Introduction
The cyber breach at Change Healthcare in 2024 stands out as one of the most significant cyber-attacks in recent memory. Its repercussions extend far beyond immediate industry disruptions, resonating deeply in regulatory circles and catalyzing the proposal of new laws within the healthcare sector. The hack's enduring impact not only revolves around its financial ramifications but also underscores critical lessons that executives and professionals in compliance, privacy, and security must understand to fortify their organizations against future vulnerabilities. In this article, we delve into the event itself, the forthcoming regulatory shifts, and actionable steps organizations can take to navigate this evolving landscape effectively.
Background – What Happened
Change Healthcare is a health care technology provider that works across the health care system to make clinical, administrative, and financial processes simpler for payers, providers, and consumers. It is owned and operated by its parent company UnitedHealth Group and is a technology subsidiary of UHG.
Change Healthcare processes about 50% of medical claims in the United States for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.1 Change Healthcare experienced a major cyber-attack on February 21, 2024, which has had an immediate and broad impact across the health care system.
How It Happened
The cyber-attack was carried out by a ransomware group known as ALPHV or BlackCat, who eventually claimed responsibility.2 This ransomware group has a history of disruptive attacks and was able to gain unauthorized access to Change Healthcare's network. Precise details specifically on how they gained access to the network have not been publicly disclosed. Once inside the network, ransomware was deployed, which immediately disrupted key operations, and required providers, pharmacies, and other partners to deploy manual workarounds. Change Healthcare disconnected more than 100+ different services across its system to prevent any additional damage.3
UnitedHealth Group confirmed a ransom was paid; reports indicate that $22 million in Bitcoin was paid to Blackcat.4 Reportedly, a second ransomware gang is holding Change HealthCare's data and is holding them for ransom, but the validity and credibility is still in question.5 UnitedHealth Group has reported that the breach has resulted in costs of over $850 million.6
An American Hospital Association survey of nearly 1,000 hospitals conducted between March 9 and March 12 found that 94% of hospitals have felt financial impact from the attack, and more than half have reported a "significant or serious" impact.7 74% of hospitals reported a direct effect on patient care.8
In the wake of interruptions to Change Healthcare's electronic claims processing systems, provider claim submissions to payers have dropped by more than one-third, according to an analysis of 1,850 hospitals and 250,000 physicians nationwide by the healthcare technology and analytics company Kodiak Solutions.9 Through March 9, the total estimated cash flow impact for hospitals reporting data to Kodiak is $6.3 billion in delayed payments.10
UnitedHealth Group's Response
UnitedHealth Group has provided additional assistance to providers to combat the chaos that came out of the Blackcat attack. On March 1, 2024, UHG began offering temporary funding and advancement of payments to assist providers who were feeling the impact of not receiving ongoing reimbursement for services.11
As of the week of March 18, 2024, UHG indicated it had systematically restored its systems and has indicated that both its pharmacy network and electronic payment platforms were up and running.12 As of April 3, 2024, UHG has also indicated that it has advanced over $4.7 billion to providers to assist with the backlog of claims unpaid.1
Next on UHG's plate is to work with providers to indicate what patients' information was exposed by the ransomware and coordinate with the federal government on its further response. In addition, UHG will need to respond to numerous class action lawsuits that have been filed against Change Healthcare following the hack.13
The Government's Response
On March 5, 2024, the U.S. Department of Health and Human Services (HHS) released a statement regarding this cybersecurity attack that indicated several items:
HHS' priority is to help coordinate efforts to avoid disruptions to healthcare;
HHS is in regular contact with UHG leadership to understand the impact and ensure the effectiveness of UHG's response;
HHS is working with a wide range of governmental entities and Medicare Administrative Contractors (MACs) to support healthcare entities during this outage
"HHS also takes this opportunity to encourage all providers, technology vendors, and members of the health care ecosystem to double down on cybersecurity, with urgency."2
On March 9, 2024, the Centers for Medicare and Medicaid Services (CMS) stated in a press release that providers who attest that their claims processing and/or payment operations have been impacted by the Change Healthcare breach and are negatively impacted from a cash flow perspective, may request an accelerated payment from their Medicare Administrative Contractor (MAC).3
This has resulted in the federal government considering a bi-partisan bill, "Strengthening Cybersecurity in Healthcare" which would require HHS to perform consistent evaluations of the Department's cybersecurity systems and report its findings to Congress.4 Doubling down on efforts to combat cybercrime, the U.S. has offered a $10 million bounty for information on the Blackcat hackers.5 In a statement to Forbes, UHG said it intended to cooperate with the investigation and noted its immediate focus is to "restore our systems, protect data and support those whose data may have been impacted."14
The federal government continues to take steps to not only deal directly with the impact of the Change Healthcare breach but is also letting all providers, plans, clearinghouses, and business associates know that expectations are high to adequately protect patient information.
On April 19, 2024, the OCR published an initial set of Frequently Asked Questions (FAQ) in response to the Change Healthcare Cybersecurity Incident.15 OCR then provided an update to the FAQ's on May 31, 2024.16 These FAQ's provide additional clarification to entities potentially impacted by the Change HealthCare breach and investigation.
