2024 Change Healthcare ransomware attack

Last updated
2024 Change Healthcare ransomware attack
DateFebruary 21, 2024 – present
(5 months and 4 weeks)
Type Cyberattack
Suspects BlackCat

On February 21, 2024, the American company Change Healthcare, a division of UnitedHealth Group, was affected by a ransomware attack. [1] The cyberattack shut down the largest healthcare payment system in the United States. [2]

Contents

Attack

On February 22, 2024, UnitedHealth Group filed a notice to the Securities and Exchange Commission stating that a "suspected nation-state associated cybersecurity threat actor" gained access to Change Healthcare's information technology system. Following UnitedHealth Group's initial filing, CVS Health, Walgreens, Publix, GoodRX, and BlueCross BlueShield of Montana reported disruptions in insurance claims. [3] The cyberattack affected family-owned pharmacies and military pharmacies, including Naval Hospital Camp Pendleton. [4] Healthcare company Athenahealth was affected, according to Forbes . [5]

On February 29, 2024, UnitedHealth Group confirmed that the ransomware attack was "perpetrated by a cybercrime threat actor who...represented itself to [the company] as ALPHV/Blackcat." In the same update, the company stated that it was "working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks" to address the matter. [6]

On March 4, 2024, Reuters reported that a bitcoin payment equivalent to nearly $22 million USD was made to a cryptocurrency wallet "associated with ALPHV." UnitedHealth has not commented on the payment, instead stating that the organization was "focused on the investigation and the recovery." On the same day, a Wired reporter stated that the transaction looked "very much like a large ransom payment." . On April 30, 2024, UHG's CEO Andrew Witty confirmed in a statement that they paid the ransom.

Response

On March 1, 2024, UnitedHealth Group's Optum division launched a Temporary Funding Assistance Program to help bridge the gap in short-term cash flow needs for providers who received payments from payers that were processed by Change Healthcare. [7] [8] The American Hospital Association (AHA) stated that the program was "not even a band-aid" on the payment problems identified by the company, citing its "onerous" terms and conditions including Optum's ability to recoup funds "immediately and without prior notification," and to "change the agreement simply by providing notice." [9]

On March 5, 2024, the U.S. Department of Health and Human Services announced flexibilities for hospitals impacted by the attack. [10] The American Hospital Association (AHA) was critical of these measures, stating that the proposed flexibilities were "not an adequate whole of government response." [11]

On March 12, 2024, UnitedHealth CEO Andrew Witty was summoned to a meeting by the Biden administration, during which HHS Secretary Xavier Becerra and White House domestic policy chief Neera Tanden urged Witty and other members of UHG leadership to increase the amount of funding available to providers who have been impacted by the protracted outage. Healthcare providers from across the sector were also in attendance and voiced their concerns about the ongoing financial and operational impacts of the Change cyberattack. [12] [13]

Related Research Articles

<span class="mw-page-title-main">Health Insurance Portability and Accountability Act</span> United States federal law concerning health information

The Health Insurance Portability and Accountability Act of 1996 is a United States Act of Congress enacted by the 104th United States Congress and signed into law by President Bill Clinton on August 21, 1996. It aimed to alter the transfer of healthcare information, stipulated the guidelines by which personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and addressed some limitations on healthcare insurance coverage. It generally prohibits healthcare providers and businesses called covered entities from disclosing protected information to anyone other than a patient and the patient's authorized representatives without their consent. The bill does not restrict patients from receiving information about themselves. Furthermore, it does not prohibit patients from voluntarily sharing their health information however they choose, nor does it require confidentiality where a patient discloses medical information to family members, friends or other individuals not employees of a covered entity.

UnitedHealth Group Incorporated is an American multinational health insurance and services company based in Minnetonka, Minnesota. Selling insurance products under UnitedHealthcare, and health care services and care delivery aided by technology and data under Optum, it is the world's eleventh-largest company by revenue and the largest health care company by revenue.

