
What will be the downstream effects of the Change Healthcare cyberattack?

The Change Healthcare cyberattack was a historic incident that will continue to have ramifications for months or more across the healthcare industry.


By Kelsey Waddill

In the months since UnitedHealth Group’s (UHG) Change Healthcare fell victim to a ransomware attack, providers have been working to recover financially and operationally amid disruptions to claims processing and several other services. Given that Change Healthcare processes 15 billion transactions annually and touches one in every three patient records in the US, its recovery process is expected to be lengthy and complex, with long-lasting impacts on the industry.

Jill McKeon, associate editor at HealthITSecurity, discusses the timeline of the Change Healthcare cyberattack so far, explores the ramifications of UHG paying a ransom to threat actors, and delves into how this event fits into the broader healthcare cybersecurity landscape.

Kelsey Waddill:

Hello and welcome to Healthcare Strategies. I'm Kelsey Waddill, multimedia manager and managing editor at Xtelligent Healthcare.

If you've been tracking healthcare news at all in 2024, you'll likely have heard about the Change Healthcare cyberattack. This attack on the largest clearinghouse in the U.S. brought many healthcare functions in the country to a temporary standstill and resulted in a $22 million ransom payment from Change Healthcare's parent company, UnitedHealth Group. It also sparked more fervent conversation around some of the major gaps in cybersecurity strategy, policy, and enforcement.

Here to break down the details of this incident and explore the repercussions we have my colleague, Jill McKeon, associate editor at Health IT Security. She has been following the event closely and you could find all of her coverage on healthitsecurity.com. We are both here in TechTarget's podcasting studio today with a lot to talk about. Jill, it's so much fun to actually be able to sit across from you as we have this conversation, and I'm so excited. Thank you for coming onto Healthcare Strategies.

Jill McKeon:

Yeah, thank you for having me.

Kelsey Waddill:

We have a lot to cover today. There's no way that we're going to get into all of the details. There's just a lot that's been going on in the past couple of months in terms of this cyber attack. But I want to start out just by at least covering as much of as we can of the timeline here and getting us caught up on what the "who, what, when, where" of this situation is. So can you run us through the timeline of events as it currently stands when we are recording this on May 2nd?

Jill McKeon:

Sure. So Change customers and the public first heard about this incident on February 21st when Optum posted a notice on its website alerting customers that some of its applications were unavailable. And later that day they confirmed that Change Healthcare was experiencing a network interruption related to a cybersecurity issue. So it was later confirmed that the notorious BlackCat Ransomware gang had deployed ransomware and had received a $22 million transaction that appeared to be a ransomware payment.

Meanwhile, every healthcare entity type--from major pharmacy chains like CVS and Walgreens to independently owned practices--are starting to really feel the effects of their clearinghouse being out of commission for just a few days. After all, Change says that it touches one in every three patient records in the U.S.

Kelsey Waddill:

That's significant.

Jill McKeon:

It is. So fast-forward to late April and early May where we are now, UHG is continuing to restore its services and patients and providers are now anxiously awaiting a breach notification from Change. So under HIPAA, covered entities have 60 days from discovery to file a breach report with the HHS Office for Civil Rights or OCR. And UHG recently stated in a press release that its initial review suggests that the data impacted in the ransomware attack likely covers "a substantial portion of people in America".

Kelsey Waddill:

Great. That's pretty broad.

Jill McKeon:

Definitely. So the most recent development in this situation occurred yesterday on May 1st when UHG CEO Andrew Witty testified at a hearing before the House Energy and Commerce Subcommittee on Oversight and Investigations and revealed that BlackCat cybercriminals had gained access to Change Healthcare systems on February 12th, nine days before they deployed ransomware. So the threat actors used compromised credentials to remotely access a Change Healthcare Citrix portal that was not protected with multi-factor authentication. Witty also said that it was his decision to pay the $22 million ransom and that it was one of the hardest decisions he's ever had to make. So that's where we're at today.

Kelsey Waddill:

Yeah, that's a lot happening in only the span of a couple of months. So Jill, before we go any further, I just want to pause because I'm not on our Health IT Security site all the time, and I imagine that a lot of the people who are affected are not actually super well versed in what all of these things mean. When do you call it a breach or when does that 60-day period start when UHG has to notify that there was a breach? So can you just walk us through the basics really quickly of did the 60 days start on February 12th? Did it start when we know that hackers got into the system? Does it start on the 21st when UHG found out about the ransomware? Is there some other kind of deadline when it starts? Can you break that down for us?

Jill McKeon:

Sure. Under the HIPAA Breach Notification rule, as we discussed, entities have 60 days from the discovery of a breach of protected health information to notify OCR. So that's a pretty good amount of time. We don't quite know specifically with UHG when they discovered that information was breached. So that might've been the same day as the cyber attack, or it might have been much later when they started to get into the investigation of what date it was impacted. But we know that as of a couple weeks ago when recording this, that they have confirmed that patient data was impacted by this event. So we know that the clock is ticking. We don't exactly know when it started. And OCR is definitely expecting a data breach. And it's also important to note that OCR released a Frequently Asked Questions document, and one of those questions is "what HIPAA breach notification duties do covered entities have with respect to the Change Healthcare cyber attack?"

