UnitedHealth Group (UHG) has confirmed that the cybersecurity firms Mandiant and Palo Alto Networks are assisting with the forensic investigation and that the investigation into the February 21, 2024, ransomware attack on Change Healthcare is well underway. UHG has also confirmed that the forensic investigation has uncovered the source of the intrusion. After identifying the initial attack vector, UHG identified a safe restore point and can now work on restoring the systems that are currently non-operational and can start recovering data.
At this stage, UHG has not publicly disclosed the initial attack vector. There was speculation in the days immediately after the attack that two recently disclosed vulnerabilities in ConnectWise ScreenConnect were exploited in the attack. Those vulnerabilities were discovered on February 15, and notifications about the flaws were issued on February 19, just a couple of days before the LockBit ransomware attack on Change Healthcare was detected. UHG said it will be sharing further information on its investigation and recovery in the coming days, but it is unclear whether that will include the attack vector. Typically, victims of cyberattacks do not publicly disclose exactly how their systems were breached.
UHG has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services and it has begun enabling its Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity. On March 13, 2024, UHG said all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.
March 11, 2024: UnitedHealth Group Expands Financial Assistance Program and Provides Timeline for Recovery
On March 8, 2024, more than 2 weeks after the Change Healthcare ransomware attack, UnitedHealth Group provided a timeline on when it expects to have restored its systems and services. UnitedHealth Group said its electronic prescribing service is now fully functional and has been since Thursday; however, electronic payments are not expected to be available until March 15, 2024. Testing of the claims network and software will commence on March 18, and services are expected to be restored throughout that week.
UnitedHealth Group has also confirmed that its financial assistance program, provided through Optum, has been expanded to include providers that have exhausted all available connection options as well as those that work with payers who will not advance finances during the outage. The financial assistance program will see advance payments made each week based on providers’ historic payment levels and those following the cyberattack. UnitedHealth Group was criticized for the onerous terms of its financial assistance program which was made available a week after the attack, but confirmed that the funds will not need to be repaid until claims flows have completely resumed. When that happens, providers will be sent an invoice and will be given 30 days to repay the funds.
Prior authorizations are being suspended for most outpatient services for Medicare Advantage plans, utilization reviews for inpatient admissions are being put on hold until March 31, 2024, and drug formulary exception review is suspended for Medicare Part D pharmacy benefits. Pharmacies affected by the outage have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filled during the outage “with the good faith understanding that a medication would be covered.”
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO, UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
The additional measures have been welcomed but the American Medical Association (AMA) has warned that physician practices are still likely to face significant challenges. “The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is re-established,” said the AMA. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are re-established with the Change Healthcare network.”
March 5, 2024: UnitedHealth Group Offers Temporary Funding Assistance in Response to Change Healthcare Ransomware Attack
UnitedHealth Group, the parent company of Change Healthcare, has set up a temporary financial assistance program for customers affected by the Change Healthcare ransomware attack. The program will help providers who have been unable to receive payments due to the outage at Change Healthcare. Under the financial assistance program, providers that receive payments processed by Change Healthcare will be able to apply for temporary funding through Optum Financial Services. If applications are made for temporary funding, they will be paid based on prior claims volume and will be interest-free and fee-free.
“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” explained UnitedHealth. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”
The financial assistance program is only available for providers who have been affected by the disruption to payment distribution. Financial assistance is not being offered to providers that have faced claims submission disruption, therefore, only a small number of providers will qualify for assistance. The terms of the financial assistance program are also worrying. Any funds provided will need to be paid back when normal operations resume and repayments will need to be made within 5 days of receiving notice. The terms of the financial assistance include allowing Optum Financial Services to take back the funds without advance communication.
While the move has been welcomed by provider groups, they say it will do little to alleviate the financial strain on many of the affected providers who are experiencing severe cash flow problems due to the increased workload from having to implement workarounds for filing claims and prior authorization requests. The American Hospital Association (AHA) said the assistance being offered “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage.” The assistance being offered only addresses one of the two problems caused by the Change Healthcare outage. It helps address the problem of payers being unable to pay via Change Healthcare, although the AHA said the terms and conditions are “shockingly onerous.” The AHA said no assistance is being offered at present to ease the burden on providers who are unable to bill payers in a timely manner due to the ongoing disruption of Change Healthcare’s clearinghouse and claims submission systems.