In the healthcare industry, pay for performance (P4P), also known as "value-based purchasing", is a payment model that offers financial incentives to physicians, hospitals, medical groups, and other healthcare providers for meeting certain performance measures. Clinical outcomes, such as longer survival, are difficult to measure, so pay for performance systems usually evaluate process quality and efficiency, such as measuring blood pressure, lowering blood pressure, or counseling patients to stop smoking. This model also penalizes health care providers for poor outcomes, medical errors, or increased costs. Integrated delivery systems where insurers and providers share in the cost are intended to help align incentives for value-based care.

A blended threat is a software exploit that involves a combination of attacks against different vulnerabilities. Blended threats can be any software that exploits techniques to attack and propagate threats, for example worms, trojan horses, and computer viruses.

In the United States, a pharmacy benefit manager (PBM) is a third-party administrator of prescription drug programs for commercial health plans, self-insured employer plans, Medicare Part D plans, the Federal Employees Health Benefits Program, and state government employee plans. PBMs operate inside of integrated healthcare systems, as part of retail pharmacies, and as part of insurance companies.

<span class="mw-page-title-main">American Hospital Association</span> Trade organization

The American Hospital Association (AHA) is a health care industry trade group. It includes nearly 5,000 hospitals and health care providers.

Catamaran Corporation is the former name of a company that now operates within UnitedHealth Group's OptumRX division. It sells pharmacy benefit management and medical record keeping services to businesses in the United States and to a broad client portfolio, including health plans and employers. Working independently of the government and insurance companies allowed it to operate as a third party verifier; the RxCLAIM online claim processing system allowed for prescription drug claims to be processed online if the customer lived in and filled his/her prescription in the United States. SXC had three separate but interrelated business segments which dealt with prescription drug programs. For 2013, 23% of company revenue came from Cigna Corporation.

An accountable care organization (ACO) is a healthcare organization that ties provider reimbursements to quality metrics and reductions in the cost of care. ACOs in the United States are formed from a group of coordinated health-care practitioners. They use alternative payment models, normally, capitation. The organization is accountable to patients and third-party payers for the quality, appropriateness and efficiency of the health care provided. According to the Centers for Medicare and Medicaid Services, an ACO is "an organization of health care practitioners that agrees to be accountable for the quality, cost, and overall care of Medicare beneficiaries who are enrolled in the traditional fee-for-service program who are assigned to it".

Change Healthcare Inc. is a provider of revenue and payment cycle management that connects payers, providers, and patients within the U.S. healthcare system. The name also refers to a company founded in 2007 which subsequently became part of the current conglomerate. The company operates the largest financial and administrative information exchange in the United States.

<span class="mw-page-title-main">Unison Healthcare Group</span>

Unison Healthcare Group, started out as "Unison" (友信行), is a Taiwanese medical device distributor founded in 1955, headquartered in Taipei. The corporation provides equipment and systems ranging from radiology, cardiology, orthopedic, telemedicine, medical imaging to medical robots. It is also a turnkey project and total solution provider for hospitals, offering overseas technical support in over 45 countries, such as Mainland China, Mongolia, Vietnam and Thailand.

EMIS Health, formerly known as Egton Medical Information Systems, supplies electronic patient record systems and software used in primary care, acute care and community pharmacy in the United Kingdom. The company is based in Leeds. It claims that more than half of GP practices across the UK use EMIS Health software and holds number one or two market positions in its main markets. In June 2022 the company was acquired by Bordeaux UK Holdings II Limited, an affiliate of UnitedHealth's Optum business for a 49% premium on EMIS's closing share price.

GoodRx Holdings, Inc. is an American healthcare company that operates a telemedicine platform and free-to-use website and mobile app that track prescription drug prices in the United States and provide drug coupons for discounts on medications. GoodRx checks drug prices at more than seventy-five thousand pharmacies in the United States. The platform allows individuals to consult with a doctor online and obtain a prescription for certain types of medications at a cost of US$20, regardless of insurance status. Medical testing services, which vary in price, are also offered through the platform.

