Change Healthcare hack needs federal help, management groups say

Federal regulators need to get involved in a health care cyberattack that is having repercussions around the nation.

This month, Change Healthcare has been dealing with a computer network hack that has disrupted its operations and those of other health care systems and hospitals. On Feb. 29, Change Healthcare identified the perpetrator as ALPHV/Blackcat, also known as BlackCat or Noberus, which had gained a reputation as a major hacking group targeting various industries, especially health care, in developed nations.

“Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare's systems,” said a statement posted Feb. 29 on Change Healthcare’s website. “We are actively working to understand the impact to members, patients and customers.
“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need,” the Change Healthcare statement said. “Based on our ongoing investigation, there's no indication that except for the Change Healthcare systems, Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”

Change Healthcare in October 2022 joined with Optum, part of the UnitedHealth Group.

Asking for help

This week, the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) sounded the alarm to the U.S. Department of Health and Human Services (HHS) for federal help. The situation is “alarming,” with serious consequences for medical groups and hospitals.

“We request HHS utilize all the tools at its disposal to mitigate these impacts, so medical groups do not have to take drastic actions to remain in operation,” said the letter from Anders Gilberg, MGMA senior vice president for government affairs. “Guidance, financial resources, enforcement discretion, and more are needed to avoid escalating an already serious situation.”

Disrupted services

MGMA catalogued member reports:

• Substantial billing and cash flow disruptions, with no electronic claims processing and delays to paper and electronic statements.
• Limited or no electronic remittance advice from health plans.
• Rejected prior authorization requests.
• Inability to perform eligibility checks for patients.
• Delays or stoppages for electronic prescriptions, forcing people to self pay for medications or go without them.
• Lack of connectivity to data infrastructure.

The computer woes come on top of cuts to physician reimbursement by Medicare, high inflation and staffing shortages, Gilberg’s letter said. “The timing could not be worse,” because medical practices outside of health systems use credit at the start of the year as they accrue enough revenue to cover salary and expenses.

AHA: This ‘could be massive’

While the exact affects remain unclear, the problem “could be massive,” according to AHA President and CEO Richard J. Pollack. He cited Change Healthcare’s data stating the company processes 15 billion health care transactions a year, touch one of every three patient records.

“Any prolonged disruption of Change Healthcare’s systems will negatively impact many hospitals’ ability to offer the full set of health care services to their communities,” Pollack’s letter said. “After all, without this critical revenue source, hospitals and health systems may be unable to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission critical contract work in areas such as physical security, dietary and environmental services.”

Meanwhile Change Healthcare still is earning interest on “potentially billions of dollars that belong to health care providers,” Pollack added. He suggested federal regulators use enforcement discretion and flexibility for some regulations related to the processing of the health care claims.

AHA also has web updates dedicated to the incident.

Cyber industry analyst bleepingcomputer.com reported the hack affected Change Healthcare, which is used by more than 70,000 pharmacies across the United States. Citing a statement from Blackcat, that report claimed data involves personal information about millions of people.

Cyberwar declared?

In December, the U.S. Department of Justice (DOJ) announced “a disruption campaign” against Blackcat. The group had targeted computer networks of more than 1,000 victims around the world, becoming the second-largest ransomware-as-a-service hacker. Victims around the world paid hundreds of millions of dollars in ransoms, according to DOJ.

The FBI developed a decryption tool that helped more than 500 affected victims restore their computer systems, saving an estimated $68 million.

“In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” Deputy Attorney General Lisa O. Monaco said in a Dec. 19, 2023, news release. “With a decryption tool provided by the FBI to hundreds of ransomware victims worldwide, businesses and schools were able to reopen, and health care and emergency services were able to come back online. We will continue to prioritize disruptions and place victims at the center of our strategy to dismantle the ecosystem fueling cybercrime.”

Blackcat is back

Within days, Blackcat publicly proclaimed it had taken back control of its website from the FBI and urged retaliation, according to online news reports.

Two months later, Blackcat apparently bounced back with the Change Healthcare hack starting Feb. 21. AHA went so far as to recommend health care organizations consider disconnecting from Change Healthcare and Optum, although this week called for analysts to reevaluate risks to services deemed safe by Optum, Change Healthcare, UnitedHealthcare and UnitedHealth Group.

Health care a target

This week, HHS, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about Blackcat, which began using victim-specific emails to notify victims of compromised computer networks.

“Since mid-December 2023, of the nearly 70 leaked victims, the health care sector has been the most commonly victimized,” that advisory said. “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”

The U.S. Department of State this month also posted a notice of reward up to $15 million for information leading to the identification or location of any hackers holding leadership positions in Blackcat.