Change Healthcare Hack: Everything You Need To Know
Change Healthcare experienced a ransomware attack with unprecedented fallout. What happened, and what have we learned?
![[LOGO] Corvus Insurance](https://www.corvusinsurance.com/hubfs/Corvus_Logo_Horizontal(R)%20(4).svg "[LOGO] Corvus Insurance"){kind=logo}
On February 21st, an unnatural disaster hit healthcare providers across the nation. The fallout: hospitals that couldn’t file claims, healthcare practices unable to pay their staff, and individuals paying out of pocket for prescriptions.
Change Healthcare (CHC), a healthcare technology and business management vendor, was down as a result of a ransomware attack. UnitedHealth Group, which acquired Change Healthcare in 2022, announced they discovered that threat actors gained access to CHC’s environment and quickly disconnected impacted systems to stop the spread.
But CHC handles one in every three patient records in the United States. With it offline, healthcare providers were left scrambling.
What we know (so far) about the Change Healthcare hack:
Medical claims processing, pharmacy operations, and practice management slowed or stopped for thousands of hospitals, medical groups, and pharmacies.
The event prompted an investigation by the Department of Health and Human Services (HHS), which the HHS Office for Civil Rights cited as “unprecedented magnitude.” Later, a cohort of leaders from HHS, the White House, and health insurance companies discussed how to respond and recover.
To mitigate the fallout of the attack, Change Healthcare initiated a temporary funding program, and the Centers for Medicare and Medicaid Services (CMS) introduced flexibilities to provide relief for providers.
Change Healthcare's response timeline:
-
February 21: Change Healthcare discovers incident; UnitedHealth Group files 8-K with SEC
-
February 26: American Hospital Association writes a public letter to HHS warning of widespread impact
-
February 28: ALPHV/BlackCat claims responsibility for the attack
-
March 7: Change Healthcare restores 99% of their pharmacy network services
-
March 15: CHC's electronic payments platform is restored
-
March 18: Assurance, their medical claims preparation software, is back online
-
Now: Phased reconnection and testing continues in an effort to bring claims processing back to complete functionality
The culprit behind the attack
The attack was perpetrated by the notorious ransomware gang ALPHV/BlackCat, who the FBI has cited as the second most prolific ransomware-as-a-service variant in the world. In December, the FBI disrupted the gang’s efforts by seizing several websites operated by the group and offering a decryption tool to their victims.
Unfortunately, that didn’t seem to deter them or their affiliate from targeting one of the largest medical claims payment processors in the United States. ALPHV/BlackCat allegedly stole four terabytes of data — and an affiliate hacker claims they accessed data from numerous other healthcare firms partnered with CHC as well.
While Change Healthcare has not confirmed that it paid a ransom, security researchers spotted a publicly visible $22 million transaction on Bitcoin’s blockchain to an address connected to ALPHV/BlackCat.
📹 Experts discuss the fallout of the Change Healthcare hack: Watch our webinar
What this means for healthcare
he Office of Civil Rights issued a “Dear Colleague” letter stating that their investigation's primary focus is on United HealthGroup and whether a breach of private health information occurred. Impacted healthcare providers are a secondary concern for their investigation, but they included the following reminder:
“We are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs.”
While waiting to hear updates from CHC regarding the scope of impacted data, downstream healthcare providers should do the following:
-
Review vendor contracts associated with Change Healthcare and understand what services they are on the hook for (and if any have evolved, considering the many acquisitions and mergers) and know their rights as customers.
-
Understand what information they have shared with Change Healthcare historically.
-
Follow updates from Change Healthcare closely as findings unfold and participate in calls with CHC’s Chief Information Security Officer to show due diligence.
Time for systemic overhaul
In December 2023, HHS released a concept paper outlining the Department’s cybersecurity strategy for the industry; this builds on the National Cybersecurity Strategy outlined by President Biden and introduces new healthcare-specific cybersecurity goals to increase accountability within the sector.
This incident serves as a real-life (worst-case scenario) reminder: The healthcare ecosystem is deeply interconnected. To prevent future catastrophic events, the entire industry needs to address an overreliance on a handful of vendors and meet the government’s cybersecurity standards. But sweeping systemic changes won’t happen overnight.
So, yes, operations are slowly returning to normal. But will “normal” be enough for the healthcare industry in the future?
Data privacy concerns
It’s too early to understand the full scope of losses related to the attack. UnitedHealth has not revealed much on the topic of exposed patient data, but they have just begun the massive undertaking of parsing through what information may have been accessed by threat actors.
There’s also no guarantee that ALPHV/BlackCat deleted any of the exfiltrated data, even if UnitedHealth paid the ransom. And to make matters worse, the affiliate behind the attack claims they still have a copy (and were never paid by ALPHV/BlackCat).
In short, we have no idea what or how much data ALPHV/BlackCat accessed, which means millions of patients’ sensitive health information could be compromised. Plus, the sheer scale of the breach requires a thoughtful approach to notification. Think of how many healthcare providers the average patient sees a year (dentist, pharmacist, primary care) and the confusion (or panic!) if they get a separate notification from each.
UHG stated that, “where permitted,” it will handle the notification process for customers whose data was impacted. Depending on the services healthcare providers receive from CHC, CHC may act as a clearinghouse (in and of itself a HIPAA-covered entity) or a business associate of the healthcare entities. The terms of companies’ master agreements and business associate agreements with CHC entities will determine whether UHG will handle the notification process on behalf of the entities.
Key takeaways for organizations:
Third-party risk management
In a letter to Congress, The American Hospital Association called the Change Healthcare Hack “the most significant cyberattack on the U.S. healthcare system in American history.”
While the scale is unprecedented (most vendors aren’t involved in a third of the business transactions in their industry), it provides an example of the impact third parties have on business resilience. Or rather, how quickly any organization can suffer if a critical vendor is offline.
Third-party risk management helps organizations assess and identify risks associated with third-party vendors so there’s a plan in place before a critical partner is breached. Read more about securing vendors here.
Businesses continuity and disaster recovery plans
The actions an organization takes in the first 48 hours of a business disruption dictate the speed and effectiveness of resuming business operations. To make effective and quick mobilization possible, they need a business continuity and disaster recovery (BCDR) strategy.
This doesn’t just address their own systems, but also their dependency on vendors. By organizing a BCDR, it may force conversations between business partners and IT to address critical vendors, if any, and contingency plans if they were to go offline. Learn more here.
Revisit vendor contracts and business associate agreements (BAA)
Try to avoid letting vendor contracts or BAAs go untouched for too long (especially with the frequency of mergers and acquisitions). As part of an organization’s third-party risk management, they should regularly make sure contracts are up-to-date, negotiate favorable terms (if possible), and note any provisions related to a cyber attack.
