Tips for covering the wake of the Change Healthcare cyberattack

Many questions remain unanswered about the Change Healthcare cyberattack, as we reported in a story post on April 5. One of the nation’s largest clearinghouses for insurance billing and payments, Change Healthcare was victimized on Feb. 21 in a hack that severely disrupted operations for hospitals, medical offices and pharmacies nationwide. 

One of the consequences of that attack is that 24 entities whose payments have been delayed have filed lawsuits against Change and its parent company, UnitedHealth Group in multiple states, as Mike Scarcella reported April 4 for Reuters. The plaintiffs have charged that the payment processor of failing to protect personal data from February’s cyber hack, he added.

In this tip sheet, we cover what likely happened in this case (considered by the American Hospital Association to be “the most significant and consequential incident of its kind”), why the recovery process is still ongoing and what to watch for based on the ongoing fallout.  

How did the cyberattack happen?

It’s still not been made public how the attack occurred, and if IT professionals at Change and its parent companies, Optum and UnitedHealth Group, did all that they needed to prevent it.

A dedicated website that UnitedHealth maintains about Change’s response to the cyberattack simply says they “discovered a threat actor gained access to one of our Change environments.” 

A spokesperson for the federal Cybersecurity and Infrastructure Security Agency (CISA) told us they could not comment on the specifics of the case. However, Dean Sittig, Ph.D., a professor at the University of Texas Health School of Biomedical Informatics, told us that sources including Bleeping Computer had suggested a vulnerability in the Change platform network, and apparently the company did not patch it in time to prevent the attack. 

The ransomware group, ALPHV, also known as BlackCat, claimed responsibility for the attack, and on March 1, received a $22 million ransom in bitcoin that most likely was made by Change, reported Jessica Lyons for The Register. Change has not admitted publicly to making such a payment. 

Making the case more complicated, the attack occurred using ransomware as a service, or RaaS, CNBC reported in March. Under this business model, one ransomware group gives or sells its code or malware to other hackers, who then use it to carry out ransomware attacks, sometimes in exchange for giving the first group a cut of the proceeds.  

“RaaS is like hiring a thief to rob your neighbor’s house,” Sittig explained. “You pick the house and say, ‘I’ll text you when they leave on vacation.’ Then, you agree to pay the thief either a fixed fee or a share of what they take from the house.” 

The U.S. State Department is offering a reward of up to $10 million for information about anyone holding a leadership position within the ALPHV/BlackCat group, and $5 million for information on hackers involved in these groups, UPI reported. 

Why does it take so long to recover?

As mentioned in the previous post, Change Healthcare originally estimated it would have operations back online by mid-March. But its website has a timeline for product restoration extending through the week of April 29. 

Why the long recovery? It’s a combination of ensuring hackers are no longer in the system and securing the vulnerability that allowed them to breach it in the first place, John Riggi, national advisor for cybersecurity and risk for the American Hospital Association (AHA), told Becker’s Health IT. 

The Joint Commission and the AHA have told health care organizations to prepare for a month of downtime following a cyberattack, but Riggi told Becker’s Health IT that resuming normal operations following this attack could take even longer, meaning disruptions could linger for months to a year. The cyberattack caused the company to shut down 119 services and platforms, leaving some hospitals, clinics, billing firms and pharmacies unable to send bills or claims, and unable to process prescription discount cards, according to reports in Bleeping Computer and AMIA’s Informatics SmartBrief newsletter. 

What can companies do to prevent similar attacks?

Adopting cybersecurity strategies is crucial for health companies, Justin Kozak, executive vice president of Founder Shield, a commercial insurance brokerage, wrote in Healthcare IT Today. Such strategies include investing in firewalls, encryption, multifactor authentication and training employees to be vigilant, he said. A leading cause of cybersecurity breaches is clicking on suspicious links, he added. 

What could happen next?

While Change Healthcare works to restore its systems, other pieces of the story continue to unfold, leaving plenty of room for more reporting:

• The federal Department of Health and Human Services announced initiatives to expedite payments to hospitals and other affected providers, including allowing hospitals with cash flow problems to request accelerated payments, Becker’s Health IT and others reported. 

