Change Healthcare Ransomware Attack Is Impacting Millions

Mar 15, 2024

Technology is an essential part of the healthcare system. It allows online access to patient records, quick transmission of insurance claims, and instant sharing of test results between providers. That accessibility has transformed medical care and made it more effective than ever. Yet, these seamless systems also create greater risk, as seen with the millions impacted by the Change Healthcare ransomware attack in February.

What Is Change Healthcare?

Change Healthcare is a healthcare tech firm headquartered in Nashville, Tennessee, with locations in multiple countries, including Belgium, France, Luxembourg, Germany, and Saudi Arabia. The firm was born from a merger between McKesson Corporation and Change Healthcare Holdings. It offers solutions in networking, software analytics, and technology-enabled services, focusing on streamlining healthcare operations and promoting value-based care.

Summary of the Change Healthcare Ransomware Attack

On February 21, 2024, Change Healthcare suffered a significant cybersecurity breach by the group behind the BlackCat ransomware. This attack encrypted data on the company’s systems, holding it hostage until a ransom was paid. Although Change Healthcare has not confirmed this, security researchers have suggested that the attackers were paid a $22 million ransom in Bitcoin.

The breach has severely affected the healthcare industry, disrupting numerous services and impacting millions of Americans. The U.S. Department of Health and Human Services (HHS) is actively supporting the recovery process and remains in ongoing discussions with UnitedHealth Group, the parent company of Change Healthcare, as well as state partners and healthcare providers.

The Centers for Medicare & Medicaid Services (CMS) is also aiding healthcare providers in response to the crisis. That includes changes in claims processing systems, relaxed authorization requirements, and advance funding. HHS has noted that countering and preventing cybersecurity threats like this is a joint effort due to the interconnected nature of many healthcare services.

How the Hackers Gained Access Is Unconfirmed

The exact method used by the ransomware group ALPHV, also known as BlackCat, to infiltrate Change Healthcare’s network remains unclear. Although the specific details have not been shared publicly, information about previous tactics the group has used is available. These include hijacking legitimate websites, exploiting remote access tools, and abusing group policy objects (GPOs) to gain additional access. Most of their attacks have involved malware or ransomware.

There was also speculation about a potential link to vulnerabilities in the ConnectWise ScreenConnect application. ConnectWise’s security incident occurred close to the time of the Change Healthcare ransomware attack. While ConnectWise was quick to fix the vulnerabilities, there was a window of time when they could be abused. That connection has not been confirmed and was denied by ConnectWise in a press release. More details are expected to emerge in the coming months as cybersecurity teams continue to work on the incident.

The Ransomware Attack Also Hurt Third-Party Partners 

The ransomware attack has had a broad impact on the industry. In the case of third-party partners, like Eli Lilly and Company, there may be indirect reputational damage even if the breach wasn’t caused directly by them. Disgruntled patients who are having trouble getting medications may seek out alternate brands to avoid extra costs or delays. Communication continues to be a vital part of the process, though there is a limit to what third-party partners can do since the cyberattack didn’t directly hit them.

The Breach Caused Savings Card Programs To Go Down

Eli Lilly and Company, a pharmaceutical company, reported they were having a savings card outage caused by the breach. Many of their treatments can be expensive but are free for patients who qualify for their program. While they’re providing some alternate payment methods, including a post-transaction reimbursement (PTR) option, this ransomware attack is delaying some patients from getting the medications they’ve been prescribed.

When Are Systems and Services Expected To Be Restored?

UnitedHealth Group, the parent company of Change Healthcare, has given a timeline for the restoration of some of the systems and services:

Pharmacy Services: Electronic prescriptions, including claim submissions and insurance reimbursements, should now be functional again.

Payments Platform: The electronic payment processing systems should work on March 15. Patients and businesses alike will be able to make online payments.

Medical Claims: Starting on March 18, claims network connectivity and software will begin restoration. It’s expected that everything will fully roll out again the week following.

While most systems and services are expected to be restored by the end of March, unexpected complications can still occur. Change Healthcare is still encouraging businesses and patients to consider using the workarounds provided until everything is fully tested and operational.

Change Healthcare May Not Have Been HIPAA Compliant

The ransomware attack against Change Healthcare brought concerns about its HIPAA compliance, specifically with handling personal health information (PHI). Under HIPAA regulations, healthcare entities are required to implement safeguards to secure PHI against unauthorized access. The breach, resulting from a ransomware attack, suggests potential lapses in these safeguards, leading to unauthorized access to millions of people’s data.

Notably, HIPAA mandates timely notification to people impacted by a data breach. Change Healthcare appears to have delayed this step, which is a central point in pending lawsuits. An investigation is ongoing to see if there were any other gaps in compliance, though the priority is restoring services and working through the breach first.

Lawsuits Are Being Brought Against UnitedHealth Group

UnitedHealth Group faces six class action lawsuits due to the Change Healthcare ransomware attack. These lawsuits suggest that they didn’t adequately protect patient data, leading to service disruptions and potential risks of identity theft for millions. Despite the effort to restore systems and services, delayed patient notification is a major point of concern. Once more information is gathered, the lawsuits could be expanded further, likely causing challenges in the coming years.

What Change Healthcare Did Right

While the stolen patient health information is still a concern, Change Healthcare’s quick response to the ransomware attack helped minimize further damage. They had a clear plan of action that involved contacting government cybersecurity resources, analyzing affected systems, and developing a timeline for getting everything back up and running. That’s why an incident response plan is part of any good cybersecurity strategy.

How To Protect Your Business From Ransomware

While your business can’t control what third-party partners do, you can take additional steps to protect yourself from ransomware attacks.

Awareness and Training: Develop a program to educate employees about ransomware, its delivery methods, and how to recognize suspicious activities or emails.

Email Security: Use strong spam filters to prevent phishing emails from reaching employees. Email providers like Google and Yahoo require businesses to meet sender requirements so that their emails can be better authenticated.

Firewall Configuration: Use firewalls to deny access to known malicious IP addresses, creating a barrier between your secure internal network and untrusted external ones.

Regular Updates: Update operating systems, software, and firmware. Consider employing a centralized patch management system to ensure all devices are updated and protected against the latest threats.

Antivirus and Anti-Malware: Set your antivirus and anti-malware solutions to update automatically and perform regular scans to detect and eliminate threats.

Privilege Management: Adopt the principle of least privilege by ensuring that employees have only the access necessary for their roles. Administrative access should be restricted and used only when necessary.

Access Controls: Adjust file, directory, and network share permissions based on the least privilege principle. Ensure employees have only the necessary access levels to perform their job functions.

Asset Identification and Exposure Reduction: Identify your organization’s assets visible through online tools and take steps to minimize their exposure. Services like CISA’s Cyber Hygiene Services can help organizations identify and mitigate vulnerabilities.
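
The sender requirements mentioned under Email Security rest on DNS records a business publishes for its mail domain. The Python sketch below is an added example, not code from the original article: it assumes those records are SPF and DMARC (the article does not name them) and flags weak settings in constructed sample records; all function and domain names are illustrative.

```python
# Added example: audit SPF and DMARC TXT records for weak sender authentication.
# Records are constructed samples; real ones come from DNS TXT lookups.

def audit_spf(txt_records):
    """Return findings for the SPF policy among a domain's TXT records."""
    spf = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["spf: no record published"]
    if len(spf) > 1:
        return ["spf: multiple records, which receivers treat as a permanent error"]
    terms = spf[0][1:]
    catch_all = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not catch_all and not any(t.startswith("redirect=") for t in terms):
        return ["spf: no 'all' mechanism, so unlisted senders get a neutral result"]
    if catch_all and catch_all[0] in ("all", "+all", "?all"):
        return ["spf: '%s' does not reject unlisted senders" % catch_all[0]]
    return []

def audit_dmarc(txt_records):
    """Return findings for the DMARC policy published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["dmarc: no record published"]
    tags = {}
    for part in dmarc[0].split(";"):  # records are 'tag=value; tag=value'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= policy")
    elif policy == "none":
        findings.append("dmarc: p=none requests no action on failing mail")
    elif tags.get("pct", "100") != "100":
        findings.append("dmarc: pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so no aggregate reports arrive")
    return findings

SAMPLES = {  # constructed records, not real DNS data
    "weak.example": {"txt": ["v=spf1 include:_spf.mailhost.example +all"],
                     "dmarc": ["v=DMARC1; p=none"]},
    "hardened.example": {"txt": ["v=spf1 include:_spf.mailhost.example -all"],
                         "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"]},
}

def audit_domain(records):  # an empty list means nothing was flagged
    return audit_spf(records["txt"]) + audit_dmarc(records["dmarc"])
```

Calling `audit_domain(SAMPLES["weak.example"])` returns three findings, while the hardened sample returns an empty list.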

Ransomware attacks, like the Change Healthcare incident, can come from any direction. Using a combination of strategies is the best way to protect your business. There’s

Lessons From the Change Healthcare Data Breach

One key lesson from the Change Healthcare ransomware attack is the shared responsibility of healthcare companies. This responsibility ranges from system and solution providers like Change Healthcare to small doctors’ offices. Many of them are connected through shared systems, such as insurance claims and payment processing.

The data breach also highlighted the importance of healthcare providers being HIPAA compliant. As the pending lawsuits suggest, Change Healthcare may not have been following best practices with patient health information. The lack of timely notification to impacted people, along with the amount of data impacted by the breach, shows there may have been multiple shortcomings.

However, Change Healthcare and its parent company did well by quickly responding. They had an effective incident response plan that allowed them to discover the issue, know what steps to take, and act upon it. That allowed a quick turnaround time and helped minimize the issues patients and providers alike have been dealing with. Even though the ransomware attack impacted millions, the damage would have been greater without a plan and an effective IT team.

Does your healthcare company need help with HIPAA compliance or developing an incident response plan to counter threats like ransomware? Get in touch with us through our contact form or call us at: +1 (800) 297-8293