The recovery process has been slow for Change Healthcare. The Blackcat ransomware attack caused an outage that has lasted for almost 2 weeks. On March 1, 2024, Change Healthcare confirmed that it had set up a new instance of its Rx ePrescribing service and had successfully tested the new instance with vendors and retail pharmacies; however, the Clinical Exchange ePrescribing provider tools remain offline, as do around 100 of Change Healthcare’s IT products.
There have been reports in the media that indicate Optum paid a $22 million ransom payment to the ALPHV/Blackcat ransomware group for the decryption key and to ensure that the stolen data is deleted. The affiliate behind the attack claims that the ALPHV/Blackcat group stole the ransom and has now shut down the operation. The affiliate claims to have 4TB of the data stolen from Change Healthcare.
UnitedHealth Provides Update on Incident Response and Recovery
UnitedHealth Group has provided further updates on the recovery process. On March 1, 2024, a new instance of Change Healthcare’s Rx ePrescribing service was made available and UnitedHealth Group said it has already processed more than 3 million transactions, and volume is increasing daily as more system vendors reconnect. Workarounds are continuing to be deployed for claims, and UnitedHealth Group says 90% of claims are now flowing uninterrupted, with claims expected to increase to around 95% by next week (w/c 3/11); however, there are still issues with Change Healthcare’s payment capabilities although progress is being made on restoring them. “Our teams have been diligently working on restoration of the core environment. We expect our data center rebuild and restoration of database center services to be complete this week,” explained UnitedHealth Group. “From there, we will turn our full attention to application and service restoration.”
On March 7, UnitedHealth Group said a new instance of the Rx Connect (Switch) service is now online, that it is actively working to restore full service and connectivity for claim traffic, and that it has begun enabling Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity.
While progress is being made on restoring services, attention will soon turn to the scale of the data breach. Given that Change Healthcare processes 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions, this could turn out to be one of the largest healthcare data breaches of all time. At least 5 class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who allege their information was stolen in the attack, and that number is expected to continue to grow as the extent of the data breach becomes clear.
March 2, 2024: Change Healthcare Confirms Blackcat Ransomware Attack as Rx ePrescribing Service Reestablished
The Blackcat ransomware group claims to have stolen a vast amount of data from Change Healthcare in the recent cyberattack. In a statement posted on, and later removed from, its data leak site, a member of the group claimed to have stolen 6TB of data from UnitedHealth, which the group alleges includes “highly selective data” from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Screenshots of some of the data were shared as proof of data theft. The group also claims to have stolen the source code of Change Healthcare applications. The group claims to have stolen the data of millions of patients, including medical records, insurance records, dental records, payment information, claims information, and patients’ PHI, including health data, contact information, and Social Security numbers.
Change Healthcare has yet to determine the extent of any data breach at this early stage of its investigation. Ransomware groups usually threaten to publicly release data to pressure victims into paying the ransom, and listings are often added when victims refuse to negotiate or when negotiations break down. The rapid removal of the listing suggests that Change Healthcare is in touch with the group, although there could be other reasons for the removal of the data.
In an update on February 28, 2024, Change Healthcare confirmed that disruptions have continued for a 9th day, with some applications still experiencing connectivity issues. Change Healthcare also said it has a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not compromised and the breach appears to be limited to Change Healthcare, with none of its clients’ systems breached.
In a February 29, 2024 update, Change Healthcare confirmed that this was an ALPHV/Blackcat ransomware attack. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”
While not specifically referencing the Change Healthcare cyberattack, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on February 27 warning about increased attacks on the healthcare sector by the Blackcat/ALPHV ransomware group. 70 victims have been listed on the group’s data leak site since December 2023, and the healthcare sector has been the most commonly attacked sector.
In a March 1, 2024 update, Change Healthcare explained that a new instance of its ePrescribing service has been stood up, although Clinical Exchange ePrescribing providers’ tools are still not operational. “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” explained Change Healthcare in a March 1, 2024 status update. “As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”
February 27, 2024: Blackcat Ransomware Group Behind Change Healthcare Cyberattack
The disruption at Change Healthcare has continued into the seventh day after its February 21 cyberattack, with pharmacies across the country still struggling to process prescriptions. With Change Healthcare’s systems out of action, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed. On Monday, Change Healthcare confirmed that the attack is still affecting 117 of its applications and components.