Optum, Inc. is an American healthcare company that provides technology services, pharmacy care services and various direct healthcare services.

Ascension is a large private healthcare system in the United States. Ascension had 142,000 employees, 142 hospitals, and 40 senior living facilities operating in 19 states and the District of Columbia as of the end of 2021. Ascension is the largest nonprofit and largest Catholic health system in the United States. It also operates a conglomerate of for-profit firms, including subsidiaries involved in private equity, venture capital, insurance, medical software, and pharmacy delivery. From 2014 to 2017 it co-owned a facility in the Cayman Islands.

Patrick H. Conway is an American physician and an advocate of health system transformation and innovation in the public and private sector. He is a practicing pediatrician formerly serving at the Cincinnati Children's Hospital and Children's National Medical Center. He was the chief medical officer and acting administrator at the Centers for Medicare and Medicaid Services (CMS) leading quality-of-care efforts for the nation. Conway also served as the Director of the Center for Medicare and Medicaid Innovation, and was responsible for new national payment models for Medicare and Medicaid focused on better quality and lower costs.

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.

DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. It is thought that they have been able to hack and extort money from around 90 companies in the USA alone. The group provides ransomware as a service.

<span class="mw-page-title-main">Health Service Executive ransomware attack</span> 2021 cyber attack on the Health Service Executive in Ireland

On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.

In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.

Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

References

  1. Gilbert, Daniel; Diamond, Dan; Rowland, Christopher; Bellware, Kim (2024-05-02). "Health-care hack spreads pain across hospitals and doctors nationwide". The Washington Post. ISSN   0190-8286. Archived from the original on 1 May 2024. Retrieved 2024-06-13.
  2. Abelson, Reed; Creswell, Julie (2024-03-05). "Cyberattack Paralyzes the Largest U.S. Health Care Payment System" . The New York Times. ISSN   0362-4331. Archived from the original on 15 March 2024. Retrieved 2024-06-13.
  3. Satter, Raphael; Roy, Sriparna (February 22, 2024). "Pharmacies across US disrupted following hack at Change Healthcare network". Reuters . Retrieved March 5, 2024.
  4. Czachor, Emily (February 22, 2024). "Cybersecurity breach at UnitedHealth subsidiary causes Rx delays for some pharmacies". CBS News . Retrieved March 5, 2024.
  5. Lyons, Jessica (February 22, 2024). "Cyberattack downs pharmacies across America". The Register . Retrieved March 5, 2024.
  6. "Optum Solutions Status". status.changehealthcare.com. Retrieved 2024-03-08.
  7. "UnitedHealth Group Update on Change Healthcare Cyberattack". www.unitedhealthgroup.com. Retrieved 2024-03-08.
  8. "Temporary Funding Assistance". www.optum.com. Retrieved 2024-03-08.
  9. "AHA Expresses Concerns with UHG Program in Response to Cyberattack on Change Healthcare | AHA". www.aha.org. 2024-03-06. Retrieved 2024-03-08.
  10. Affairs (ASPA), Assistant Secretary for Public (2024-03-05). "HHS Statement Regarding the Cyberattack on Change Healthcare". www.hhs.gov. Retrieved 2024-03-08.
  11. "HHS Announces Some Flexibilities for Hospitals Following Cyberattack on Change Healthcare | AHA". www.aha.org. 2024-03-06. Retrieved 2024-03-08.
  12. Diamond, Dan (2024-03-12). "White House summons UnitedHealth CEO as payment paralysis enters 3rd week". Washington Post. ISSN   0190-8286 . Retrieved 2024-03-12.
  13. Lyngaas, Sean (2024-03-12). "Biden officials press health care giant to get emergency funding flowing to providers following cyberattack | CNN Business". CNN. Retrieved 2024-03-12.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.