2024 Change Healthcare ransomware attack

Date: February 21, 2024 – present (2 months, 1 week and 5 days)
Type: Cyberattack
Suspects: BlackCat

On February 21, 2024, the American company Change Healthcare, a division of UnitedHealth Group, was affected by a ransomware attack. [1] The cyberattack shut down the largest healthcare payment system in the United States. [2]

Attack

On February 22, 2024, UnitedHealth Group filed a notice to the Securities and Exchange Commission stating that a "suspected nation-state associated cybersecurity threat actor" gained access to Change Healthcare's information technology system. Following UnitedHealth Group's initial filing, CVS Health, Walgreens, Publix, GoodRX, and BlueCross BlueShield of Montana reported disruptions in insurance claims. [3] The cyberattack affected family-owned pharmacies and military pharmacies, including Naval Hospital Camp Pendleton. [4] Healthcare company athenahealth was affected, according to Forbes. [5]

On February 29, 2024, UnitedHealth Group confirmed that the ransomware attack was "perpetrated by a cybercrime threat actor who...represented itself to [the company] as ALPHV/Blackcat." In the same update, the company stated that it was "working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks" to address the matter. [6]

On March 4, 2024, Reuters reported that a bitcoin payment equivalent to nearly $22 million USD was made to a cryptocurrency wallet "associated with ALPHV." UnitedHealth has not commented on the payment, instead stating that the organization was "focused on the investigation and the recovery." On the same day, a Wired reporter stated that the transaction looked "very much like a large ransom payment." On April 30, 2024, UHG's CEO Andrew Witty confirmed in a statement that the company paid the ransom.

Response

On March 1, 2024, UnitedHealth Group's Optum division launched a Temporary Funding Assistance Program to help bridge the gap in short-term cash flow needs for providers who received payments from payers that were processed by Change Healthcare. [7] [8] The American Hospital Association (AHA) stated that the program was "not even a band-aid" on the payment problems identified by the company, citing its "onerous" terms and conditions including Optum's ability to recoup funds "immediately and without prior notification," and to "change the agreement simply by providing notice." [9]

On March 5, 2024, the U.S. Department of Health and Human Services announced flexibilities for hospitals impacted by the attack. [10] The American Hospital Association (AHA) was critical of these measures, stating that the proposed flexibilities were "not an adequate whole of government response." [11]

On March 12, 2024, UnitedHealth CEO Andrew Witty was summoned to a meeting by the Biden administration, during which HHS Secretary Xavier Becerra and White House domestic policy chief Neera Tanden urged Witty and other members of UHG leadership to increase the amount of funding available to providers who have been impacted by the protracted outage. Healthcare providers from across the sector were also in attendance and voiced their concerns about the ongoing financial and operational impacts of the Change cyberattack. [12] [13]

References

  1. "Health-care hack spreads pain across hospitals and doctors nationwide".
  2. "Cyberattack Paralyzes the Largest U.S. Health Care Payment System". March 5, 2024.
  3. Satter, Raphael; Roy, Sriparna (February 22, 2024). "Pharmacies across US disrupted following hack at Change Healthcare network". Reuters. Retrieved March 5, 2024.
  4. Czachor, Emily (February 22, 2024). "Cybersecurity breach at UnitedHealth subsidiary causes Rx delays for some pharmacies". CBS News. Retrieved March 5, 2024.
  5. Lyons, Jessica (February 22, 2024). "Cyberattack downs pharmacies across America". The Register. Retrieved March 5, 2024.
  6. "Optum Solutions Status". status.changehealthcare.com. Retrieved 2024-03-08.
  7. "UnitedHealth Group Update on Change Healthcare Cyberattack". www.unitedhealthgroup.com. Retrieved 2024-03-08.
  8. "Temporary Funding Assistance". www.optum.com. Retrieved 2024-03-08.
  9. "AHA Expresses Concerns with UHG Program in Response to Cyberattack on Change Healthcare | AHA". www.aha.org. 2024-03-06. Retrieved 2024-03-08.
  10. Assistant Secretary for Public Affairs (ASPA) (2024-03-05). "HHS Statement Regarding the Cyberattack on Change Healthcare". www.hhs.gov. Retrieved 2024-03-08.
  11. "HHS Announces Some Flexibilities for Hospitals Following Cyberattack on Change Healthcare | AHA". www.aha.org. 2024-03-06. Retrieved 2024-03-08.
  12. Diamond, Dan (2024-03-12). "White House summons UnitedHealth CEO as payment paralysis enters 3rd week". Washington Post. ISSN 0190-8286. Retrieved 2024-03-12.
  13. Lyngaas, Sean (2024-03-12). "Biden officials press health care giant to get emergency funding flowing to providers following cyberattack | CNN Business". CNN. Retrieved 2024-03-12.