Change Healthcare UnitedHealth message

A significant ransomware computer attack has affected a large part of the American healthcare system. It’s been going on since Feb. 21, and nobody seems to know exactly what it means, how long it will last, or how to fix it.

The hack struck Change Healthcare, a division of UnitedHealthcare. Change is a middleman in transactions for many prescription drug purchases by individuals, and also other transactions throughout the healthcare system.

After the announcement of trouble on Feb. 21, a cascading series of confusing statements followed: UHC first said it was a “suspected nation-state associated cyber security threat actor.” But the ransomware group ALPHV/BlackCat issued a statement Feb. 29 saying that that’s not true — and that it had stolen 6 terabytes of data. It also said it had source code files for Change Healthcare software. United then confirmed on Feb. 29 that the culprit was the ransomware gang known as ALPHV/BlackCat.

“Change Healthcare production servers process extremely sensitive data to all of UnitedHealth clients that rely on Change Healthcare technology solutions,” ALPHV wrote, as quoted by Cybernews. “Meaning thousands of healthcare providers, insurance providers, pharmacies, etc…,” it added. It claimed to have 6 terabytes of data including active US military/navy personnel personal information; data including phone numbers/addresses/SSN/emails/etc.; medical and dental records; financial payment information; insurance records and claims information.

As soon as the blog was posted, Cybernews reported, it was taken down. The group’s demands are unclear to the public.

[Update: On March 4, Wired reported that the hackers had received a payment of $22 million at a Bitcoin address, suggesting that a ransom payment had been made. Change Healthcare and UnitedHealthcare declined to confirm that they had paid a ransom, Wired said.]

Effects of attack

What does it mean for patients? We’ve heard a lot of different things. Some people told us there had been delays in getting medications, or confusion on billing for medical transactions. UnitedHealth, of course, is huge, and its subsidiaries, like Change and Optum, touch all sorts of transactions in healthcare. Change handles revenue cycle management, claims and denial management, consumer payments, billing and statements, member eligibility and enrollment and dozens of other functions.

It seems that a lot of the billing relationships between pharmacies and purchasers and patients have been disrupted. “Change Healthcare handles nearly 1 in 3 patient records in the US, the American Hospital Association told HHS Secretary Xavier Becerra in a letter sent on Monday,” The Verge reported.

On Reddit, one person wrote “We actually had to get a hand written RX today because they can’t enter them into the digital system.”

Another: “Went to Costco to pick up 4 Rxs and they only had one. Said there is a nationwide issue with their Rx system and doctors had to use paper or fax.”

A third: “My husband is a doc and he’s been having to hand write and fax over urgent prescriptions for patients. It’s a fucking mess.”

(A commenter on a healthcare message board I’m on wrote “6 TERAbytes of data. TERA. Basically every person that went to the doctor since the beginning of time..”)

On that same board, healthcare systems people were trading suggestions on what to do: Workarounds, alternate claim processing sources (Availity, Claim.Md, Innovalon). One person wrote “paper.”

“Doctors told CNBC the outage has left them unable to check patients’ eligibility for treatment or fill prescriptions electronically, which has created more administrative responsibility for workers that are already overwhelmed by clerical work,” CNBC reported. “Perhaps more importantly, providers have been unable to receive reimbursements from insurers, effectively grinding many health systems’ revenue cycles to a halt.”

Long-term disruption

Change posted a soothing statement, saying not too much, with infrequent updates: “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.

“Patient care is our top priority, and we have multiple workarounds to ensure people have access to the medications and the care they need.”

“Based on our ongoing investigation, there’s no indication that Optum, UnitedHealthcare and UnitedHealth Group systems have been affected by this issue.”

Reports of a longer-term disruption were increasingly common. 

“The outage caused by the Change Healthcare cyberattack could last weeks, a top UnitedHealth executive suggested in a Tuesday conference call with hospital cybersecurity officers, according to a recording obtained by STAT,” STAT reported.

“UnitedHealth Group Chief Operating Officer Dirk McMahon said the company is setting up a loan program to help providers who can’t submit insurance claims while Change is offline. He said that program will last ‘for the next couple of weeks as this continues to go on.’” The loan program would be small comfort to many clients: If UnitedHealth is not able to pay claims, but will give them a loan (at what interest rate?) that would cover a fraction of their unpaid bills (the report we saw said $4,000 a month), would that really be a help?

The Verge added: “UnitedHealth is currently working with Google-owned Mandiant and cybersecurity software vendor Palo Alto Networks, CNBC reports. The company hasn’t indicated whether it plans to pay the ransom.”

Change Healthcare announced a “temporary funding assistance program,” referred to by many customers online as a loan program, to help clients who cannot process payments. To be clear, UnitedHealth is not able to pay claims because of the hack, and so UnitedHealth is giving a temporary loan.

The amount seems to be $4,000 a month, but terms (interest rates etc.) were not specified online. The question of whether UnitedHealth should make UnitedHealth customers whole for a UnitedHealth failure is not addressed here.

How are patients affected?

Meanwhile, real patients are being affected too. But there’s not a lot of information online, and UnitedHealth and Change Healthcare are being tight-lipped — so it’s a little hard to know what’s going on.

