the group is doing, and any affiliates who have not yet been paid will see their share of the ransom payments pocketed.
Having not been paid for conducting the attack, the affiliate is likely to attempt to recoup the lost income. What that will entail remains to be seen. There could be a further extortion attempt or the stolen data may be sold.
Change Healthcare Confirms Ransomware Attack by the ALPHV/Blackcat Ransomware Group
February 29, 2024
Change Healthcare has confirmed that the cyberattack initially suspected as being the work of a nation-state actor was a ransomware attack by a financially motivated threat actor, ALPHV/Blackcat. According to the latest entry on UnitedHealth Group’s update page, “Our experts are working to address the matter, and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”
On February 28, 2024, cybersecurity analyst Brett Callow shared a post by the ALPHV/Blackcat group which claimed responsibility for the attack. The ransomware group alleged UnitedHealth Group had released misleading statements about the nature of the attack.
The group confirmed that the attack centered on Change Healthcare’s production and corporate environments, which are used by all clients that rely on Change Healthcare’s technology solutions, of which there are thousands, including healthcare providers, insurers, and pharmacies. The group claimed that it identified and exfiltrated 6 TB of data in the attack, including highly sensitive patient data.
ALPHV/Blackcat claimed it stole data from huge names in healthcare including Medicare, Tricare, CVS-CareMark, Loomis, Davis Vision, Health Net, MetLife, Teachers Health Trust, and tens of insurance companies. The group claims to have exfiltrated the sensitive records of millions of individuals including active US military/navy personnel. The group said it has stolen medical records, dental records, payment information, claims information, patients’ personally identifiable information including contact information and Social Security numbers, insurance records, and more than 3000 source code files for Change Healthcare’s solutions.
“Anyone with some decent critical thinking will understand what damage can be done with such intimate data on the affected clients of UnitedHealth/UnitedHealth solutions as well, beyond simple scamming/spamming,” wrote the group. “After 8 days and Change Health have still not restored its operations and chose to play a very risky game hence our announcement today”.
There had been some speculation that the group exploited a vulnerability in ConnectWise to gain access to Change Healthcare’s systems but the group claimed that was not its initial access vector.
Who are ALPHV/Blackcat?
ALPHV/Blackcat is a ransomware group that operates under the ransomware-as-a-service (RaaS) model. The group provides the encryptor and infrastructure to allow ransomware attacks to be conducted and recruits affiliates to conduct the attacks. The RaaS operators retain a percentage of any ransom payments, with the majority of each payment going to the affiliate.
ALPHV/Blackcat engages in double extortion. Before encrypting files, sensitive data is exfiltrated from the victim’s systems and a ransom demand is issued. The ransom must be paid to obtain the keys to decrypt data and prevent the publication or sale of the stolen data. The group maintains a dark web data leak site and leaks stolen data if the ransom is not paid. It is currently unclear how much the group is demanding from Change Healthcare but given the apparent extent of data theft and the massive impact the attack is having, the ransom demand is likely several million dollars.
ALPHV/Blackcat was first identified in November 2021 and rapidly became one of the most prolific RaaS groups, with only the LockBit RaaS group conducting more attacks over the past 18 months. According to the U.S. Department of Justice, the group has conducted more than 1,000 ransomware attacks, including several attacks on critical infrastructure providers in the United States. The attacks have resulted in hundreds of millions of dollars of losses.
ALPHV/Blackcat was the subject of a law enforcement operation in December 2023 that disrupted the group’s infrastructure. The FBI was able to develop a decryption tool to allow past victims to recover their data for free. That disruption was short-lived, and the group was soon able to recover. In response to the operation, the group removed restrictions for its affiliates, allowing them to attack all targets apart from those located in the Commonwealth of Independent States. Affiliates were encouraged to target healthcare organizations. The group had previously claimed that it had rules for affiliates preventing them from attacking medical institutions, ambulances, and hospitals.
Impact of the Change Healthcare Ransomware Attack
The Change Healthcare ransomware attack is having a nationwide impact and is causing massive disruption to healthcare operations. The outage of Change Healthcare’s systems, which are relied upon by thousands of healthcare providers and health insurers, is causing substantial billing and cash flow problems. Healthcare providers are unable to bill payers for their services, claims are not being paid, prior authorization submissions are being rejected, and it has not been possible to perform eligibility checks.
While workarounds are being implemented, the workload for the affected healthcare providers is considerable. Many providers are already struggling with staff shortages and have limited cash reserves, which will rapidly be eaten up should the outage continue. There have been reports that patients have been unable to receive essential medications unless they have the funds to pay for them in full out of their own pockets.
Change Healthcare Cyberattack Under Investigation
February 23, 2024
Change Healthcare is currently grappling with a cyberattack. Change Healthcare’s parent company, UnitedHealth Group, confirmed in a February 21, 2024, filing with the U.S. Securities and Exchange Commission (SEC) that, “A suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology systems.”
According to the filing, efforts are underway to restore systems and return to normal operations as soon as possible; however, no timescale has been provided on when that process will be completed. Change Healthcare is working with external cybersecurity experts to assess the nature and scope of the incident and secure its systems. UnitedHealth Group said it believes the attack has only affected Change Healthcare’s systems. All other systems across UnitedHealth Group and Optum are fully operational, and proactive steps have been taken to isolate the impacted systems from other connecting systems to contain the incident. UnitedHealth Group warned that the attack has caused disruption, and that certain networks and transactional services are temporarily not accessible.
On February 22, 2024, the American Hospital Association (AHA) advised all healthcare organizations that have been disrupted or are potentially exposed to the incident to disconnect from Optum until it has been confirmed that it is safe to reconnect and to implement downtime procedures and contingency plans. Optum is a subsidiary of UnitedHealth Group that provides technology, data, pharmacy care, and direct healthcare.
Who is Change Healthcare?
Change Healthcare is a Nashville, Tennessee-based software, data analytics, and revenue and payment cycle management company owned by UnitedHealth Group. One of the biggest roles of the company is to connect payers, providers, and patients in the U.S. healthcare system. According to the Change Healthcare website, the company processes more than 15 billion healthcare transactions a year and its systems touch the health data of 1 in 3 Americans.
Has There Been a Change Healthcare Data Breach?
Change Healthcare is currently investigating the security incident and at this early stage of the investigation, it is not possible to tell to what extent, if any, patient data has been compromised. Change Healthcare has not confirmed if this was a ransomware attack or if data has been exfiltrated from its systems. If a Change Healthcare data breach has occurred, it has the potential to be massive as the personal and health information of 1 in 3 Americans touches Change Healthcare systems. If all of that data has been stolen, the Change Healthcare data breach could affect more than 110 million Americans.
Image credits: ©NetSec.news / Change Healthcare / Gorodenkoff, AdobeStock