Change Healthcare/Optum has been providing daily updates and has confirmed that the disruption is continuing. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” explained Change Healthcare in its February 26, 2024 update. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”
Change Healthcare has engaged the services of Alphabet’s cybersecurity unit, Mandiant, which is assisting with the investigation and remediation of the cyberattack. While neither Change Healthcare nor Mandiant have commented on the nature of the attack, Reuters has reported that two sources familiar with the incident have confirmed that this was a ransomware attack, and that the ALPHV/Blackcat ransomware group is responsible. On February 27, 2024, a member of the Blackcat group confirmed that they were behind the attack.
Blackcat is known to engage in double extortion tactics, where sensitive data is exfiltrated before ransomware is used to encrypt files. Ransoms must be paid to recover encrypted files and to prevent the release of stolen data, so there is likely to have been a data breach although that has not been confirmed by Change Healthcare at this stage.
In December 2023, the Blackcat group was the subject of a US-led law enforcement operation that took down websites used by the group. The group issued a statement following the takedown stating that, in response, it has removed affiliate restrictions and now allows affiliates to conduct attacks on critical infrastructure entities and healthcare organizations. It should be noted that the “rule” on not targeting healthcare organizations was not strictly followed before the takedown, as the group conducted several attacks on healthcare organizations in 2023, including McLaren Health Care and Norton Healthcare.
In early updates on the nature of the attack, Change Healthcare said it suspected that the attack was the work of a nation-state-associated actor; however, that appears not to be the case. ALPHV/Blackcat is a financially motivated cybercriminal group with no known links to any nation state. There have also been media reports suggesting the attack involved the exploitation of a vulnerability in ConnectWise’s ScreenConnect app. ConnectWise issued a statement saying Change Healthcare does not appear to be a direct customer, although it is possible that ConnectWise was used by a managed service provider. At this stage, no MSP partners have come forward and confirmed a breach that impacted Change Healthcare.
February 22, 2024: Change Healthcare Responding to Cyberattack
Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has confirmed that it is dealing with a cyberattack that has caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impacts.
“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” explained Change Healthcare on its status page. The Change Healthcare cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working around the clock to mitigate the attack and restore the affected systems.
UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Change Healthcare provides prescription processing services through Optum, which provides services to over 67,000 U.S. pharmacies and serves 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions. Change Healthcare is used by Tricare, the healthcare provider of the U.S. military, and all military pharmacies, clinics, and hospitals have been affected by the disruption caused by the Change Healthcare cyberattack. Retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to send orders through insurance plans.
In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, UnitedHealth confirmed that Change Healthcare had experienced a cyberattack that affected dozens of systems. At this stage of the incident response, it is too early to tell if any patient data has been exposed or stolen in the attack, and neither UnitedHealth nor Change Healthcare could provide a timeline on when systems will be brought back online.
UnitedHealth said in its SEC filing that it suspects the cyberattack was conducted by a nation state, rather than a cybercriminal group, but did not provide further information on how that determination was made. That announcement is concerning, given the recent warnings about China maintaining access to critical infrastructure entities in the U.S. and the new sanctions due to be imposed on Russia in response to the death of Alexei Navalny.
There are also fears that the cyberattack could extend to the pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued a warning to all members that they should immediately disconnect from the Optum system as a precaution. “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said, and in the meantime switch to manual processes.
What is HIPAA and does this Cyberattack Break the Law?
All healthcare organizations that conduct transactions electronically that involve protected health information are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of protected health information to unauthorized individuals and the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information.
If an unauthorized individual gains access to systems containing protected health information, it is classed as an impermissible disclosure of protected health information and is a reportable HIPAA breach. A cyberattack that results in access being gained to protected health information is not necessarily a HIPAA violation. The HIPAA Security Rule requires risks and vulnerabilities to be identified, and for those risks to be managed and reduced to a reasonable and appropriate level. The HIPAA Security Rule does not require risks and vulnerabilities to be eradicated entirely.
The first priority following the detection of unauthorized system activity should be to contain the incident and ensure that the threat actor is eradicated from internal systems. Systems must be safely brought back online and the nature and scope of the incident established through a forensic investigation. If it is determined that patient data has been exposed, the breach must be reported to the Department of Health and Human Services (HHS) and the affected individuals must be provided with individual notifications within 60 days of the discovery of a data breach. The HHS investigates all data breaches of over 500 records to determine if they were the result of a failure to comply with the HIPAA Rules and financial penalties can be imposed for noncompliance.
The HIPAA Journal will update this post as more information about the incident comes to light, so please check back over the coming days and months.
The post UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack appeared first on HIPAA Journal.