How Change Healthcare’s Cyberattack Has Crippled Services Across US for More Than a Week

In a post, hacker group BlackCat said it managed to extract 6 TB of data, including information like medical records, insurance records and payment information.

On February 21st, an unexpected cyberattack on Change Healthcare, a unit of the biggest insurer in the US, UnitedHealthcare disrupted services across hospitals and pharmacies.

More than a week later, healthcare providers in America are still struggling with the fallout of the cyberattack. It has not only threatened the security of patient data but also caused delay in pharmacy prescription and paychecks to healthcare workers.

The outages of services and systems are also leading to disruption in clinical authorization for patients and delay in discharge of patients.

While the American Hospital Association (AHA) has been coordinating with the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, the services have not been fully restored leading to chaos.

Initially believed to be an attack by “a suspected nation-state associated cybersecurity threat actor”, UnitedHealthcare on Thursday confirmed that ransomware group Blackcat is behind the attack.

DHN explains how the cyberattack has virtually crippled healthcare systems in the US:

From Where it Started: Cyberattack on Change Healthcare

Healthtech company Change, which is part of Optum and owned by UnitedHealth Group, first discovered the cyber assault on its unit last Wednesday.

As per the federal filing by the company, it identified that a “suspected nation-state associated cyber security threat actor” had gained access to some of the Change Healthcare information technology systems.

It said, “Immediately upon detection of this outside threat, the Company proactively isolated the impacted systems from other connecting systems in the interest of protecting our partners and patients, to contain, assess and remediate the incident.”

While the company hasn’t provided the details of duration or extent of disruption of services, it said that it is diligently working with a group of cyber security experts and federal agencies to restore services and resume normal operations as soon as possible.

The company helps healthcare systems in managing payment and revenue cycles, clinical and imaging services as well as patient and member engagement.

As per Change Healthcare, it processes around 14 billion transactions per year representing 1 in 3 US patient data such as medical and clinical records.

What Services Remain Affected?

Multiple reports have suggested that several hospitals and healthcare providers across US- clients of Change Healthcare services have faced disruption of services following the cyberattack.

The cyberattack has primarily affected following areas:

· Prior authorizations for pharmaceuticals, procedures and surgeries

· Insurance verification for inpatient stays

· Precise cost estimates for patients

· Patient billing

According to a NYT report, drug prescription services in thousands of pharmacies have been disrupted for a week.

Associated Press quoting American Health Association said that hospitals are having issues with processing claims, billing patients and checking insurance coverage for care. It said the attack also could affect the ability to pay workers and buy medicine and supplies.

Nebraska Hospital Association President Jeremy Nordquist said that the disruption of services due to cyberattack may lead to Nebraskans experiencing longer wait times regarding authorizations for procedures, as well as delays in resolution of claims.

While the hospitals are trying to figure out a workaround in light of the outage, small and mid-sized healthcare providers have taken a major hit on their revenues.

These systems majorly depend on reimbursement from insurers for their revenues.

According to reports, many hospitals/pharmacies are writing down prescriptions, which means increased burden on healthcare workers who are already among the worst affected globally due to administrative burnout.

Bad Actors Behind the Attack

Notorious ransomware group BlackCat also known as ALPHV is behind the security breach at Change Healthcare, UnitedHealthcare confirmed on Thursday.

On Wednesday BlackCat took responsibility for the attack, announcing it on the dark web. The post has since been deleted, according to CNBC.

In a post, the group said it managed to extract 6 TB of data, including information like medical records, insurance records and payment information.

The group also claimed to have stolen data from Medicare, Tricare, and CVS Health in the same message but didn’t give any timeline.

BlackCat in the past has taken responsibility for several security hacks including MGM casino breach in Las Vegas and a hack on Reddit's systems resulting in millions of dollars in financial losses.

The modus operandi of cyberattack groups generally includes holding data hostage and seeking extravagant amounts in ransom from victims.

UnitedHealthcare so far hasn’t confirmed whether it has received a request or paid any ransom amount.

US Healthcare System Reeling under Cyberattacks

In the past few years, US healthcare systems are increasingly becoming vulnerable to security breaches.

In 2020-2022, 26% of US healthcare firms experienced 6 to 10 ransomware attacks. About 106 million individuals were impacted by cyberattacks involving healthcare organizations in 2023, more than double the number in 2022.

In January 2024, Chicago-based Lurie Children's Hospital was impacted by a significant cyberattack, leading to disruptions in its operations.

The cyber incident at Lurie Children's Hospital began on January 31, 2024, and caused phone, email, and electronic systems to remain offline for nearly three weeks.

Federal agencies including Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) in an advisory said, "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized."

Coping with the Challenge

In response to the latest cyberattack and subsequent disruption of services, hospitals are focusing on providing patient support.

According to AHA, it is in close contact at the highest levels with UnitedHealth Group about efforts to minimize any further disruption to patient care and hospital operations resulting from this attack.

Earlier this week AHA also sent a letter requesting the Department of Health and Human Services to continue to help hospitals and health systems minimize the fallout from the cyberattack.

“Among other actions, we asked the department to consider proposals to: offer guidance to providers about how they may request Medicare advanced and accelerated payments; provide flexibility with respect to e-prescribing regulations; and provide an extension to the timely filing requirements under federally regulated health plans,” Rick Pollack, president and CEO, AHA said.