Kelsey Waddill:

"Covered entities" being like providers and...

Jill McKeon:

Right. All the entities that were impacted on the downstream effects of this breach. And OCR kind of pasted their standard HIPAA text of saying, "Following a breach of unsecured PHI, covered entities must provide notification to impacted individuals and HHS." So that would imply that each entity is submitting their own breach notification, which, knowing the scale of this attack, would be pretty significant. So a lot of industry groups are kind of pushing back on that and seeing if they can get any type of enforcement discretion and ease those responsibilities considering the impact that this is already having, adding that onto the workload might be pretty significant.

Kelsey Waddill:

A little ambitious maybe.

Jill McKeon:

So we'll see if that happens. And I know UHG has also said that they would take the responsibility of notifying consumers on behalf of these entities. But we don't quite know what that will look like yet and how that will affect the workload of these individual entities.

Kelsey Waddill:

Yeah. Who are already scrambling to just get paid.

Jill McKeon:

Right.

Kelsey Waddill:

Okay. That kind of clarifies some things. So what was the industry and federal response like to this event? And also, I mean, you kind of touched on this, but UHG's response as well, what actions did they take?

Jill McKeon:

Yeah, so starting with the industry, several groups such as the American Hospital Association [AHA], the American Medical Association [AMA], and other groups have been very vocal about how this ransomware attack has impacted providers. The AHA has called this incident "the most significant and consequential cyber attack on the US healthcare system in American history." And the AMA has released multiple surveys that shed light on provider impact, including figures that indicate that 55 percent of respondents had to use personal funds to cover their practice's expenses, and 31 percent could not make payroll while Change systems were unavailable. So this has obviously had a really big impact on these providers and not to mention patients. These organizations also called on both HHS and UHG to take action and offer enforcement discretion and provide financial assistance. So they're really not letting UHG off the hook here.

Kelsey Waddill:

Yeah.

Jill McKeon:

So as of May 1st, UHG had said it advanced more than $6.5 billion in accelerated payments and no interest, no fee loans to thousands of providers. They also set up a temporary funding assistance program for claims not covered by UHG, which was met with a lot of criticism from the AHA when it first came out. Providers were receiving sums of money that just weren't helping them make up for the losses, and Change has since said that they have updated that program and are offering more substantial payments. But in terms of government response, a few weeks after the ransomware attack occurred, HHS broke its silence and gave specific guidance to Medicare providers who needed to change clearing houses. And they took action through CMS to encourage other payers to waive or expedite solutions and prepare for an influx of paper claims. They also announced a formal investigation into the Change Healthcare cyberattack which will specifically focus on whether a breach of protected health information occurred.

Kelsey Waddill:

So a lot of things happening at once to try to get us through this crisis, which it is a crisis. It's a nationwide crisis at this point. So you talked a little bit about the provider response there and a little bit about what UHG has been doing to kind of mitigate on that end a lot of the losses that healthcare providers are just losing money hand over fist. So let's dig a little bit more into what the recovery process for an event this big looks like. Can you talk a bit about that?

Jill McKeon:

Sure. So in his written testimony, UHG CEO Witty said that payment processing by Change Healthcare is at approximately 86 percent of pre-incident levels and medical claims are largely flowing, once again with a few exceptions. But he also noted that the full recovery will take a very long time because they are essentially rebuilding everything from scratch with a more secure advanced solution to prevent future attacks. So there's still a really long road ahead for recovery for UHG, not to mention the impact that the breach information will have on everyone involved. But providers, even the ones who were able to use the available workarounds, are not really in the clear. Even if they have regained access to Change systems, this incident resulted in serious cashflow issues for a lot of organizations, especially smaller entities that may have not had the cash reserves to dip into. Additionally, the organizations that accepted funding assistance from Change will eventually have to pay that money back. So for a lot of providers, that's still an issue.

Kelsey Waddill:

Yeah, I remember seeing in Witty's written comments that he was pulling in Amazon and Microsoft and all these different major companies to be onsite to try to fix this. So it definitely seems like an all hands on deck effort on UHG's end, but also not necessarily great prospects for the providers who are losing money and then also now have to pay back a loan. So maybe [a] mixed bag.

So some of these effects have been mitigated, we've talked about that portion of the process. And I know from your coverage that I've read of this incident that certain services like Relay Exchange are back up and running now, and UHG has stood up some of its services again, which is--that's good. But so, what do you expect to see in terms of some of the longer-ranging impacts of this incident? I know a lot of the focus right now is just get everything, the immediate kind of problems resolved. But obviously, I mean, what I've been hearing from even folks that we talked to at HIMSS 2024 is that this is not just "a few weeks and we've fixed it" problem. This is a months- (at least) long process. So, where are you seeing things that are going to take longer to resolve?

