OVERVIEW

The Change Healthcare ransomware attack presents potentially significant ramifications for hospitals, health systems, pharmacies and others that rely on the organization’s tools for healthcare payment, revenue cycle management, medication fulfillment and other health-related functions. This report reviews the impact of attack as of February 28, 2024, and outlines next steps for organizations impacted by the incident and related business interruption.

IN DEPTH

Change Healthcare, a healthcare technology company that is a business unit of Optum and owned by UnitedHealth Group, announced on February 21, 2024, that it was experiencing enterprise-wide connectivity issues and service application interruptions (the Incident). Change Healthcare offers, among other services, application tools for healthcare payment and revenue cycle management to healthcare provider customers. According to media reports, the Incident has been attributed to the ALPHV Blackcat ransomware as a service (Raas).

The ramifications of the Incident are potentially significant:

• The Incident has disrupted operations at pharmacies and health systems across the US that rely on Change Healthcare tools for healthcare payment and revenue cycle management.
• The American Hospital Association (AHA) recommended on February 24, 2024, that all healthcare organizations that “were disrupted or are potentially exposed by this incident consider disconnection from applications specified by Change Healthcare that remain unavailable due to this cyberattack.”
• According to UnitedHealth Group, more than 90% of US pharmacies have set up modified electronic claims processing workarounds to avoid disrupted systems, and the remainder have established offline processing systems.
• If the Incident is determined to have compromised patient protected health information or personal information, impacted organizations may have breach notification obligations under the Health Insurance Portability and Accountability Act (HIPAA) and/or state breach notification laws and could face regulatory investigations or privacy-related civil litigation.

According to a February 27, 2024, #StopRansomware: ALPHV Blackcat joint Cybersecurity Advisory released by the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the FBI has identified more than 1,000 victims worldwide of ALPHV Blackcat ransomware and/or data extortion incidents. The healthcare sector has been the most commonly targeted.

Although the initial attack vector is not yet publicly known, Health Information Sharing and Analysis Center (Health-ISAC) said in a threat intelligence bulletin on February 26, 2024, that – based on information published by intelligence firm RedSense – Change Healthcare (and other organizations) may have fallen victim to exploitation of the recently announced ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709). According to Health-ISAC, RedSense anticipates that more organizations will be compromised because the ScreenConnect exploit is simple to execute, and that additional victims may be identified in the coming days.

Actionable next steps for impacted Change Healthcare customers include (but are not limited to) the following:

• Communicating with payors regarding payment workarounds to bypass disrupted Change Healthcare applications.
• Monitoring the Change Healthcare Incident update website for relevant updates.
• Monitoring AHA advisories for relevant updates and recommendations, including recommendations regarding connectivity to Change Healthcare applications.
• Reviewing Health-ISAC recommendations, including recommendations regarding maintaining network connectivity with UnitedHealth Group, Optum and UnitedHealthcare, and monitoring known indicators of compromise to identify compromised systems and/or prevent unauthorized access.
• Developing a set of security- and Incident-related questions or criteria for Change Healthcare in order to reestablish connectivity with Change Healthcare systems (e.g., what assurances can be provided that the risk has been contained and remediated? What security improvements have been implemented to help ensure similar incidents do not occur again?).
• Reviewing CISA recommendations to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.
• Monitoring Healthcare Financial Management Association (HFMA) recommendations and updates with respect to potential claims of processing- and payment-related cashflow interruptions.
• Monitoring US Department of Health and Human Services (HHS) channels for information related to AHA’s request that HHS offer guidance on how providers can access Medicare advance or accelerated payments to smooth cashflow issues.
• Potentially notifying cyber carriers and other applicable insurers of any business interruptions and of a potential security incident, even if the potential impacts of the Incident are not yet fully determined.
• Reviewing HIPAA compliance programs, including (among others) written policies and procedures and security risk analyses, in preparation for potential breach notifications, regulatory investigations, and/or privacy-related civil litigation.