UnitedHealth Group-Owned Change Healthcare Hit by Cyberattack, Impacting U.S. Health System
On the morning of February 21, Change Healthcare, a significant player in the U.S. health system, made an announcement stating that some of its applications were "currently unavailable." By the afternoon, the company attributed the situation to a "cybersecurity" issue, which quickly escalated into a full-blown crisis.
Recently acquired by insurance giant UnitedHealth Group, Change Healthcare reportedly fell victim to a cyberattack, causing a widespread and expanding impact. The company's core business revolves around maintaining health care pipelines, including payments, requests for insurers to authorize care, and various other crucial functions. According to Change Healthcare, their cloud-based network supports a staggering 14 billion clinical, financial, and operational transactions annually.
Exponential Impact
Initial reports primarily highlighted the repercussions on pharmacies, yet experts point out that the issue's scope goes beyond that. The American Hospital Association revealed that many of its members are experiencing payment delays, and doctors are unable to verify patients' coverage for care. However, this is just the tip of the iceberg.
The CommonWell institution, responsible for facilitating medical records sharing among health providers, also relies on Change technology and holds records for approximately 208 million individuals as of July 2023. As a result, the system has been disabled as a precautionary measure, indicating the potential for the crisis to worsen over time.
Identification of the Perpetrator
Media reports have implicated ALPHV, a notorious ransomware group, also known as Blackcat, as the perpetrator of the cyberattack. This group has previously targeted various entities and has been linked to numerous law enforcement investigations globally. While UnitedHealth Group has labeled it as a "suspected nation-state associated" attack, some analysts have raised doubts about this assertion. ALPHV has a history of targeting entities such as casino companies MGM and Caesars, and the Department of Justice previously alleged that the group's victims had paid hundreds of millions of dollars in ransoms.
Historical Context
Contrary to being a new issue, a study published in December 2022 revealed that the annual number of ransomware attacks on hospitals and other providers had doubled from 2016 to 2021. This long-standing problem has significantly impacted health care operations, often leading to a shift to manual processes and causing vulnerabilities due to system slowdowns. Moreover, a separate study in May 2023 uncovered that cyberattacks resulted in increased waiting times, median length of stay, and incidents of patients leaving against medical advice at neighboring emergency departments, categorizing cyberattacks as a "regional disaster."
Implications for Patients
With each passing year, more Americans' health data falls victim to breaches, exposing individuals to identity theft and medical errors. Past incidents have caused severe disruptions, such as a 2017 attack forcing a rural West Virginia hospital to reboot its operations and impeding pharma company Merck's production targets for an HPV vaccine. Following the recent cyberattack on Change Healthcare, the repercussions include potential rerouting of patients to less affected pharmacies, delayed billing for patients, and the likelihood of individuals receiving notices about data breaches.
This poses a risk of identity theft for affected patients, potentially resulting in long-term implications for their privacy and well-being. The severity of the situation is underscored by a nearly 21% increase in mortality for patients in a ransomware-stricken hospital, as per an October preprint from researchers at the University of Minnesota.
The Point of Vulnerability
The Health Information Sharing and Analysis Center has attributed the vulnerability to flaws in an application called ConnectWise ScreenConnect, a tool used by tech support teams for remote troubleshooting. This seemingly trivial attack has prompted the group to caution its members about potential additional victims and advised them to update their technology. In response to the attack, the American Hospital Association recommended its members disconnect from systems associated with Change and its corporate parent, UnitedHealth's Optum unit. The impact expands to the millions of Americans who seek medical services and are covered by insurance plans offered by UnitedHealth and its affiliated practitioners.
Government Involvement
Despite efforts by the Department of Justice and the State Department to address the ALPHV group, the federal government's involvement in the aftermath of this attack has been relatively subdued. The FBI and the Department of Health and Human Services have participated in briefing calls organized by the American Hospital Association to update members about the situation. However, the lack of a more assertive government response has raised concerns among industry professionals, with calls for increased funding for security in rural hospitals and the implementation of mandatory cybersecurity standards by agencies such as the Food and Drug Administration.
Conclusion
The recent cyberattack on Change Healthcare has exposed the vulnerabilities within the U.S. health care system, emphasizing the urgency for comprehensive cybersecurity measures and government intervention to mitigate the impacts on patient safety and data security.
Share news