Jill McKeon:

Yeah, and as you said, I think a lot of providers are kind of still in the state of getting through daily operations, so they might not be ready to think about the longer-term impacts, but so, I think time will tell how this ransomware attack will change cybersecurity in healthcare as a whole, because it is such an unprecedented event that's happened to such a big company. But there are themes already emerging.

I think firstly, it fuels the case for making ransomware payments illegal, which is a very hotly contested debate in cybersecurity. Some argue that banning ransomware payments would just punish the victim while others argue it's really necessary to remove the financial incentive for threat actors. So I think a lot of this discussion will be based on should Change have paid the ransom, and what will that do to the cyber threat ecosystem? This event has already led to the introduction of new legislation. The Healthcare Cybersecurity Improvement Act of 2024, if it's passed, would allow providers to receive advanced and accelerated payments in the event of a cybersecurity incident so long as they meet minimum cybersecurity standards. So we'll see how that progresses.

Lastly, this attack exposed the impacts of having an organization as large as UnitedHealth Group touching so much of the US health care system. They process 15 billion healthcare transactions per year and just completed their merger of Optum and Change in 2022. So I think this will lead to a lot of conversations about whether these large scale consolidations are truly helping patients and providers.

Kelsey Waddill:

Yeah. Not to keep referencing this event, but we had a lot of conversations around the Change Healthcare event at HIMSS 2024, and one of the big topics was just--this would have looked a lot different if Change was its own entity just by itself. But because of its situation inside of UHG, there's a lot more opportunity for a lot more damage to be done. I mean, also Change Healthcare itself is already, like you said, billions of claims pass through this organization. It's already a big organization by itself, and then to be attached to one of the largest payers and a large provider network and all of this, that's so much data running through there. So I'm curious to see how that conversation evolves and what comes out of that policy-wise, too.

Jill McKeon:

Yeah. And the sheer size of the organization just makes them an enticing target for threat actors. So it's something that other organizations should definitely be looking out for.

Kelsey Waddill:

Yeah. And a lot more pressure, I'm guessing, to pay the ransomware too, because if you don't, all of these things will be affected, as we've seen.

I mean, kind of speaking on that topic, there are a lot of larger trends here that this incident is taking place inside of. A lot of conversations were already going on about things like consolidation, and we know that there's been a crackdown on antitrust action this year, and just trying to get the sort of consolidation under control in healthcare or to see its impact and whether that's fully a positive thing, a negative thing, how we can sort through that kind of mixed bag. So that's just one of the big trends that this incident took place inside of. I was curious if you could explain some of the other larger trends that you've been following on Health IT Security and what have been some of the key takeaways or lessons learned that healthcare leaders are sharing from this historic event that might impact or shape those conversations, those larger trends.

Jill McKeon:

Third-party risk management is the first thing that comes to mind. It's a big topic in healthcare cybersecurity, and it's also, obviously, Change is a big vendor for a lot of these healthcare organizations. So the strategy of approaching third party risk management for Change specifically might be a bit different because of how impactful they are.

But essentially, all healthcare organizations should exercise due diligence, conduct risk assessments, and have their own response plans and business continuity plans in place so that if one vendor goes down, they're still able to function and there's not a single point of failure. And also, now that we know that the compromised system at Change did not have multifactor authentication, I predict that we'll continue to see a push for implementing MFA across healthcare, even though that has already been a foundational cybersecurity practice for a long time that a lot of organizations have adopted. I think this just further proves the value of that tool. And also, I think this unfortunate incident might be used as an example for industry groups and lawmakers to advocate for minimum security standards in healthcare through regulation, rather than just guidance, to more mandated security standards that are beyond the scope of HIPAA.

Kelsey Waddill:

Oh, interesting. So attaching a penalty to not necessarily doing the minimum.

Jill McKeon:

Right, right, and kind of enforcing having standards like MFA in place.

Kelsey Waddill:

Interesting. Well, I don't think we're going to see this conversation going away anytime soon, so I'm really grateful that we got to have you on and to discuss it. And any final thoughts before we close out?

Jill McKeon:

I think the main thing that I'm really looking for is the breach notification. It will be really interesting to see what that looks like. During yesterday's testimony, Witty said that if he had to estimate, he would say about a third of America was affected by this, and that could be on the lower side of his estimation. So we'll see what that final number is.

Kelsey Waddill:

Yeah. Important to keep track of. And thank you for being on our frontline on that and for keeping your finger on the pulse of what's going on in this area of the industry. And yeah, maybe we'll have to have you on in a couple of weeks or a couple months to see where this goes. But thank you for coming on today, Jill, and for sharing your thoughts.

Jill McKeon:

Thank you.

Kelsey Waddill:

And to our listeners, thanks so much, as always, for tuning in today. We hope that you like what you heard. If you did, please remember to give us a like, subscribe to the channel, put down a review, and let others know what you thought. Also, we would love to hear what you think. So feel free to email us any questions or stories that you think we should cover on the podcast. You can reach out to me at kwaddill@techtarget.com. That's K-W-A-D-D-I-L-L@techtarget.com. I can't wait to hear from you. See you next time.
