It’s been more than two weeks since Change Healthcare discovered it was hit by a cyberattack. The aftermath remains messy — patients across the country continue to struggle to obtain their prescriptions, as many of the systems that providers and pharmacies use for billing and claims are still down as a result of the cyberattack. The federal government has even stepped in to help address the fallout of the attack, urging payers to quickly alleviate the digital bottlenecks that providers and pharmacies are facing.
What is Change Healthcare? Change Healthcare is a software company that processes patient payments for healthcare organizations. It is owned by Optum, a subsidiary of insurance giant UnitedHealth Group. On its website, Change Healthcare says that it manages 15 billion transactions per year and is the country’s largest commercial prescription processor.
When did the cyberattack occur? Change Healthcare discovered that an unauthorized party had gained access to some of its IT systems on February 21, according to a public filing UnitedHealth made with the Securities and Exchange Commission. The company immediately isolated the impacted systems from other connecting systems once it had learned of the incident, the filing stated.
Who waged the cyberattack? Last week, Change Healthcare confirmed that the ransomware group BlackCat was responsible for the cyberattack. BlackCat — which is also sometimes known as AlphV — is a Russian-speaking group of cybercriminals that has been known to target the U.S. healthcare sector. The group is characterized by its “triple extortion” approach, which means it combines ransomware attacks with threats to leak stolen data and disable websites. To increase pressure on its victims to pay the ransom in the past, BlackCat has begun posting searchable data from its hacks onto the open web, as opposed to the dark web.
BlackCat made a post on the dark web last week claiming responsibility for the attack, but it has since been deleted. In the now-deleted post, the group stated that it extracted six terabytes of data from the attack, including payment information, medical records and insurance data. On March 1, a bitcoin address connected to BlackCat received a $22 million payment that some security firms say was likely made by UnitedHealth Group, according to a Wired news report. UnitedHealth Group declined to comment on whether it made that payment.
How is Change Healthcare responding? Optum has established a temporary funding assistance program “to help with short-term cash flow needs,” according to a notice posted on the company’s website March 1. “We understand the urgency of resuming payment operations and continuing the flow of payments through the healthcare ecosystem. While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare, may need more immediate access to funding,” the notice read.
Optum’s notice also emphasized that the program is for providers whose payment distribution has been impacted — not for providers who have faced claims submission disruptions as a result of the cyber incident.
How are providers reacting? On Monday, the American Hospital Association sent letters to Congress and the head of UnitedHealth Group, urging them to take immediate action to better support providers that are battling ongoing disruptions. The AHA wrote that Optum’s temporary funding assistance program “will not come close to meeting the needs” of providers affected by the attack. “Unfortunately, UnitedHealth Group’s efforts to date have not been able to meaningfully mitigate the impact to our field. Workarounds to address prior authorization, as well as claims processing and payment are not universally available and, when they are, can be expensive, time consuming and inefficient to implement,” the AHA stated. “For example, manually typing claims into unique payer portals or sending by fax machine requires additional hours and labor costs, and switching revenue cycle vendors requires hospitals and health systems to pay new vendor fees and can take months to implement properly.”
The AHA also urged Congress to step in and provide assistance to hospitals, writing that “the incident demands a whole of government response.”
What is the government doing? On Tuesday, HHS released a statement saying it would help speed up payments to providers that were affected by the cyberattack. HHS told providers they can submit accelerated payment requests to their servicing Medicare administrative contractors (MACs) for individual consideration. The department stated that specific information from these MACs will be available sometime this week. Additionally, HHS asked Medicare Advantage organizations and Part D sponsors to remove or relax prior authorization requirements during the system outages, as well as offer advance funding to providers that are most affected by the attack. The department also urged Medicaid and CHIP programs to do the same.
The AHA did not find this response to be sufficient — saying that the HHS’ flexibilities won’t do enough to address “the most significant and consequential incident of its kind” in the U.S. healthcare system’s history. “The magnitude of this moment deserves the same level of urgency and leadership our government has deployed to any national event of this scale before it. The measures announced today do not do that and are not an adequate whole of government response,” the AHA wrote on Tuesday.
What are cybersecurity experts saying? Change Healthcare’s system outages are costing providers more than $100 million per day, according to an estimate from cybersecurity firm First Health Advisory. Darren Guccione, CEO of cybersecurity company Keeper Security, thinks that cybercriminals’ efforts to target the healthcare sector are unlikely to slow down anytime soon, he said in an emailed statement. He also noted that the Change Healthcare incident has ignited a discussion about whether the government’s swift intervention is necessary when it comes to a cyberattack of this scale. “With payment systems disrupted and warnings of dangerously low cash reserves, the situation is critical. Federal agencies can play a pivotal role in responding to ransomware attacks by offering support to the affected entities in a number of ways — both in the short term and long term,” he wrote.
Another cybersecurity expert — Chad Graham, cyber incident response manager at Critical Start — stated that while the allure of immediate government intervention to assist providers is understandable, it’s imperative to consider the benefits against broader implications. If swift federal intervention becomes normalized, this could reduce the incentive for providers to invest in robust cybersecurity measures, as they might anticipate government assistance during crises, he pointed out. “There’s the risk of setting a challenging precedent. If the government intervenes now, it could pave the way for similar expectations in future cyber incidents across various sectors, potentially leading to an unsustainable situation where the government is seen as a universal backstop against cyber threats, overwhelming its resources and capacity,” Graham wrote.
Photo: kentoh, Getty Images