The Change Healthcare ransomware event is a critical infrastructure attack with bigger ramifications than most health system users have realized.
The U.S. healthcare industry is almost incomprehensibly massive. In 2022, health spending accounted for 17.3% of the nation’s gross domestic product–roughly $4.5 trillion. It’s also massively complex, with a tangled web of players that includes more than 6,000 hospitals, 40,000 pharmacies, 900 insurance providers, countless clinics, and practically every citizen. Over 14 million people in the U.S. work in direct patient care–that’s over 9% of all working adults. Another 560,000 work in the medical insurance industry.
As we know from following cybersecurity news and trends for years, hackers love easy targets and they love big targets. Healthcare makes a whale of a target for anyone reckless and daring enough to try. Unfortunately, the healthcare industry has made itself more appealing and, in some ways, easier to target with its efforts to consolidate critical processes.
One of the most critical processes in U.S. healthcare is revenue cycle management. Because our system is so complex, the business of getting money from the funding sources (patients, insurance providers, government) to the funding recipients (pharmacies, hospitals, clinics, providers, medical device manufacturers, etc) is big business. It’s so big, in fact, that the federal government often steps in to prevent consolidation deals that are interpreted as breaking antitrust laws.
Case in point: UnitedHealth Group’s bid to purchase software and data analytics firm Change Healthcare. When it was first announced, the Justice Department fought the deal, citing concerns over access to competitor data and the risk of pushing up healthcare costs. But the deal closed in October 2022, with UnitedHealth Group promising “a simpler, more intelligent and adaptive health system for patients, payers and care providers.”
As the pipeline connecting providers with insurance companies, Change Healthcare supports tens of thousands of physicians, doctors, dentists, pharmacies, and hospitals and the insurance companies that pay for their services. They process something like 15 billion claims worth over $1.5 trillion each year. That’s about a third of all health spending in the U.S.
The Attack
In late February, Change Healthcare was breached by an attacker and forced to take all of its operations offline to protect connected business units and partner entities. Change Healthcare has had to suspend more than 100 services it provides to the healthcare industry. Initial reports indicated that services would only be offline for three days.
Who Did It?
Change Healthcare initially reported that the attack was perpetrated by a nation state group. The group has now identified itself as ALPHV/Blackcat, a threat actor operating on a ransomware-as-a-service model. This group is known for double and triple extortion tactics and was the first to create public data leak websites on the open internet (not the dark web).
ALPHV/Blackcat affiliated groups are linked to attacks on Reddit (2023), MGM and Caesars casinos (2023) and, reportedly, the Colonial Pipeline (2021).
The FBI, CISA, and HHS recently warned healthcare organizations that ALPHV/BlackCat appeared to be honing its focus on hospitals, likely in retaliation for recent attempts by law enforcement to take over its infrastructure. After the FBI’s brief seizure in December 2023, the group migrated to Tor data leak sites and lifted its self-imposed restrictions on attacking critical infrastructure, including healthcare organizations. Nearly 70 health sector victims have been breached since the FBI takeover, with Change Healthcare only being the latest and most disruptive.
Medical World in Disarray
The American Hospital Association calls the attack on Change Healthcare “the most significant and consequential incident of its kind against the U.S. healthcare system in history.”
Anyone who’s dealt with healthcare billing knows that it can be a nightmare even when it’s working well. With Change Healthcare’s processes offline, around one-third of healthcare billing is also offline. Industry watchers estimate that health care providers are losing millions of dollars a day due to the outage. It can be hard, at first, to have sympathy for the behemoths of the industry. But there are many human stories that hurt to hear.
The Massachusetts Health and Hospital Association says that, on average, it is losing $24 million per day while Change Healthcare remains offline. The system is seeking loans or bridge payments to meet its fiscal responsibilities while it waits for workarounds from Change.
Private practice doctors and therapists are not being reimbursed for services provided. Some have dipped into personal cash reserves to pay their staff wages and clinic rents. Once that cash is gone, they may have to shut down operations or work without pay.
Individual citizens (probably some that you know) have been unable to fill prescriptions because their pharmacy benefits are funneled through Change Healthcare. Or they have filled prescriptions at exorbitant cost because manufacturer and discounter coupons (like GoodRx) are no longer being processed.
While some Change systems are coming back online, it is estimated that it will take the better part of a month for the company to be fully operational again. (Current estimates are that providers can start entering claims again on March 18–nearly one full month after the attack.) Providers across the country have slammed the billing clearinghouse for its lack of honesty about what information was leaked to hackers, and its incredibly slow return to normal operations.
What Will Change Going Forward?
The healthcare sector is highly vulnerable to attacks and breaches due to its reliance on third-party vendors. Change Healthcare may have been particularly vulnerable due to its recent merger–attackers see times of internal upheaval and change as the perfect time to strike. Employees are transitioning to new and unfamiliar software, the chain of command for security processes is not always clear, and data is being migrated to new systems.
Earlier this week, it was announced that multiple class action lawsuits have been filed over the Change Healthcare data breach. The number is expected to grow. One such lawsuit, filed in Minnesota, names United Health Group Incorporated, UnitedHealthcare Inc., Optum Inc., and Change Healthcare Inc. (UHG) as defendants. The suit claims that the breach was preventable and could have been avoided if UHG had not fallen short of industry standards for adequate cybersecurity practices.
The Change Healthcare ransomware attack has also made it evident that cybersecurity standards for the healthcare industry need to be enforced by the federal government. Thus far, the government has relied on voluntary standards to protect the industry.
This story will be playing out for years to come. The lawsuits will slowly work their way through the courts. Blackcat will decide whether or not to release the data it stole. And other attackers will decide if a $22 million ransom is worth the risk. Expect Congressional hearings and proclamations from pundits of all stripes. The Change Healthcare attack is one for the record books, and everyone in cybersecurity should pay attention.
For custom information security and compliance solutions, reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.