"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,' the HHS' Office for Civil Rights (OCR) said in an update dated May 31."17 This announcement comes as a relief to many health care providers as notification to affected patients should occur within 60 days according to the HIPAA Privacy Regulations and many providers did not want the government to hold them to this requirement, rather they want the responsibility to be appropriately placed on Change Healthcare.
How To Protect Your Organization
Healthcare executives, boards of directors, chief compliance officers, chief privacy officers, chief information officers, and chief information security officers must look to:
Reinforce cybersecurity protections and invest in more, if needed (be proactive instead of reactive in managing cyber risk), including following key principles of defense in depth and least privilege.
Ensure a robust privacy and security program is in place, including conducting regular risk assessments to understand blind spots and areas for improvement.
Include in your business partners in your privacy risk assessments.
Train and communicate with your workforce on cybersecurity, how to prevent attacks, and where to report if suspected issues arise.
Have a disaster recovery plan in place and ready to be implemented.
Document your response to any breaches via an incident response plan and know the steps you will take if your organization or a business associate experiences a breach.
Establish incident response plans and run "tabletop" exercises at your organization to simulate scenario(s) to test your processes and controls.
Continue monitoring of the latest updates to laws, regulations and policies posted from both a federal and state level.
How Ankura Can Help
Ankura Consulting Group employs experts in the areas of health care in both privacy and cybersecurity who regularly assist small to large health care entities and providers with the assessment of programs, implementation of these operational structures, testing of systems, and response to breaches. Our team can assist your organization with proactive assessments as well as in a reactive situation where response and remediation to an incident are required.
Footnotes
1 "UnitedHealth Says Advanced Over $2 Billion in Payments to Providers"; Reuters; March 19, 2024; UnitedHealth says advanced over $2 bln in payments to providers | Reuters
2 HHS Statement Regarding the Cyber-Attack on Change Healthcare; March 5, 2024; HHS Statement Regarding the Cyberattack on Change Healthcare | HHS.gov
3 Change Healthcare/Optum Payment Disruption (CHOPD) Accelerated Payments to Part A Providers and Advance Payments to Part B Suppliers; March 9, 2024; Change Healthcare/Optum Payment Disruption (CHOPD) Accelerated Payments to Part A Providers and Advance Payments to Part B Suppliers | CMS
4 Senator Hassan and Colleagues Introduce Bipartisan Bill to Protect U.S. Health Care Systems from Hackers; February 15, 2024; Senator Hassan and Colleagues Introduce Bipartisan Bill to Protect U.S. Health Care Systems From Hackers (senate.gov)
5 "US Offers $10 Million Bounty for Info on 'Blackcat' Hackers Who Hit UnitedHealth"; Reuters; March 27, 2024; US offers $10 million bounty for info on 'Blackcat' hackers who hit UnitedHealth | Reuters
6 https://www.cbsnews.com/news/unitedhealth-cyberattack-change-healthcare-hack-ransomware/
7 "AHA survey: Change Healthcare Cyberattack Having Significant Disruptions on Patient Care, Hospitals Finances"; American Hospital Association; March 15, 2024; https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances
8 "AHA survey: Change Healthcare Cyberattack Having Significant Disruptions on Patient Care, Hospitals Finances"; American Hospital Association; March 15, 2024; https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances
9 Cyberattack on healthcare claims processor costing hospitals $2 billion a week in cash flow, Kodiak Solutions data show; Businesswire; March 13, 2024; https://www.businesswire.com/news/home/20240313807696/en/Cyberattack-on-healthcare-claims-processor-costing-hospitals-2-billion-a-week-in-cash-flow-Kodiak-Solutions-data-show
10 Cyberattack on healthcare claims processor costing hospitals $2 billion a week in cash flow, Kodiak Solutions data show; Businesswire; March 13, 2024; https://www.businesswire.com/news/home/20240313807696/en/Cyberattack-on-healthcare-claims-processor-costing-hospitals-2-billion-a-week-in-cash-flow-Kodiak-Solutions-data-show
11 UnitedHealth Group Update on Change Healthcare Cyberattack; UnitedHealth Group Press Release; March 7, 2024; https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html
12 UnitedHealth Group Update on Change Healthcare Cyberattack; UnitedHealth Group Press Release; March 7, 2024; https://www.unitedhealthgroup.com/newsroom/2024/2024-03-07-uhg-update-change-healthcare-cyberattack.html
13 Change Healthcare Wants Data-Breach Lawsuits Heard in Nashville Federal Court; Reuters; April 4, 2024; https://www.reuters.com/legal/litigation/change-healthcare-wants-data-breach-lawsuits-heard-nashville-federal-court-2024-04-04/
14 Department of Health Investigating UnitedHealth After 'Unprecedented' Cyberattack; Forbes; March 13, 2024; https://www.forbes.com/sites/jamesfarrell/2024/03/13/department-of-health-investigating-unitedhealth-after-unprecedented-cyber-attack/?sh=2393d5557d70
15 HHS OCR; April 19,2024; https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
16 OCR Updates Change Healthcare Cybersecurity Incident FAQs | HHS.gov; May 31, 2024
17 US health dept says UnitedHealth can notify patients of data breach | Reuters; June 12, 2024
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.