When we asked patients if they were being affected, they started talking about the inability to get prescriptions at the pharmacy. This of course is a problem that’s been going on for months if not years now, before the Change hack, because of shortages related to market problems and manufacturing problems. These drug shortage issues seemed to be temporary but turned out to last much longer (all the medications related to ADHD and the like, including Ritalin, Adderall, Vyvanse, Concerta).

We’re also aware that shortages of cancer drugs have meant that patients are unable to get life-saving medications. Even simple antibiotics and saline solution go in and out of shortage.

So which of these pre-existing problems are being made worse by the Change Healthcare hack? Who knows?

Justice Department December statement

Who is at fault? Change Healthcare first blamed a “nation-state” actor, and then said it was caused by Blackcat, also called Noberus and ALPHV. The U.S. Justice Department in December described the group’s ransomware activities in a statement. It said the FBI was offering a decryption tool to anyone affected and urging other victims to come forward.

“Blackcat actors employ a multiple extortion model of attack. Before encrypting the victim system, the affiliate will exfiltrate or steal sensitive data. The affiliate then seeks a ransom in exchange for decrypting the victim’s system and not publishing the stolen data. Blackcat actors attempt to target the most sensitive data in a victim’s system to increase the pressure to pay. Blackcat actors rely on a leak site available on the dark web to publicize their attacks. When a victim refuses to pay a ransom, these actors commonly retaliate by publishing stolen data to a leak website where it becomes publicly available.”

Meanwhile patients have questions, and doctors have increasingly dire statements.

It does seem to be indisputable that Change Healthcare has a role in making available to patients the co-pay assistance programs that manufacturers participate in, and that is having an immediate effect on patients being asked to pay charged prices (the manufacturer’s suggested retail) or exorbitant sums at the pharmacy, where they used to have a much lower cost with a co-pay coupon.

One doctor’s story

On LinkedIn, Dr. Christine Meyer wrote on March 1:

“This is MY current scenario.

“We are piecing together our claims submissions: paper, payer portals, one-at-a-time-whatever it takes. But, in about 2 weeks, our cash flow will slow to a trickle.

“I will infuse as much of my personal resources as possible to cover our payroll and expenses.

“When that dries up, I will begin by cutting non-essential staff. Phones won’t be answered, referrals won’t get done, and refills will take ages.

“Next, we will cut into our essential services. Vaccines will run out. Supply closets will become bare.

“After that, we will cut our hours and reduce our essential staff. That means no same-day sick appointments and no walk-ins.

“Our patients will be forced to the EDs.

“The EDs will become even more overrun than they are now.”

She tweeted her balance sheet (see screenshot, right) documenting the effects, and the impact that a $4,000 payment would have.

She went on to urge readers to contact regulators and elected representatives to alleviate the situation. “Please reach out to your representatives. The ‘intervention’ from Optum amounts to a $4000 per month loan. My payroll is a $175K per two weeks. That ‘loan’ costs me more in aggravation than it is worth. They can keep it.”

Dr. Meyer wrote on Twitter on Feb. 29: “The cyberattack on their company, Change Healthcare, has stopped our cash flow. Their 8-day outage has cost us hundreds of thousands. We won’t survive a few days, much less weeks. @UnitedHealthGrp, you should be ashamed.”

She did not reply to a request for comment on Sunday.

Other doctors, hospitals

“Dr. Kiranjit Khalsa, an allergist and immunologist who runs an independent practice in Scottsdale, Arizona, said her staff has been working longer hours to try and accommodate the extra work as a result of the breach, as well as manually calling in prescriptions,” CNBC reported. “She said the problems around reimbursement have been the ‘biggest burden,’ since she is worried about how she can continue to support her patients and employees. Khalsa is considering cutting back hours for staff and even closing the clinic for a few days.”

If UnitedHealthcare pays the ransom, are those records now forever public on the internet, with people’s names, birthdays, Social Security numbers, and health histories? It seems obvious that could be one of the outcomes.

Meanwhile, Dr. Glaucomflecken, the internet joke persona of Dr. Will Flanary, has a lighter take — 67,000 pharmacies use Change Healthcare, and they have one in three patient records in the United States, he noted. “Protected patient information has been stolen from a company we own. This opens us up to legal action.”

A Chicago area children’s hospital had this to say: (link active on Feb 26, 2024)

“Thank you for your continued patience as Lurie Children’s works to recover our systems. As a reminder, please bring your printed insurance card to each appointment and also bring your child’s medication bottles or a complete list of their current medications.

“At this time, MyChart is unavailable and we appreciate your patience as we work to resolve this issue. Also, due to our systems being offline, we are using manual processes that will result in longer wait times between the request and completion of prescription requests.

“Please know that Lurie Children’s is open and providing care to patients with as few disruptions as possible. Patients scheduled for procedures and appointments are still being asked to arrive as scheduled unless their care provider contacts them directly to reschedule. If you were notified that your appointment was canceled, we will contact you to reschedule your appointment once systems have been restored. We apologize for the inconvenience.”

Jeanne Pinder is the founder and CEO of ClearHealthCosts. She worked at The New York Times for almost 25 years as a reporter, editor and human resources executive, then volunteered for a buyout and founded...