A ransomware attack on Change Healthcare has halted medical payments and prescriptions across the US – as evidence mounts that the company has now paid a $22 million ransom and lawsuits against the firm described patients as “stuck in prescription purgatory” without vital medicines.
American Medical Association (AMA) President Jesse Ehrenfeld, MD on March 4 described the cyber-incident, first reported on February 21, as “an immense crisis demanding immediate attention” – with federal authorities emphasising the "urgency of strengthening cybersecurity resiliency across the ecosystem" in a new March 10 letter to healthcare leaders.
Digital health risk assurance firm First Health Advisory suggests that the incident, which has crippled Change Healthcare's IT systems, is costing health care providers over $100 million daily in unmade payments and putting patients at sustained risk. (Change Healthcare was bought for $8 billion by insurer UnitedHealth Group division in 2022. It processes 41 million healthcare transactions daily for one in three US medical patients.)
Change Healthcare ransomware attack: Feds urge action
Late Sunday Federal authorities stepped up pressure on the company as the crisis mounted. In a letter addressed to "Health Care Leaders", the US Department of Health and Human Services called for the company to “communicate more frequently and more transparently, both within the health care community and with state Medicaid agencies” and listed a set of responsibilities that it hoped UnitedHealth along with other insurance companies and payers should take up.
The company last posted publicly on March 7, saying: “We are working aggressively on the restoration of our systems and services. Assuming we continue at our current rate of progress, we expect our key system functionality to be restored and available on the following timelines:
- "Pharmacy services: Electronic prescribing is now fully functional with claim submission and payment transmission also available as of today…
- "Payments platform: Electronic payment functionality will be available for connection beginning March 15…
- "Medical claims: We expect to begin testing and reestablish connectivity to our claims network and software on March 18, restoring service through that week…
The US Health Department urged UnitedHealth "to ensure no provider is compromised by their cash flow challenges stemming from this cyberattack on Change Healthcare," and "ensure expedited delivery of funds" to impacted providers. It also asks insurance providers, especially Medicaid plans to consider making interim payments to impacted providers as pressure for a resolution mounts.
Impact of Attack
Change Healthcare disclosed that its systems had been hacked on February 21, with BlackCat/ALPHV claiming responsibility for the compromise. The initial threat vector remains unclear.
The American Healthcare Association (AHA) says that the company is involved in one in every three patient records in the company. The system blackout has led not just to payroll and provider payment disruption, but also issues to patient services such as clinical decision support, eligibility verifications and pharmacy operations. In a letter to the US Congress, dated 26th February, the AHA wrote “Hospitals, health systems and other providers are experiencing extraordinary reductions in cash flow, threatening their ability to make payroll and to acquire the medical supplies needed to provide care. The urgency of this matter grows by the day."
See also: Capita hits the fan as ransomware, local government crises flush revenues - but a tech overhaul looms
"Hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services," the letter added.
The letter also derided UnitedHealth's lax response, claiming that "while Change Healthcare’s systems remain disconnected, it and its parent entities benefit financially, including by accruing interest on potentially billions of dollars that belong to health care providers."
On March 5th, Reuters reported that UnitedHealth had allegedly paid $22 million in ransom to recover its data. The report remains unconfirmed as it is sourced from a hacker forum, and included a link showing that 350 bitcoins had been paid into a wallet associated with BlackCat.
The allegation was neither confirmed nor denied by UnitedHealth, which maintained to the newswire that they were only "focused on the investigation and the recovery."
The incident is the latest reminder of how devastating ransomware can be to the healthcare sector. In the UK a managed services provider to the NHS, Advanced in 2022 revealed a ransomware attack on August 5 that took out seven different widely used healthcare applications it owns and hosts with significant downstream impact. Ireland's Health Services Executive (HSE) meanwhil on May 14, 2021, suffered a major ransomware attack that caused all its IT systems nationwide to be
shut down. PWC's post-mortem for the HSE deserves to be widely read.
