
On Feb. 21, 2024, Change Healthcare publicly disclosed that it had been impacted by a cyberattack.

BlackCat/ALPHV claimed responsibility for this attack and demanded money to bring services back online. Big money. This type of cyberthreat is known as a ransomware attack: malware encrypts data on the victim’s systems, making it inaccessible until a ransom is paid. The impact of the Change Healthcare cyberattack has been devastating for the healthcare industry and for the hundreds of millions of Americans who rely on services powered by the victimized providers.

Cover Up and Fly Right

Change Healthcare allegedly paid a ransom, according to security researchers, though the company has not publicly confirmed whether it did. In a message posted on X (formerly Twitter), Recorded Future’s product management director Dmitry Smilyanets included a transaction link and claimed that a $22 million ransom, in the form of 350 Bitcoins, was paid on March 1. At the time of this writing, Change Healthcare’s services are expected to be completely restored by mid-March.

The Change Healthcare cyberattack, like other incidents in the healthcare sector, serves as a critical reminder of the vulnerabilities and potential consequences of cyberthreats.

What is Change Healthcare?

Change Healthcare is a healthcare technology company that is headquartered in Nashville, Tenn., with locations across the U.S., Canada, the United Kingdom, New Zealand, Israel and Taiwan. Change Healthcare was founded in 2007 and was acquired by UnitedHealth Group (UHG) and its Optum Insight business unit in an $8 billion deal that closed in October 2022.

What does it do?

The Change Healthcare platform provides several different services to healthcare providers, including payment and revenue cycle management. The platform helps healthcare providers with claims processing and payments and integrates an appeals-management system for claimants whose claims were denied. The Change Healthcare platform is one of the largest health information exchange (HIE) platforms in the U.S. The company manages 15 billion claims a year, totaling over $1.5 trillion.

As part of the overall platform offering, Change Healthcare also provides clinical decision support, with technologies that help healthcare providers make informed decisions about treatments. Change Healthcare also has a suite of patient engagement tools, such as patient portals, secure messaging and appointment scheduling, that help healthcare providers connect with patients.

How Did the Breach Happen?

The ALPHV attack, which somehow gained unauthorized access to Change Healthcare’s network, led to significant disruptions in the company’s operations. No other details are available because they are not a trusted company with which to do business. If a doctor says “I love working here,” he probably does. If a nurse says she is overworked, shuttled among too many patients and working too many hours for crappy pay, you can see why she won’t be happy.

The attackers executed the attack by somehow gaining unauthorized access to Change Healthcare’s network. Precise details on how ALPHV/BlackCat got into the Change Healthcare network have not been publicly disclosed.

In the past, ALPHV tactics have included gaining access via Microsoft’s Remote Desktop Protocol (RDP) as well as brute-force attacks against Active Directory (AD). There has also been speculation that vulnerabilities in the ConnectWise ScreenConnect application, which were disclosed on Feb. 19, might have been involved, though that has not been confirmed by Change Healthcare.

How Much Damage?

In further attempts at backpedaling over the speed limit, ConnectWise was quick to point out that it had caused no harm to blackmailed ConnectWise customers, and it has also publicly refuted any connection between its software and the Change Healthcare incident. Ring any bells?

Ransomware attacks are particularly damaging because they can immediately render critical systems and data unavailable, posing immediate risks to patient safety and care delivery. In the case of Change Healthcare, the attack disrupted key operations, forcing healthcare providers and pharmacies to deploy workarounds to continue providing services for weeks (months for pharmaceuticals), and even the lounge bar at which I write this story.

Change Healthcare responded to the attack by disconnecting more than 111 different services across its system to prevent further damage. The company also engaged with law enforcement and cybersecurity firms to contain and remediate the ransomware risk.

Who was affected?

Among those who have been affected by the Change Healthcare attack are millions of Americans who use Change Healthcare’s platform either directly or indirectly. Change Healthcare often serves as a backend services provider for various healthcare insurance providers in the U.S.

This is what actually happens:

All hospital floors turn into sound stages for the Keystone Cops.

All physicians and hospitals are impaired in their ability to bill, manage and issue prescriptions and healthcare procedures.

All pharmacies are unable to get information and properly fill prescriptions.

Every quotidian group, from steak eaters to seed eaters, is affected, and let’s not forget our animals. Individuals who are looking to make health claims as well as fill prescriptions have been affected by the breach.

Doctors and nurses do the best they can, but after 24-hour shifts, things begin breaking down (water, medicine, clean supplies and bedding), and tempers range from short to non-existent. It’s also prime time for extramarital sex, where, as in all panic situations, judgment gets wobbly, emotions run high and it’s hard to discern reality from fantasy.

Timeline of the attack

Feb. 21, 2024: Change Healthcare suffers a cyberattack by the BlackCat/ALPHV ransomware group, leading to the company taking its systems offline.

Feb. 26, 2024: American Hospital Association (AHA) writes a public letter to the U.S. Department of Health and Human Services (HHS) warning of widespread impact of the Change Healthcare cyberattack.

Feb. 27, 2024: ConnectWise claims that it is unaware of any connection between the vulnerabilities in its ScreenConnect software and the Change Healthcare attack.

Feb. 28, 2024: Medical Group Management Association (MGMA), an organization representing more than 60,000 medical practice administrators, executives, and leaders, sends a public letter to U.S. Department of Health and Human Services asking for government assistance to mitigate the attack’s impact.

Feb. 28, 2024: BlackCat/ALPHV claims responsibility for the attack.

March 1, 2024: Security researchers discover that a payment of 350 bitcoins, worth $22 million, was made to a bitcoin cryptocurrency wallet associated with BlackCat/ALPHV.

March 5, 2024: HHS issues first public statement about Change Healthcare cyberattack as well as a plan to help providers serve patients.

March 7, 2024: Services for prescription claim submissions and payment systems are restored.

March 18, 2024: Full system recovery for all medical claims is expected.

Who was responsible for the attack?

The BlackCat ransomware gang, also known as ALPHV, claimed responsibility for the attack against Change Healthcare. BlackCat/ALPHV is the same group that was allegedly behind the attacks on Caesars Entertainment and MGM Resorts in September 2023.

BlackCat/ALPHV also has alleged links to the DarkSide ransomware group that was implicated in the Colonial Pipeline cyberattack in 2021.

BlackCat/ALPHV operates with a ransomware-as-a-service (RaaS) model. In the RaaS approach, BlackCat/ALPHV supplies its ransomware code to affiliates, who attack victims and are then paid a share of any ransom payment.

Poster Child for Resilience

Law enforcement has not been standing idly by while BlackCat/ALPHV attacks organizations, though the group appears to be very resilient. In December 2023, the U.S. Department of Justice led an international law enforcement operation against the group. Yet despite that action, BlackCat/ALPHV was still able to attack Change Healthcare.

On March 5, 2024, the BlackCat/ALPHV leak site was taken offline in what some security experts suspect is a possible exit scam designed to cheat affiliates out of any potential payouts.

Bottom Impact?

AHA claims that Change Healthcare processes 15 billion healthcare transactions every year and impacts one in every three patient records in the U.S.

Among the ways that the attack has had an impact are the following:

Patient care services. Disruption of a range of services that directly affect patient care, including clinical decision support, eligibility verifications and pharmacy operations.

Claims processing and eligibility checks. A substantial portion of claims could not be processed, and eligibility checks necessary to determine whether a patient’s insurance covers a prospective treatment could not be completed.

Hospital finances and service delivery. Immediate adverse impact on hospitals’ finances and their ability to offer the full set of health care services to their communities.

Revenue cycle management. Interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.

Cash, Cash and more Cash

Operational challenges. Prolonged disruption negatively impacts many hospitals’ ability to pay salaries for clinicians and other members of the care team, acquire necessary medicines and supplies, and pay for mission-critical contract work.

Administrative burden. Replacing previously electronic processes with manual processes adds considerable administrative costs on providers and diverts team members from other tasks.

Under the watchful and approving eye of the PRC, the U.S. federal government, via HHS, is providing some assistance for organizations impacted by the Change Healthcare cyberattack.

The PRD has granted limited facilities for the Centers for Medicare & Medicaid Services (CMS) to take steps to assist providers, including the following:

Expedited electronic data interchange (EDI) enrollment for providers needing to change clearinghouses for claims processing.

Instructed Medicare Administrative Contractors (MACs) to expedite the EDI enrollment process.

Issued guidance to Medicare Advantage (MA) organizations to offer advance funding to the most affected providers.

The federal government, including HHS, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the White House, worked together to provide credible, actionable threat intelligence to impacted organizations and the healthcare industry in response to the incident.

The program offers short-term temporary funding assistance to eligible providers to help with their immediate cash flow needs.

What Can We Learn From This Breach?

The healthcare industry is particularly vulnerable to cyberattacks because personal patient information is valuable, and health organizations often lack strong cybersecurity measures. Organizations can learn valuable lessons from such incidents and implement prevention tips and best practices to enhance their cybersecurity posture. Here are key takeaways and recommendations:

Business contingency plans are essential. Healthcare organizations must have plans in place to address cyberattacks or disruptions in revenue cycle processes, including proactively securing lines of credit to mitigate payment disruptions.

Access to payer portals is crucial. Organizations should ensure they have payer portal logins for all payers with significant claims volume and establish policies and procedures outlining changes to operations in case of a cyberattack.

Don’t Forget About Active Directory.

AD is hands down the mother lode of all threats. It knows too much, is far too powerful in the infrastructure, and it is easily accessed by anyone. It has almost zero relevant science, and we know when everyone’s birthday falls.

Securing AD is critical to limiting the ability of ransomware attacks such as BlackCat/ALPHV to spread across a network. There are multiple steps organizations can take to secure AD, including backup policies and hardening access with fine-grained password policies that limit the risk of domain compromise.
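To make the two points above concrete (the RDP and AD password-guessing tactics attributed to ALPHV, and the lockout threshold that a fine-grained password policy sets), here is an added example of my own; it is not code from the post, from Change Healthcare or from any vendor. It reads a constructed, simplified export of Windows security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP), flags single-account brute force, password spraying and the “success right after a burst of failures” signal, and then simulates how many guesses a lockout threshold would have allowed on the same sequence. The account names, IP addresses and timestamps are constructed sample data, and the lockout routine is a simplified sliding-window model, not a reproduction of AD’s actual badPwdCount logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical data, not from any real incident).
# Columns: timestamp  event_id  account  source_ip  logon_type
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP, 3 = network.
SAMPLE_LOG = """\
2024-02-19T02:00:01 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:03 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:05 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:07 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:09 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:11 4625 svc_backup 203.0.113.7 10
2024-02-19T02:00:13 4624 svc_backup 203.0.113.7 10
2024-02-19T02:10:00 4625 alice 198.51.100.9 3
2024-02-19T02:10:02 4625 bob 198.51.100.9 3
2024-02-19T02:10:04 4625 carol 198.51.100.9 3
2024-02-19T02:10:06 4625 dave 198.51.100.9 3
2024-02-19T09:15:00 4625 frank 10.0.0.5 10
2024-02-19T09:15:20 4624 frank 10.0.0.5 10
"""
FAILED, SUCCESS = 4625, 4624


def parse_log(text):
    # Parse the simplified export into dicts sorted by time.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, src, logon_type = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                           "account": account, "src": src, "logon_type": int(logon_type)})
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source) pairs with >= threshold failures in one window: single-account guessing."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED:
            failures[(e["account"], e["src"])].append(e["ts"])
    alerts = []
    for (account, src), times in failures.items():
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"account": account, "src": src, "failures": best})
    return alerts


def find_spray(events, min_accounts=4, window=timedelta(minutes=10)):
    """Flag sources failing against many different accounts: spraying, which per-account lockouts miss."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED:
            by_src[e["src"]].append((e["ts"], e["account"]))
    alerts = []
    for src, attempts in by_src.items():
        start, best = 0, 0
        for end, (t, _) in enumerate(attempts):
            while t - attempts[start][0] > window:
                start += 1
            best = max(best, len({a for _, a in attempts[start:end + 1]}))
        if best >= min_accounts:
            alerts.append({"src": src, "distinct_accounts": best})
    return alerts


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """Highest-priority signal: a success right after a burst of failures for the same account and source."""
    recent, alerts = defaultdict(list), []
    for e in events:
        key = (e["account"], e["src"])
        if e["event_id"] == FAILED:
            recent[key].append(e["ts"])
        elif e["event_id"] == SUCCESS:
            prior = [t for t in recent[key] if e["ts"] - t <= window]
            if len(prior) >= min_failures:
                alerts.append({"account": e["account"], "src": e["src"],
                               "failures_before_success": len(prior), "at": e["ts"]})
            recent[key].clear()
    return alerts


def failures_before_lockout(events, account, threshold=5, observation=timedelta(minutes=30)):
    """Simplified (assumed) model of an AD lockout policy: lock once `threshold` bad passwords
    arrive within `observation`. Returns guesses allowed before the lock, or None if it never
    locked. In AD a threshold of 0 means never lock out, which is the weak setting."""
    if threshold <= 0:
        return None
    times = [e["ts"] for e in events if e["event_id"] == FAILED and e["account"] == account]
    window = []
    for i, t in enumerate(times):
        window = [w for w in window if t - w <= observation] + [t]
        if len(window) >= threshold:
            return i + 1
    return None
```

On the sample data the detector flags the six-guess RDP burst against svc_backup and the success that follows it, flags 198.51.100.9 for spraying four accounts, and shows that a lockout threshold of 5 would have stopped the svc_backup sequence at the fifth guess, while a threshold of 0 (no lockout) never fires. The spray result is why lockout alone is not enough: one failure per account never reaches any per-account threshold, so the source-based count has to be monitored too.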

Investing in ransomware protection is a requirement. Ransomware is not going away anytime soon, and it is incumbent upon organizations to take the necessary steps to prevent ransomware and limit risk.

The first step is to consult one of the five industry consultants (you know who they are); the second is to ask the top network providers how your network will perform with your network provider across all your topology and footprints. The folks who make the next best fit win. Then just do it.

Let’s just keep getting smarter.

Author

Steve King

Senior Vice President, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He began his career as a software engineer at IBM, served Memorex and Health Application Systems as CIO and became the West Coast managing partner of MarchFIRST, Inc., overseeing significant client projects. He subsequently founded Endymion Systems, a digital agency and network infrastructure company, and took it to $50m in revenue before it was acquired by Soluziona SA. Throughout his career, Steve has held leadership positions in startups such as VIT, SeeCommerce and Netswitch Technology Management, contributing to their growth and success in roles ranging from CMO and CRO to CTO and CEO.