• HHS’ Office of Civil Rights launched an investigation into whether a breach of protected health information occurred and whether Change and UnitedHealth complied with federal privacy rules, Healthcare IT Today and others noted. 

• The U.S. Senate Finance Committee is planning a hearing with UnitedHealth CEO Andrew Witty on April 30 that will likely investigate whether Change was particularly vulnerable to cyberattacks, how executives responded and what steps Change and UnitedHealth have taken to protect data moving forward, the Washington Post reported in March. 

• A proposed class action lawsuit is one many filed against UnitedHealth Group and Change Healthcare on behalf of a California resident who fills his medical prescriptions at a CVS Pharmacy that uses the Change Healthcare platform, Becker’s Payer Issues reported. The suit, filed in Minnesota federal court, argues that UnitedHealth Group is responsible for the data breach because it “failed to implement reasonable security procedures and practices and failed to disclose material facts surrounding its deficient security protocols.”

• Meanwhile, CISA is proposing rules on mandatory cyber incident reporting for large and critical access hospitals, drug manufacturers and some medical device makers under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that President Biden signed in 2022. The proposed rule was published in the Federal Register on April 4, with comments due by June 3. 

• Another development to watch is what might happen with the stolen patient data, Sittig said. Two days after ALPHV received the $22 million payment, someone describing themselves as an affiliate (a hacker who works with the group to penetrate victim networks) posted to a cybercriminal underground forum called RAMP that ALPHV had cheated them out of their share of the ransom, Wired magazine reported in March. “There is no honor among thieves,” Sittig said. An April 5 update by CyberScoop noted that another cybercriminal group called “notchy” claims to have stolen 4 terabytes of data in the hack including information on insurers such as CVS Caremark, MetLife and Medicare. As of this writing, it was unclear whether notchy really did have the data.

Story angles

Journalists could get multiple follow-up story ideas from this hack, including following any of the items in the bulleted list below:

• Follow up on the cyberattack’s impact on hospitals, as reported in these stories:
  • Massachusetts hospitals losing $24M a day from Change Healthcare hack (beckershospitalreview.com)
  • Some hospitals risk ‘running out of cash’ amid Change outage: Moody’s (beckershospitalreview.com)
  • 94% of hospitals take financial hit from Change hack: AHA survey (beckershospitalreview.com)
• Follow up on the cyberattack’s impact on physician practices, as reported in these stories:
  • Not just hospitals, pharmacies: Change Healthcare hack hits physician practices hard (beckershospitalreview.com)
  • Providers losing $100M daily over Change Healthcare hack: Report (beckershospitalreview.com)
• Follow up on the cyberattack’s impact on pharmacies, as reported here:
  • Ransomware hack hits prescription drug market, inconveniencing millions – The Washington Post
• Also, do hospitals and other affected entities need to inform patients that their data may have been compromised? That is mentioned in this story: Will hospitals need to notify patients about the Change hack? (beckershospitalreview.com)

Additional resources

• Washington wants to avert another Change Healthcare-like fiasco. Here’s what could be coming, STAT, March 29
• 4 things you need to know about health care cyberattacks, The New York Times, March 29
• UnitedHealth appears to be upping loan offers to providers, after Change cyberattack, STAT, March 19
• Four big questions for DC following massive health care hack, Politico, March 18
• Why UnitedHealth, Change Healthcare were targeted by ransomware hackers, and more cybercrime will hit patients, doctors, CNBC, March 15 
• Why healthcare cyberattacks last so long, Becker’s Health IT, March 7
• Large insurers say up to one-quarter of claims run through Change Healthcare, STAT, March 5
• Explaining Change Healthcare and the gravity of its cyberattack, STAT, March 4
• Information on the Change Healthcare Cyber Response. This site from UnitedHealth Group has frequently asked questions and a timeline for when the company expects various products and software services to be restored.